This article provides information to on how resolve an issue for Virtual Volumes (vVols) that might arise after renewing or replacing certificates in either ESXi or vCenter Server. After moving an ESXi host to another vCenter Server, refreshing or replacing CA Certificates, the following symptoms might be observed:
offline or with a syncError:# esxcli storage vvol vasaprovider list/var/run/log/vvold.log, contains an error stack similar to the following example:[YYYY-MM-DDTHH:MM] warning vvold[4AC####] [Originator@6876 sub=Default] VasaSession::GetEndPoint: failed to get endpoint, err=SSL Exception: Verification parameters:
--> PeerThumbprint: ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:E4:85:48:F8
--> ExpectedThumbprint:
--> ExpectedPeerName: <VASA Provider IP address>
--> The remote host certificate has these problems:
-->
--> * unable to get local issuer certificate, using default
[YYYY-MM-DDTHH:MM] info vvold[47B1B70] [Originator@6876 sub=Default] VasaSession::Initialize url is empty
[YYYY-MM-DDTHH:MM] warning vvold[47B1B70] [Originator@6876 sub=Default] VasaSession::DoSetContext: Empty VP URL for VP (xVP)!
[YYYY-MM-DDTHH:MM] info vvold[47B1B70] [Originator@6876 sub=Default] Initialize: Failed to establish connection https://<VASA Provider IP address>:8443/vasa/version.xml
[YYYY-MM-DDTHH:MM] error vvold[47B1B70] [Originator@6876 sub=Default] Initialize: Unable to init session to VP xVP state: 0
[YYYY-MM-DDTHH:MM] info vvold[4770B70] [Originator@6876 sub=Default] VVolUnbindManager::UnbindIdleVVols called
[YYYY-MM-DDTHH:MM] info vvold[4770B70] [Originator@6876 sub=Default] VVolUnbindManager::UnbindIdleVVols done for 0 VVols
[YYYY-MM-DDTHH:MM] info vvold[5ACBB70] [Originator@6876 sub=Default] Came to SI::GetVvolContainer: container <container-GUID>
[YYYY-MM-DDTHH:MM] info vvold[5ACBB70] [Originator@6876 sub=Default] SI:GetVvolContainer successful for Datastore, id=, maxVVol=0 MBesxcli storage vvol storagecontainer list returns results similar to:Datastore
StorageContainer Name: Datastore
UUID: vvol:################-############73602
Array: com.vmware.vim:xxxxxxxx3e06-1000000
Size(MB): 0
Free(MB): 0
Accessible: true
Default Policy:esxcli storage vvol vasaprovider list returns either of the following outputs:xVP
VP Name: xVP
URL:https://<VASA Provider IP address>:8443/vasa/version.xml
Status: syncError
Arrays:
Array Id: com.vmware.vim:########3e06-1000000
Is Active: true
Priority: 0or PowerStore VASA provider - PERS
VP Name: PowerStore VASA provider - PERS
URL: https://<VASA Provider IP address>:8443/version.xml
Status: Offline: AuthenticationError [SSL_ERROR_SSL error:0A000086:SSL routines::certificate verify failed unable to get local issuer certificate / SSL/TLS handshake failed]Apply the following steps:
root user and run the following command:# /etc/init.d/vvold ssl_reset && /etc/init.d/vvold restartDownload the root certificate from the vCenter server and update the root certificate to the ESXi host by implementing the steps outlined in the following Knowledge Base articles:
root user.# /etc/init.d/vvold ssl_reset && /etc/init.d/vvold restart# tail -f /var/log/vvold.logEmpty VP URL for VP. If vvold still reports Empty VP URL for VP despite the steps in the earlier sections having been applied, the hosts SSL ertificate will need to be re-generated./etc/vmware/ssl.# mv rui.crt orig.rui.crt
# mv rui.key orig.rui.key# /sbin/generate-certificates# ls -l and comparing the time stamps of the new certificate files with orig.rui.crt and orig.rui.key.# openssl x509 -in /etc/vmware/ssl/rui.crt -noout -startdate -enddate# ls -lt /etc/vmware/ssl to confirm that the date changed on the castore.pem file.# tail -f /var/log/vvold.logto verify the error is no longer seen.[YYYY-MM-DDTHH:MM] info vvold[8355B70] [Originator@6876 sub=default] SI:GetVvolVontainer successful for DataStoreName, id= maxVVol=0 MB ...