This article provides information to resolve the certificate issue for vVols after vCenter changes or CA certificate changes.

Symptoms:

1. After moving a host to another vCenter Server or after refreshing CA Certificate, you experience these symptoms: 

• Virtual Volumes (vVOL) datastores are not accessible.
• The command esxcli storage vvol vasaprovider list displays VP status as syncError.
• In the ESXi host /var/log/vvold.log, you see similar to:

[YYYY-MM-DDTHH:MM] warning vvold[4AC6B70] [Originator@6876 sub=Default] VasaSession::GetEndPoint: failed to get endpoint, err=SSL Exception: Verification parameters:

--> PeerThumbprint: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:E4:85:48:F8

--> ExpectedThumbprint:

--> ExpectedPeerName: <VASA Provider IP address>

--> The remote host certificate has these problems:

-->

--> * unable to get local issuer certificate, using default

[YYYY-MM-DDTHH:MM] info vvold[47B1B70] [Originator@6876 sub=Default] VasaSession::Initialize url is empty

[YYYY-MM-DDTHH:MM] warning vvold[47B1B70] [Originator@6876 sub=Default] VasaSession::DoSetContext: Empty VP URL for VP (xVP)!

[YYYY-MM-DDTHH:MM] info vvold[47B1B70] [Originator@6876 sub=Default] Initialize: Failed to establish connection https://<VASA Provider IP address>:8443/vasa/version.xml

[YYYY-MM-DDTHH:MM] error vvold[47B1B70] [Originator@6876 sub=Default] Initialize: Unable to init session to VP xVP state: 0

[YYYY-MM-DDTHH:MM] info vvold[4770B70] [Originator@6876 sub=Default] VVolUnbindManager::UnbindIdleVVols called

[YYYY-MM-DDTHH:MM] info vvold[4770B70] [Originator@6876 sub=Default] VVolUnbindManager::UnbindIdleVVols done for 0 VVols

[YYYY-MM-DDTHH:MM] info vvold[5ACBB70] [Originator@6876 sub=Default] Came to SI::GetVvolContainer: container <container-GUID>

[YYYY-MM-DDTHH:MM] info vvold[5ACBB70] [Originator@6876 sub=Default] SI:GetVvolContainer successful for Datastore, id=, maxVVol=0 MB

• Running the command esxcli storage vvol storagecontainer list returns similar to:

Datastore

   StorageContainer Name: Datastore

  UUID: vvol:xxxxxxxxxxxxxxxx-xxxxxxxxxxxx73602

  Array: com.vmware.vim:xxxxxxxx3e06-1000000

   Size(MB): 0

   Free(MB): 0

   Accessible: true

   Default Policy:

• Running the command esxcli storage vvol vasaprovider list returns any of these similar outputs:

Output#1

xVP
  VP Name: xVP
  URL:https://<VASA Provider IP address>:8443/vasa/version.xml
  Status: syncError
  Arrays:
        Array Id: com.vmware.vim:xxxxxxxx3e06-1000000
        Is Active: true
        Priority: 0

PowerStore VASA provider - PERS
   VP Name: PowerStore VASA provider - PERS
   URL: https://xx.xx.xx.xx:8443/version.xml
   Status:
      Offline: SSLError [SSL Exception: Verification parameters:
PeerThumbprint: 6D:C6:AF:4A:XX:XX:E5:42:XX:33:B7:XX:XX:XX:XX:A5:13:7B:8A:24
ExpectedThumbprint:
ExpectedPeerName: xx.xx.xx.xx
The remote host certificate has these problems:
* unable to get local issuer certificate]

VMware vSphere ESXi 8.0
VMware vSphere ESXi 7.0  
vCenter Server 8.0
vCenter Server 7.0

This issue occurs because the vVol ssl_reset is not occurring automatically when VMCA signed certificate is pushed to the host.

Suppose the vCenter custom certificate has been updated recently and the ESXi host is experiencing a thumbprint mismatch issue. In that case, this indicates that there is a thumbprint mismatch between the ESXi host and vCenter.

Note: If the ESXi hosts do not recognize the updated root certificate, they may reject communication with vCenter, leading to connectivity issues with vVols.

To work around this issue reset the vVold SSL certificate:

1. Migrate the virtual machines from the host and place it in maintenance mode.
2. Log in to the ESXi Shell with root user.
3. Run the command - /etc/init.d/vvold ssl_reset && /etc/init.d/vvold restart
4. Run the command - tail -f /var/log/vvold.log
5. Look for Empty VP URL for VP messages. If you still see Empty VP URL for VP messages the SSL certificate will need to re-generated on the ESXi host.
6. Edit the re-generated self-signed certificate. Log in to the ESXi Shell, navigate to /etc/vmware/ssl.
7. Rename the existing certificates:
   mv rui.crt orig.rui.crt
mv rui.key orig.rui.key
8. Run the command /sbin/generate-certificates to generate new certificates.
9. Confirm that the host successfully generated new certificates by running command ls -l and comparing the time stamps of the new certificate files with orig.rui.crt and orig.rui.key.
10. Go to vSphere Client, right click the ESXi host, click Certificates, Click Renew Certificate.
11. Run ls -l to ensure the date changed on the castore.pem file.
12. Reboot the ESXi host.
13. Once the host is up, run the command - tail -f /var/log/vvold.log

If you see errors, update the vCenter Server TRUSTED_ROOTS store.

   14. Disconnect and reconnect the ESXi host to the vCenter Server to resolve a mismatched SSL thumbprint in vCenter Server compared to the ESXi host.
   15. Run tail -f /var/log/vvold.log. to verify the error is no longer seen.

The expected output should be as below:
[YYYY-MM-DDTHH:MM] info vvold[8355B70] [Originator@6876 sub=default] SI:GetVvolVontainer successful for DataStoreName, id= maxVVol=0 MB ...

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

For the custom, certificate-updated vCenter or ESXi host try the below steps:

Download the root certificate from the vCenter server and update the root certificate to the ESXi nodes.

Please follow the steps mentioned in the following KB to download the Root vCenter certificate and update the the same in ESXi host.

Refer:

• Download vCenter Server root certificates (2108294)
• Adding vCenter Root certificate to ESXi hosts through CLI (317244)