ESXi 7.X and later host newly added to vCenter is unable to access vVol datastore

Article ID: 318746

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:

  • ESXi 7.X and later host newly added to vCenter is unable to access the vVol datastore.
  • The environment implements self-signed certificates.



Environment

VMware vSphere ESXi 7.0.X
VMware vSphere ESXi 8.0.X

Cause

  • From ESXi 6.7U3 release, the following host agent settings are available with the listed default values:

Key                                             Default  Description
Config.HostAgent.ssl.keyStore.allowAny          false    Allow any certificates to be added to the host CA store. Disables CA checks.
Config.HostAgent.ssl.keyStore.allowSelfSigned   false    Allow self-signed certificates to be added to the host CA store.
Config.HostAgent.ssl.keyStore.discardLeaf       true     Discard leaf certificates when adding to CA store. Leaf certificates in a CA store are generally a misconfiguration.

  • These settings will not impact existing self-signed certs in the trust store of a host. However, they will disallow any new self-signed certs from being added to a host’s trust store.

  • An upgrade therefore does not impact existing vVol datastores mounted on a host. A freshly installed host, however, will not be able to establish a session with the VASA provider, and vCenter will not be able to push self-signed certs to a host newly added to vCenter.

Resolution

In the case of:
  • ESXi 7.X and later host newly added to vCenter
  • ESXi hosts that are freshly installed with a 7.X or later release
  • ESXi hosts upgraded to a 7.X or later release, where vCenter/host certificates have been renewed or replaced  

The listed hostAgent settings will need to be toggled from their default settings before vVol datastores can be accessed on such hosts, i.e.:

Config.HostAgent.ssl.keyStore.allowAny             => true
Config.HostAgent.ssl.keyStore.allowSelfSigned      => true
Config.HostAgent.ssl.keyStore.discardLeaf          => false
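
The following PowerShell is an added example, not part of the original article or VMware's own tooling. It labels each of the three keyStore settings on a host as "Default" or "Workaround" so that hosts running with the relaxed trust-store values can be inventoried. The function name, host names and sample values are constructed, and the commented live commands assume PowerCLI with an active vCenter session.

```powershell
# Added example: not VMware's code. Host names and sample values are constructed.
# Keys, defaults and workaround values are the ones listed in this article.
$KeyStoreSettings = [ordered]@{
    'Config.HostAgent.ssl.keyStore.allowAny'        = @{ Default = $false; Workaround = $true }
    'Config.HostAgent.ssl.keyStore.allowSelfSigned' = @{ Default = $false; Workaround = $true }
    'Config.HostAgent.ssl.keyStore.discardLeaf'     = @{ Default = $true;  Workaround = $false }
}

function Get-KeyStoreSettingState {
    # Takes objects with Entity, Name and Value properties (the shape that
    # PowerCLI's Get-AdvancedSetting returns) and labels each keyStore setting.
    param([Parameter(ValueFromPipeline)] $Setting)
    process {
        $name = [string]$Setting.Name
        if (-not $KeyStoreSettings.Contains($name)) { return }   # unrelated setting
        $value = [System.Convert]::ToBoolean($Setting.Value)
        $state = if ($value -eq $KeyStoreSettings[$name].Default) { 'Default' } else { 'Workaround' }
        [pscustomobject]@{
            Host  = [string]$Setting.Entity
            Name  = $name
            Value = $value
            State = $state
        }
    }
}

# Constructed sample: esx01 has the workaround applied, esx02 is at defaults.
$sample = @(
    [pscustomobject]@{ Entity = 'esx01.example.test'; Name = 'Config.HostAgent.ssl.keyStore.allowAny';        Value = $true }
    [pscustomobject]@{ Entity = 'esx01.example.test'; Name = 'Config.HostAgent.ssl.keyStore.allowSelfSigned'; Value = $true }
    [pscustomobject]@{ Entity = 'esx01.example.test'; Name = 'Config.HostAgent.ssl.keyStore.discardLeaf';     Value = $false }
    [pscustomobject]@{ Entity = 'esx02.example.test'; Name = 'Config.HostAgent.ssl.keyStore.allowAny';        Value = $false }
    [pscustomobject]@{ Entity = 'esx02.example.test'; Name = 'Config.HostAgent.ssl.keyStore.allowSelfSigned'; Value = $false }
    [pscustomobject]@{ Entity = 'esx02.example.test'; Name = 'Config.HostAgent.ssl.keyStore.discardLeaf';     Value = $true }
)
$sample | Get-KeyStoreSettingState | Sort-Object Host, Name | Format-Table -AutoSize

# Against a live vCenter (requires PowerCLI and an active Connect-VIServer session):
#   Get-VMHost | Get-AdvancedSetting -Name 'Config.HostAgent.ssl.keyStore.*' |
#       Get-KeyStoreSettingState | Where-Object State -eq 'Workaround'
#
# Applying the article's values to one host (host name is a placeholder):
#   $vmhost = Get-VMHost -Name 'esx01.example.test'
#   foreach ($key in $KeyStoreSettings.Keys) {
#       Get-AdvancedSetting -Entity $vmhost -Name $key |
#           Set-AdvancedSetting -Value $KeyStoreSettings[$key].Workaround -Confirm:$false
#   }
```

Because allowAny set to true disables CA checks on additions to the host CA store, the "Workaround" rows identify hosts whose trust store should be reviewed after certificates are renewed or replaced.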