vSAN file service does not redeploy vSANFS nodes

Products

VMware vSAN

Issue/Introduction

vSAN file service does not deploy nodes after being removed.

This can occur during an upgrade of ESXi or upgrading vSAN file service,
If vSAN was enabled or disabled, where redeploy of nodes may have been necessary reason.

You may see a health check in Skyline health indicating an issue with vSAN file services infrastructure.

File server not found
VDFS daemon and sockrelay are not running
Sockrelay is not running

When attempting to start socketrelay on the host through SSH using command: /etc/init.d/fsvmsockrelay start, you will get the below error

vSAN File Service Node cannot be found on this host
- sockrelay is not running

If vSAN file services was disabled during upgrade, this can cause vSphere ui errors when trying to edit vSAN file services. This will resolve it self when all hosts are upgraded and match same version. You will still observe the 'EAM certificate trust' as well in the logs.

In vCenter under the vSAN cluster configuration settings, vSAN file services tab does not load.
- Unable to extract requested data. Check vSphere Client logs for details.

Environment

vSAN 7.x
vSAN 8.x
vSAN 9.x
vSAN File Service

Cause

This is related to an EAM API call failing with CertificateNotTrustedFault or EAM agent has CertificateNotTrusted issue

You can confirm this issue by reviewing the EAM logs under: /var/log/vmware/eam/eam.log where you will see an error similar to the following:

2025-10-02T03:23:53.249Z |  INFO | vlsi | URLConnectionSpecFactory.java | 88 | Created URLConnectionSpec(urlLocation:https://##########.#######.com:443/vsanHealth/fileService/ovf/8.0.3.1000-24859861/VMware-vSAN-File-Services-Appliance-8.0.3.1000-24859861_OVF10.ovf, certificateVerification:true, certificateConfigured:false, headers: {} using default system VECS/system CAs trust
2025-10-02T03:23:53.661Z | ERROR | vlsi | LegacyAgencyBase.java | 1154 | Agent OVF URL is not trusted.
com.vmware.eam.security.trust.NotTrusted: Suitable trust, not found!

Resolution

Resolve the EAM trust issue either by disabling trust or installing cert trust, or refresh the Machine cert

Option 1: Configure the trust via EAM API.

Do one of the following options below to create leaf trust, or disable trust to OVF URL.

To keep cert verification and have secure download to external URL.

Configure a leaf SSL certificate that is to be trusted for the OVF (either stored in vCenter or external URL).

run the following command in the vCenter CLI

/usr/lib/vmware-eam/bin/eam-utility.py install-cert <"OVF_URL">

Use the full URL from the error for example:

/usr/lib/vmware-eam/bin/eam-utility.py install-cert "https://it-vcenter-sf-01v.lucasfilm.com:443/vsanHealth/fileService/ovf/8.0.3.1000-24859861/VMware-vSAN-File-Services-Appliance-8.0.3.1000-24859861_OVF10.ovf"

To bypass cert verification with unsecure download possible,

Disable the SSL verification for certificate to that OVF when trying to access a specific OVF URL.

run the following command in the vCenter CLI

/usr/lib/vmware-eam/bin/eam-utility.py disable-trust <OVF_URL>

Use the full URL from the error for example:

/usr/lib/vmware-eam/bin/eam-utility.py disable-trust "https://it-vcenter-sf-01v.lucasfilm.com:443/vsanHealth/fileService/ovf/8.0.3.1000-24859861/VMware-vSAN-File-Services-Appliance-8.0.3.1000-24859861_OVF10.ovf"

Reference KB: EAM API call fails with CertificateNotTrustedFault or EAM agent has CertificateNotTrusted issue.

Option 2, refresh the Machine cert in VECS (VMware Endpoint Certificate Store) for the vCenter server.

An outdated or mismatching certificate data between the cert and VECS can cause the trust mismatch. To resolve, you can refresh the certificate in VECS with the current machine certificate for vCenter. Which will update endpoints to the current certificate chain.

To learn more about VECS and reviewing the certificates stored in VECS, please see this KB.