nfs file share inaccessible inaccessible after the vCenter and hosts upgraded to 8.0.x
search cancel

nfs file share inaccessible inaccessible after the vCenter and hosts upgraded to 8.0.x

book

Article ID: 392011

calendar_today

Updated On:

Products

VMware vSAN

Issue/Introduction

NFS files shares configured using vSAN file services are inaccessible after upgrading the vCenter and hosts to vSphere 8.0.x

vSAN cluster would report health warnings on vSAN skyline health for file services.

 

The services tab for the file service would show an error "Unable to extract requested data. Check vSphere Client logs for details." on vCenter UI.

- FSVMs are missing from the cluster.

Environment

VMware vSAN 8.0.x

Cause

The issue is due to a change in the vSAN file services.

When there is a chain of SSL certificated configured and vSAN file service is looking for trust using machine SSL, this issue is observed.

/var/log/vmware/eam/eam.log on vCenter shows the below events.

2025-02-27T08:03:57.640Z |  INFO | vlsi | URLConnectionSpecFactory.java | 88 | Created URLConnectionSpec(urlLocation:https://vcenter:443/vsanHealth/fileService/ovf/7.0.3.1000-23794027/VMware-vSAN-File-Services-Appliance-7.0.3.1000-23794027_OVF10.ovf, certificateVerification:true, certificateConfigured:false, headers: {} using default system VECS/system CAs trust
2025-02-27T08:03:57.666Z | ERROR | vlsi | LegacyAgencyBase.java | 1154 | Agent OVF URL is not trusted.
com.vmware.eam.security.trust.NotTrusted: Suitable trust, not found!

2025-03-12T07:04:37.890Z |  INFO | vlsi | URLConnectionSpecFactory.java | 88 | Created URLConnectionSpec(urlLocation:https://vcenter:443/vsanHealth/fileService/ovf/8.0.3.1000-24022510/VMware-vSAN-File-Services-Appliance-8.0.3.1000-24022510_OVF10.ovf, certificateVerification:true, certificateConfigured:false, headers: {} using default system VECS/system CAs trust
2025-03-12T07:04:38.024Z | ERROR | vlsi | LegacyAgencyBase.java | 1154 | Agent OVF URL is not trusted.
com.vmware.eam.security.trust.NotTrusted: Suitable trust, not found!

Resolution

The issue is fixed in future builds. However, the below workaround can be used to resolve the issue.

Workaround:

Please follow the workaround to configure the SSL trust via an EAM script.

To configure a leaf SSL certificate that is to be trusted for a specific VIB or OVF URL

  1. Login to VCSA through SSH using root.
  2. Run the below command:

 #/usr/lib/vmware-eam/bin/eam-utility.py install-cert <VIB/OVF URL>

Note:

  • The operation above can be reverted by running: eam-utility.py uninstall-cert <VIB/OVF URL>
  • The agency owner can also do the SSL trust configuration via the EAM API. In this case, it takes precedence over the configuration made via the script /usr/lib/vmware-eam/bin/eam-utility.py.

Reference:

EAM API call fails with CertificateNotTrustedFault or EAM agent has CertificateNotTrusted issue

vSAN file service will not deploy nodes

Powered by Wolken Software