vCenter alarm for "Alarm for Registration/unregistration of third-party IO filter storage providers fails"

Article ID: 399536

Products

VMware vSphere ESXi

Issue/Introduction

The following error messages appear on the ESXi host in the log file /var/run/log/iofiltervpd.log:

YYYY-MM-DDTHH:MM:SSZ iofiltervpd[2099355]: run:199:SSL Connection error 30 : SSL_ERROR_SSL
YYYY-MM-DDTHH:MM:SSZ  iofiltervpd[2099355]: error:0A000416:SSL routines::sslv3 alert certificate unknown

Environment

  • VMware vSphere ESXi 7.x
  • VMware vSphere ESXi 8.x

Cause

The issue occurs when the Subject Alternative Name (SAN) or Common Name (CN) values in the ESXi host certificate do not match the host’s configured FQDN, short name, or IP address. This mismatch can lead to:

  • Certificate validation errors in vCenter Server.
  • SSL/TLS handshake failures between ESXi and vCenter.
  • Warnings about untrusted or invalid certificates during host connection or management operations.

Updating the SAN and CN values ensures that the certificate properly reflects the host’s identity and resolves these connectivity and validation issues.

Resolution

  1. Validate the CN and SAN values in the ESXi certificate using the following command:

    openssl x509 -in /etc/vmware/ssl/rui.crt -noout -text | less
    
  2. To update the CN and SAN values, follow these steps:

    • Take a backup of the generate-certificates file:

      cd /usr/sbin
      cp generate-certificates generate-certificates-bkp
      
    • Edit the backup file and update the SAN field:

      vi generate-certificates-bkp
      

      Example entry for SAN field:

      DNS:esxi-fqdn.local,DNS:###.###.###.###,DNS:esxi-fqdn
      

      (FQDN, IP address, and short name of the ESXi host)

    • Replace the original file with the modified backup file:

      cp generate-certificates-bkp generate-certificates
      
    • Regenerate the self-signed certificate:

      /sbin/generate-certificates
      
    • Restart the hostd and vpxa services:

      /etc/init.d/hostd restart && /etc/init.d/vpxa restart
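
The check in step 1 can be scripted so it can be repeated after the certificate is regenerated. This is an added example, not part of the original article: the function names `cert_names` and `missing_names` are hypothetical, the certificate text is a constructed sample, and it assumes `awk` and `grep` are available in the shell where it runs.

```shell
#!/bin/sh
# Constructed `openssl x509 -noout -text` excerpt (not from a real host).
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Subject: O=Example, CN=localhost.localdomain
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost.localdomain, IP Address:192.0.2.10'

# Print the subject CN and every SAN value, one per line, without the
# "DNS:" / "IP Address:" type prefixes.
cert_names() {
    printf '%s\n' "$1" | awk '
        /Subject:/ && !seen_subject {
            seen_subject = 1
            # Handles both "CN=host" and "CN = host" output styles.
            if (match($0, /CN ?= ?[^,]+/)) {
                cn = substr($0, RSTART, RLENGTH)
                sub(/CN ?= ?/, "", cn)
                print cn
            }
        }
        in_san {
            # The line after the SAN header carries the comma-separated list.
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                value = parts[i]
                sub(/^[ \t]*(DNS|IP Address):/, "", value)
                print value
            }
            in_san = 0
        }
        /X509v3 Subject Alternative Name/ { in_san = 1 }
    '
}

# Print each expected name (FQDN, IP address, short name) that appears in
# neither the CN nor the SAN list. Empty output means all names are covered.
missing_names() {
    cert_text=$1; shift
    present=$(cert_names "$cert_text")
    for want in "$@"; do
        printf '%s\n' "$present" | grep -qixF -- "$want" || printf '%s\n' "$want"
    done
}

# Demo on the constructed sample; on a host, pass the output of the
# openssl command from step 1 instead of SAMPLE_CERT_TEXT.
missing_names "$SAMPLE_CERT_TEXT" esxi-fqdn.local 192.0.2.10 esxi-fqdn
```

Any name printed is one the certificate does not cover, which is the mismatch described under Cause.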