vVol datastore inaccessible after storage provider certificate change

Article ID: 404342


Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:

  • The vVol datastore is in an inaccessible state after the storage provider certificate change.
  • The storage provider shows as online in vCenter:

         vCenter --> Configure --> Storage Provider

  • The ESXi host certificate is self-signed.

Validation Steps:

  • The VASA provider sync status shows as error:

   [root@ESXI:/vmfs/volumes/648883df-####-ee52-####/log] esxcli storage vvol vasaprovider list
   VP Name: ##_###_####-####
   URL: https://##.##.93.##:/vasa
   Status: syncError
   Arrays:
   Array Id: com.hp.3par:###:array:###
   Is Active: true
   Priority: 255

  • The storage container shows Accessible as false:

    [root@ESXI:/vmfs/volumes/648883df-###-###-###/log] esxcli storage vvol storagecontainer list
    ###_###_###_##_###
    StorageContainer Name: ##_###_##_##_###

    UUID: vvol:####-bbf#####
    Array: com.hp.###:0x###:array:####
    Size(MB): 0
    Free (MB): 0
    Accessible: false
    Default Policy:

  • Check vpxd.log for sync issues with the VASA provider.

    Log path (vCenter): less /var/log/vmware/vpxd/vpxd.log

          2025-07-15T13:47:06.486+03:00 [pool-16-thread-1] ERROR opId=sps-Main-###-626 com.vmware.vslm.catalog.sync.CatalogSyncManager - task failed because:(vim.fault.InaccessibleDatastore) {
     faultCause = null,
     faultMessage = null,
     datastore = ManagedObjectReference: type = Datastore, value = datastore-1##, serverGuid = 0c4###-###-4##-###c-######,
     name = Local_datastore
     detail = notAccessible
     }
     at com.vmware.vslm.catalog.sync.CatalogSyncManager.lambda$queryCatalogChangeAsync$1(CatalogSyncManager.java:323) ~[vslm-1.0.jar:?]
     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_351]
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_351]
     at java.lang.Thread.run(Thread.java:750) [?:1.8.0_351]
     2025-07-15T13:47:06.487+03:00 [pool-25-thread-1] ERROR opId=sps-Main-###-6## com.vmware.vslm.globalcache.sync.task.DatastoreCatalogChangeTask - Datastore ds:///vmfs/volumes/5####b-###-###-0#####8/  is inaccessible
     2025-07-15T13:47:06.487+03:00 [pool-25-thread-1] INFO  opId=sps-Main-###-6## com.vmware.vslm.globalcache.GlobalCatalogCache - Synchronizing datastore ds:///vmfs/volumes/5f350ad2-###-b216-####/ forceFullSync = false

Environment

VMware vSphere ESXi 8.x

Cause

vCenter is unable to push certificates from TRUSTED_ROOTS and TRUSTED_ROOT_CRLS to the ESXi host because the ESXi host parameter Config.HostAgent.ssl.keyStore.allowSelfSigned is set to false.

Cause Validation 

  • Validate from the ESXi host: Configure --> Advanced Settings

  • Check vvold.log on the ESXi host for a certificate verification failure followed by "Empty VP URL for VP", as shown below.

        Log path : less /var/run/log/vvold.log

  
        2025-07-15T10:04:51.893Z warning vvold[2##3] [Originator@6876 sub=Default opID=lro-##-##-64-##] VasaSession::GetEndPoint: failed to get endpoint, err=SSL Exception: Verification parameters:
        --> PeerThumbprint: ##:D6:09:F1:##:##:##:01:##:56:##:CB:##:##:DF:##:##:##:##
        --> ExpectedThumbprint:
        --> ExpectedPeerName: ##.##.##.##
        --> The remote host certificate has these problems:
        -->
        --> * self signed certificate, using default
        2025-07-15T10:04:51.893Z info vvold[2100993] [Originator@6876 sub=Default opID=lro-3982-59cbb3-64-a297] VasaSession::Initialize url is empty
        2025-07-15T10:04:51.893Z warning vvold[2100993] [Originator@6876 sub=Default opID=lro##-59cbb3-64-a297] VasaSession::DoSetContext: Empty VP URL for VP (S##_##_3##-##) !
        2025-07-15T10:04:51.893Z info vvold[2100993] [Originator@6876 sub=Default opID=lro-3982-###-64-a297] Initialize: Failed to establish connection https://1#.##.##.##:9997/vasa
        2025-07-15T10:04:51.893Z error vvold[2100993] [Originator@6876 sub=Default opID=lro-3982-##-64-a297] Initialize: Unable to init session to VP SEC_###_3P##-CZ## state: 0
        2025-07-15T10:04:51.893Z error vvold[2100994] [Originator@6876 sub=IO.Http opID=lro-3982-59cbb3-64-a297] User agent failed to send request: (null), N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
        --> PeerThumbprint: ##:##:##:##:##:##:##:##:01:##:##:3#:##:##:##:##:37:##:##:##
        --> ExpectedThumbprint:
        --> ExpectedPeerName: ##.##.##.##
        --> The remote host certificate has these problems:
        -->
        --> * self signed certificate)
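
A triage sketch for the vvold.log pattern above, added here as an example and not part of the KB article: it folds the `-->` continuation lines into their log entry and reports each opID where a self-signed certificate rejection coincides with "Empty VP URL for VP". The sample log is constructed, and the function and field names are assumptions.

```python
import re

# Constructed sample shaped like the vvold.log excerpt above; all values are made up.
SAMPLE = """\
2025-07-15T10:04:51.893Z warning vvold[1001] [Originator@6876 sub=Default opID=lro-1] VasaSession::GetEndPoint: failed to get endpoint, err=SSL Exception: Verification parameters:
--> PeerThumbprint: AA:BB:CC:DD
--> ExpectedThumbprint:
--> ExpectedPeerName: 192.0.2.10
--> The remote host certificate has these problems:
--> * self signed certificate, using default
2025-07-15T10:04:51.893Z warning vvold[1001] [Originator@6876 sub=Default opID=lro-1] VasaSession::DoSetContext: Empty VP URL for VP (example-vp) !
2025-07-15T10:04:51.893Z info vvold[1001] [Originator@6876 sub=Default opID=lro-1] Initialize: Failed to establish connection https://192.0.2.10:9997/vasa
2025-07-15T10:05:00.000Z info vvold[1001] [Originator@6876 sub=Default opID=lro-2] Initialize: Failed to establish connection https://192.0.2.20:9997/vasa
"""
HEAD = re.compile(r"^\d{4}-\d{2}-\d{2}T\S+\s+\w+\s+vvold\[\d+\]\s+\[.*?opID=(\S+?)\]\s+(.*)$")
CONT = re.compile(r"^\s*--\s*>\s?(.*)$")  # also tolerates a copy-pasted "-- >"

def entries(text):
    """Yield (opid, message), folding '-->' continuation lines into the message."""
    cur = None
    for line in text.splitlines():
        head, cont = HEAD.match(line), CONT.match(line)
        if head:
            if cur:
                yield tuple(cur)
            cur = [head.group(1), head.group(2)]
        elif cur and cont:
            cur[1] += "\n" + cont.group(1)
    if cur:
        yield tuple(cur)

def triage(text):
    """Return one finding per opID that shows both the rejection and the empty VP URL."""
    ops = {}
    for opid, msg in entries(text):
        f = ops.setdefault(opid, dict(opid=opid, self_signed_rejected=False,
                                      expected_thumbprint_empty=False,
                                      peer=None, vp=None, url=None))
        if "SSL Exception" in msg and "self signed certificate" in msg:
            f["self_signed_rejected"] = True
            f["expected_thumbprint_empty"] = bool(
                re.search(r"^ExpectedThumbprint\s*:\s*$", msg, re.M))
            peer = re.search(r"^ExpectedPeerName\s*:\s*(\S+)", msg, re.M)
            f["peer"] = peer.group(1) if peer else None
        if m := re.search(r"Empty VP URL for VP \((.+?)\)", msg):
            f["vp"] = m.group(1)
        if m := re.search(r"Failed to establish connection (\S+)", msg):
            f["url"] = m.group(1)
    return [f for f in ops.values() if f["self_signed_rejected"] and f["vp"]]
```

Pass the text of /var/run/log/vvold.log copied from the host to `triage()`; each finding names the provider, the endpoint that failed, and whether the host had no expected thumbprint for the peer.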
     

Resolution

1. Change the ESXi host parameter Config.HostAgent.ssl.keyStore.allowSelfSigned to true, as it is self-signed. This allows an ESXi host to accept any certificate in the trust store.

 

Additional information:   

There are 2 important settings that impact the vVol PE: vpxd.certmgmt.mode in vCenter and Config.HostAgent.ssl.keyStore.allowSelfSigned on the ESXi host.

  Config.HostAgent.ssl.keyStore.allowSelfSigned False: You can only add CA (CRL Signed) self-signed certificates to the ESXi trust store, that is, certificates that have the CA bit set to true.

  Config.HostAgent.ssl.keyStore.allowSelfSigned True: It allows an ESXi host to accept any certificate in the trust store. This option allows both non-CA and CA self-signed certificates.

  Determine the type of certificate you are using (self-signed/intermediate/custom) and then set vpxd.certmgmt.mode in vCenter to vmca or custom.

2. Once the above parameter is changed, renew the certificates from the ESXi host:

   Click on the ESXi host --> Configure --> Certificate --> Renew