vSAN File Service shows "Domain not configured" with error "The operation is not allowed in the current state" attempting to configure the domain fails
Article ID: 413065
Updated On:
Products
Issue/Introduction
Configuring vSAN File Service fails with a message about configuring the domain
When attempting to configure the domain, it fails with a message "The operation is not allowed in the current state"
In Recent Tasks there are the following errors "The operation is not allowed in the current state. vSAN file service is not enabled on this host yet."
Environment
vSAN 8.0
vSAN 7.0
vSAN 9.0
vSAN File service
Cause
This is related to an EAM API call failing with CertificateNotTrustedFault or EAM agent has CertificateNotTrusted issue
You can confirm this issue by reviewing the EAM logs under: /var/log/vmware/eam/eam.log where you will see an error similar to the following:
2025-10-02T03:23:53.249Z | INFO | vlsi | URLConnectionSpecFactory.java | 88 | Created URLConnectionSpec(urlLocation:https://##########.#######.com:443/vsanHealth/fileService/ovf/8.0.3.1000-24859861/VMware-vSAN-File-Services-Appliance-8.0.3.1000-24859861_OVF10.ovf, certificateVerification:true, certificateConfigured:false, headers: {} using default system VECS/system CAs trust
2025-10-02T03:23:53.661Z | ERROR | vlsi | LegacyAgencyBase.java | 1154 | Agent OVF URL is not trusted.
com.vmware.eam.security.trust.NotTrusted: Suitable trust, not found!
Resolution
Resolve the EAM trust issue either by disabling trust or installing cert trust, or refresh the Machine cert
Option 1: Configure the trust via EAM API.
Do one of the following options below to create leaf trust, or disable trust to OVF URL.
To keep cert verification and have secure download to external URL.
- Configure a leaf SSL certificate that is to be trusted for the OVF (either stored in vCenter or external URL).
- run the following command in the vCenter CLI
/usr/lib/vmware-eam/bin/eam-utility.py install-cert <"OVF_URL">Use the full URL from the error for example:
/usr/lib/vmware-eam/bin/eam-utility.py install-cert "https://it-vcenter-example.com:443/vsanHealth/fileService/ovf/8.0.3.1000-24859861/VMware-vSAN-File-Services-Appliance-8.0.3.1000-24859861_OVF10.ovf"
- run the following command in the vCenter CLI
To bypass cert verification with unsecure download possible,
- Disable the SSL verification for certificate to that OVF when trying to access a specific OVF URL.
- run the following command in the vCenter CLI
/usr/lib/vmware-eam/bin/eam-utility.py disable-trust <OVF_URL>Use the full URL from the error for example:
/usr/lib/vmware-eam/bin/eam-utility.py disable-trust "https://it-vcenter-example.com:443/vsanHealth/fileService/ovf/8.0.3.1000-24859861/VMware-vSAN-File-Services-Appliance-8.0.3.1000-24859861_OVF10.ovf"
- run the following command in the vCenter CLI
Reference KB: EAM API call fails with CertificateNotTrustedFault or EAM agent has CertificateNotTrusted issue.
Option 2, refresh the Machine cert in VECS (VMware Endpoint Certificate Store) for the vCenter server.
An outdated or mismatching certificate data between the cert and VECS can cause the trust mismatch. To resolve, you can refresh the certificate in VECS with the current machine certificate for vCenter. Which will update endpoints to the current certificate chain.
To learn more about VECS and reviewing the certificates stored in VECS, please see this KB.
Additional Information
EAM API call fails with CertificateNotTrustedFault:
EAM API call fails with CertificateNotTrustedFault or EAM agent has CertificateNotTrusted issue.
Upgrade Pre-check states "Source ESX Agent Manager Configuration contains URLs that are not trusted by the System:
Manually reviewing VECS:
Manually reviewing certificates in VMware Endpoint Certificate Store for vSphere 6.x and 7.x
If vSAN File Services has already been deployed and configured but will not upgrade with EAM API call failing with CertificateNotTrustedFault or EAM agent has CertificateNotTrusted issue see KB: vSAN file service does not redeploy vSANFS nodes
Feedback
