The server on port 2380 is used only for direct internal communication between the 3 Etcd instances that form the ClusterStore, and it uses a certificate that is self-signed by design. This connection uses mutual TLS (mTLS), where each peer verifies the other’s identity using certificates stored in a dedicated trust store. Since mTLS support is not enforced for any replaceable certificates on ESXi, none of those can be used for this purpose. The ClusterAgent service creates the keys as 2048-bit RSA, manages and renews the certificates, and securely shares the certificates to form the trust store. All of these are stored in the ClusterAgent's private directory on the host's OSDATA volume.

This server is working as designed, as the described mechanism does not support using a CA-provided certificate. The port 2380 server is not present on ESXi 9.1 and future versions, as the ClusterStore feature no longer uses Etcd.

Port can be safely ignored.