Stateless ESX 9.0 Hosts Fail to Register IO Filters Due to Email Address Present in VMCA Certificate SAN Field "org.apache.axis2.AxisFault: Host name could not be verified!"


Article ID: 437072


Updated On:

Products

VMware vSphere ESXi
VMware vCenter Server

Issue/Introduction

  • After an ESX host boots following deployment through Auto Deploy, the following alert is observed on the vCenter Server:
    "Registration/unregistration of third-party IO filter storage providers fails on a host."

  • The manual "Synchronize Storage Providers" task fails on the vCenter Server.

    Registration of a IOFilter VASA Provider https://ESX_FQDN:1443/iofiltervp/version.xml failed - Port 1443 might be disabled on corresponding ESXi host or at Firewall level. Please refer kb#375445 for more info.

    VMware vCenter Storage Monitoring Service com.vmware.vc.sms.IoFilterVPRegisterFailure
    Date Time: <DATE>
    Type: Error
    User: VMware vCenter Storage Monitoring Service
    Target: ESX_FQDN
    Description: Registration of a IOFilter VASA Provider https://ESX_FQDN:1443/iofiltervp/version.xml failed - Port 1443 might be disabled on corresponding ESXi host or at Firewall level. Please refer kb#375445 for more info.
    Related events: There are no related events.

  • The following errors are seen on the vCenter Server:

    /var/log/vmware/vmware-sps/sps.log
    YYYY-MM-DDTHH:MM:SS.650Z [pool-29-thread-4] INFO  opId=iofilterVasa.cpp:###-#### com.vmware.vim.sms.provider.vasa.version.Version7Strategy - [queryVasaProviderInfo] Get VasaProviderInfo for provider: https://ESX_FQDN:1443/iofiltervp/version.xml
    YYYY-MM-DDTHH:MM:SS.678Z [pool-29-thread-4] ERROR opId=iofilterVasa.cpp:###-#### com.vmware.vim.sms.util.CustomHostNameVerifier - [verify] Hostname verification failed for host: ##.##.##.##. SAN extension contains entry {1} other than iPAddress or dNSName
    YYYY-MM-DDTHH:MM:SS.678Z [pool-29-thread-4] ERROR opId=iofilterVasa.cpp:###-#### com.vmware.vim.sms.client.VasaClientImpl - [registerVCClientCertificate] Remote exception
                      org.apache.axis2.AxisFault: Host name could not be verified!
    YYYY-MM-DDTHH:MM:SS.679Z [pool-29-thread-4] ERROR opId=iofilterVasa.cpp:###-#### com.vmware.vim.sms.provider.vasa.VasaProviderImpl - [init] Provider creation failed :
                      com.vmware.vim.binding.sms.fault.ProviderRegistrationFault: Error in queryVasaProviderInfo org.apache.axis2.AxisFault: Host name could not be verified!

  • This issue is not observed on ESXi 8.0 hosts.

  • Renewing the host certificates using VMCA on the vCenter Server allows the "Synchronize Storage Providers" task to complete successfully, and the IO filter registers as expected.

Environment

VMware ESX 9.0
VMware vCenter 9.0

Cause

Storage Policy-Based Management (SPBM) does not ignore the email-based SAN entry during hostname verification, which leads to the failure observed during IO filter registration.
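The following check is an added example, not Broadcom code: it parses the text printed by `openssl x509 -noout -ext subjectAltName` for a host certificate and reports SAN entries that are neither dNSName nor iPAddress, which is the condition the sps.log message describes. It assumes the `{1}` in that message is the X.509 GeneralName tag for rfc822Name (email); the host name, address and mailbox in the samples are constructed.

```python
import re

# OpenSSL text label -> X.509 GeneralName tag number (RFC 5280, section 4.2.1.6).
GENERAL_NAME_TAGS = {
    "othername": 0, "email": 1, "DNS": 2, "X400Name": 3, "DirName": 4,
    "EdiPartyName": 5, "URI": 6, "IP Address": 7, "Registered ID": 8,
}
# The sps.log message accepts only dNSName (2) and iPAddress (7) entries.
HOST_TAGS = {2, 7}

_LABELS = "|".join(re.escape(label) for label in GENERAL_NAME_TAGS)
# One entry runs from its label to the next ", <label>:" or the end of the text.
_ENTRY = re.compile(rf"({_LABELS}):(.*?)(?=,\s*(?:{_LABELS}):|$)", re.S)


def parse_san(openssl_text):
    """Parse openssl's subjectAltName text into (tag, label, value) tuples."""
    lines = [ln.strip() for ln in openssl_text.splitlines()
             if "Subject Alternative Name" not in ln]
    body = " ".join(ln for ln in lines if ln)
    return [(GENERAL_NAME_TAGS[m.group(1)], m.group(1), m.group(2).strip())
            for m in _ENTRY.finditer(body)]


def non_host_entries(openssl_text):
    """Return SAN entries that are neither dNSName nor iPAddress."""
    return [e for e in parse_san(openssl_text) if e[0] not in HOST_TAGS]


def passes_strict_check(openssl_text):
    """Model of the logged behaviour: any non-host SAN entry fails verification."""
    return not non_host_entries(openssl_text)


# Constructed samples: a certificate carrying an email SAN entry, and one without.
SAN_WITH_EMAIL = """X509v3 Subject Alternative Name:
    DNS:esx01.example.test, IP Address:192.0.2.10, email:vmca@example.test
"""
SAN_HOST_ONLY = """X509v3 Subject Alternative Name:
    DNS:esx01.example.test, IP Address:192.0.2.10
"""

if __name__ == "__main__":
    for name, text in (("with email", SAN_WITH_EMAIL), ("host only", SAN_HOST_ONLY)):
        print(name, "pass" if passes_strict_check(text) else "fail",
              non_host_entries(text))
```
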

Resolution

Broadcom Engineering is aware of this issue, and a fix is planned for a future release.

Workaround
To prevent the email address from being included in the SAN field, modify the vCenter advanced setting as outlined below:

  1. In the vSphere Client, navigate to vCenter Server → Configure → Advanced Settings.
  2. In the filter field, search for the parameter vpxd.certmgmt.certs.cn.email.
  3. Edit the parameter and set its value to empty (blank).
  4. Save the changes and verify that the updated value has been applied successfully.
  5. Proceed with the stateless deployment using Auto Deploy after confirming the change.