This article provides information to resolve the certificate issue for vVols after vCenter changes or CA certificate changes.
Symptoms:
1. After moving a host to another vCenter Server or after refreshing the CA certificate, you experience these symptoms:
esxcli storage vvol vasaprovider list displays VP status as syncError.
In /var/log/vvold.log, you see entries similar to:
esxcli storage vvol storagecontainer list returns output similar to:
esxcli storage vvol vasaprovider list returns output similar to:
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
VMware vSphere ESXi 8.0
VMware vSphere ESXi 7.0
vCenter Server 8.0
vCenter Server 7.0
This issue occurs because the vVol ssl_reset does not occur automatically when a VMCA-signed certificate is pushed to the host.
If the vCenter custom certificate has been updated recently and the ESXi host is experiencing a thumbprint mismatch issue, this indicates that the thumbprints on the ESXi host and vCenter no longer match.
Note: If the ESXi hosts do not recognize the updated root certificate, they may reject communication with vCenter, leading to connectivity issues with vVols.
To work around this issue, reset the vVold SSL certificate:
/etc/init.d/vvold ssl_reset && /etc/init.d/vvold restart
tail -f /var/log/vvold.log
Change to the /etc/vmware/ssl directory.
mv rui.crt orig.rui.crt
mv rui.key orig.rui.key
Run /sbin/generate-certificates to generate new certificates.
Run ls -l and compare the time stamps of the new certificate files with orig.rui.crt and orig.rui.key.
Run ls -l to ensure the date changed on the castore.pem file.
tail -f /var/log/vvold.log
If you see errors, update the vCenter Server TRUSTED_ROOTS store.
14. Disconnect and reconnect the ESXi host to the vCenter Server to resolve a mismatched SSL thumbprint in vCenter Server compared to the ESXi host.
15. Run tail -f /var/log/vvold.log to verify the error is no longer seen.
The expected output should be as below:
[YYYY-MM-DDTHH:MM] info vvold[8355B70] [Originator@6876 sub=default] SI:GetVvolVontainer successful for DataStoreName, id= maxVVol=0 MB ...
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
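A post-check for the workaround above, as an added example that is not part of the original KB: it confirms that rui.crt and rui.key are newer than the orig.* backups, prints the new certificate fingerprint, and looks for the success entry in vvold.log. The function names, the 200-line tail window, the SHA-256 digest and the availability of openssl on the host are assumptions.

```shell
#!/bin/sh
# Added example: post-regeneration checks for the vvold certificate workaround.
# SSL_DIR and LOG default to the paths named in the article.
SSL_DIR=${SSL_DIR:-/etc/vmware/ssl}
LOG=${LOG:-/var/log/vvold.log}

# Return 0 only if rui.crt and rui.key exist and are newer than the orig.*
# backups. mv keeps the old mtime, so a freshly generated pair must be newer.
certs_regenerated() {
    dir=$1
    for f in rui.crt rui.key; do
        if [ ! -s "$dir/$f" ] || [ ! -f "$dir/orig.$f" ]; then
            echo "FAIL: $dir/$f or its orig.$f backup is missing" >&2
            return 2
        fi
        if [ ! "$dir/$f" -nt "$dir/orig.$f" ]; then
            echo "FAIL: $f is not newer than orig.$f" >&2
            return 1
        fi
    done
    return 0
}

# Return 0 if the last N lines (default 200, an assumption) of the log hold
# the success entry. "Vvol.ontainer" tolerates the spelling in the article.
vvold_recovered() {
    tail -n "${2:-200}" "$1" 2>/dev/null |
        grep -q 'SI:GetVvol.ontainer successful'
}

# Print the new certificate fingerprint for comparison with the thumbprint
# vCenter shows (assumes openssl; use the digest your vCenter displays).
print_thumbprint() {
    openssl x509 -in "$1/rui.crt" -noout -fingerprint -sha256
}

# Hypothetical wrapper: run every check and stop at the first failure.
post_check() {
    certs_regenerated "$SSL_DIR" || return 1
    print_thumbprint "$SSL_DIR" || return 1
    vvold_recovered "$LOG" || { echo "FAIL: no success entry in $LOG" >&2; return 1; }
    echo "OK: certificates regenerated and vvold reports success"
}
```

Source the file on the host and call post_check after vvold has restarted and the host has been reconnected.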
For a vCenter or ESXi host whose custom certificate has been updated, try the steps below:
Download the root certificate from the vCenter server and update the root certificate on the ESXi nodes.
Please follow the steps mentioned in the following KB to download the vCenter root certificate and update it on the ESXi host.
Refer: