ESXi 6.7 U3 or later host newly added to vCenter is unable to access vVol datastore

Article ID: 318746

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:

An ESXi 6.7 U3 (or later) host newly added to vCenter is unable to access a vVol datastore.

The environment implements self-signed certificates.

Environment

VMware vSphere ESXi 7.0.x
VMware vSphere ESXi 8.0
VMware vSphere ESXi 6.7

Cause

Starting with the ESXi 6.7 U3 release, the following host agent settings are available with the listed default values (key, default, description):
  • Config.HostAgent.ssl.keyStore.allowAny (default: false): Allow any certificates to be added to the host CA store. Disables CA checks.
  • Config.HostAgent.ssl.keyStore.allowSelfSigned (default: false): Allow self-signed certificates to be added to the host CA store.
  • Config.HostAgent.ssl.keyStore.discardLeaf (default: true): Discard leaf certificates when adding to the CA store. Leaf certificates in a CA store are generally a misconfiguration.


These settings do not affect self-signed certificates that are already in a host's trust store. However, they prevent any new self-signed certificates from being added to a host's trust store.

An upgrade therefore does not affect vVol datastores that are already mounted on a host. A freshly installed host, however, will not be able to establish a session with the VASA provider. vCenter will not be able to push self-signed certificates to a host newly added to vCenter.

Resolution

In the case of:
  • ESXi 6.7 U3 (or later) hosts newly added to vCenter
  • ESXi hosts that are freshly installed with a 6.7 U3 or later release
  • ESXi hosts upgraded to a 6.7 U3 or later release, where vCenter/host certificates have been renewed or replaced
the listed host agent settings need to be changed from their default values before vVol datastores can be accessed on such hosts, i.e.:

Config.HostAgent.ssl.keyStore.allowAny         -> true
Config.HostAgent.ssl.keyStore.allowSelfSigned  -> true
Config.HostAgent.ssl.keyStore.discardLeaf      -> false
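
One way to review and apply the three settings above with VMware PowerCLI, recording the value of each before it is changed. This is an added example, not part of the original article. It assumes an existing Connect-VIServer session, and the host name esx01.example.local is a placeholder.

```powershell
# Added example, not from the KB article. Assumes VMware PowerCLI is installed and
# Connect-VIServer has already been run against the vCenter managing the host.
param(
    [string]$HostName = 'esx01.example.local',  # placeholder host name
    [switch]$Apply                               # without -Apply the script only reports
)

# Defaults are from the Cause section, targets from the Resolution section.
$settings = [ordered]@{
    'Config.HostAgent.ssl.keyStore.allowAny'        = @{ Default = $false; Target = $true  }
    'Config.HostAgent.ssl.keyStore.allowSelfSigned' = @{ Default = $false; Target = $true  }
    'Config.HostAgent.ssl.keyStore.discardLeaf'     = @{ Default = $true;  Target = $false }
}

$vmhost = Get-VMHost -Name $HostName -ErrorAction Stop

$report = foreach ($name in $settings.Keys) {
    $adv = Get-AdvancedSetting -Entity $vmhost -Name $name
    if (-not $adv) {
        # The article lists these keys as available from ESXi 6.7 U3.
        Write-Warning "$name not found on $HostName"
        continue
    }
    $before = [System.Convert]::ToBoolean($adv.Value)
    $target = $settings[$name].Target
    $after  = $before
    if ($Apply -and $before -ne $target) {
        # Change only the keys that differ from the article's target value.
        $after = [System.Convert]::ToBoolean(
            (Set-AdvancedSetting -AdvancedSetting $adv -Value $target -Confirm:$false).Value)
    }
    [pscustomobject]@{
        Setting = $name
        Default = $settings[$name].Default
        Before  = $before
        After   = $after
        Target  = $target
    }
}

$report | Format-Table -AutoSize
```

Run it without -Apply first to capture the current values; the Default column shows the values listed in the Cause section.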