Symptoms
ESXi 6.7U3 (or later) host newly added to vCenter is unable to access vVOl datastore. The environment implements self-signed certificates.
Cause
From ESXi 6.7U3 release, the following host agent settings are available with the listed default values:
Key: Config.HostAgent.ssl.keyStore.allowAny
Default: false
Description: Allow any certificates to be added to the host CA store. Disables CA checks.

Key: Config.HostAgent.ssl.keyStore.allowSelfSigned
Default: false
Description: Allow self-signed certificates to be added to the host CA store.

Key: Config.HostAgent.ssl.keyStore.discardLeaf
Default: true
Description: Discard leaf certificates when adding to the CA store. Leaf certificates in a CA store are generally a misconfiguration.
These settings do not affect self-signed certificates already present in a host's trust store. However, they prevent any new self-signed certificate from being added to a host's trust store. An upgrade therefore does not impact vVol datastores already mounted on a host, but a freshly installed host cannot establish a session with the VASA provider, because vCenter is unable to push self-signed certificates to a host newly added to vCenter.
Resolution
In the case of:
- ESXi 6.7 U3 (or later build) hosts newly added to vCenter
- ESXi hosts freshly installed with a 6.7 U3 or later release
- ESXi hosts upgraded to a 6.7 U3 or later release, where vCenter/host certificates have been renewed or replaced
the listed hostAgent settings will need to be toggled from their default values before vVol datastores can be accessed on such hosts, i.e.:
Config.HostAgent.ssl.keyStore.allowAny -> true
Config.HostAgent.ssl.keyStore.allowSelfSigned -> true
Config.HostAgent.ssl.keyStore.discardLeaf -> false
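The following PowerCLI script is an added example and is not part of the KB article. It first reports the current value of each of the three settings on one host and only changes them when run with -Apply, so you can audit before you change anything. It assumes the VMware.PowerCLI module is installed, that Connect-VIServer has already been run against the vCenter, and that $HostName is the name of the affected host (a placeholder). The setting names and target values are the ones listed above; the Get-AdvancedSetting / Set-AdvancedSetting cmdlets are standard PowerCLI.

```powershell
# Added example, not from the KB: audit and (optionally) toggle the three
# Config.HostAgent.ssl.keyStore settings on a single ESXi host via PowerCLI.
# Assumes: VMware.PowerCLI installed and Connect-VIServer already done.
# $HostName is a placeholder for the affected ESXi host.
param(
    [Parameter(Mandatory = $true)][string]$HostName,
    [switch]$Apply   # without -Apply the script only reports current values
)

# Target values from the KB resolution section
$desired = [ordered]@{
    'Config.HostAgent.ssl.keyStore.allowAny'        = $true
    'Config.HostAgent.ssl.keyStore.allowSelfSigned' = $true
    'Config.HostAgent.ssl.keyStore.discardLeaf'     = $false
}

$vmhost = Get-VMHost -Name $HostName -ErrorAction Stop

foreach ($name in $desired.Keys) {
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $name -ErrorAction Stop
    # Value may come back as a Boolean or as the string "True"/"False";
    # Convert.ToBoolean handles both.
    $current = [System.Convert]::ToBoolean($setting.Value)
    $target  = $desired[$name]
    $status  = if ($current -eq $target) { 'OK' } else { 'CHANGE NEEDED' }
    Write-Host ("{0,-48} current={1,-5} target={2,-5} {3}" -f $name, $current, $target, $status)

    if ($Apply -and ($current -ne $target)) {
        Set-AdvancedSetting -AdvancedSetting $setting -Value $target -Confirm:$false | Out-Null
        Write-Host ("{0,-48} set to {1}" -f $name, $target)
    }
}
```

Run it once without -Apply to see which hosts actually deviate, then with -Apply on the affected hosts only. Note that allowAny disables CA checks entirely, as the table above states, so limit the change to the hosts that need to reach the VASA provider with self-signed certificates rather than setting it cluster-wide by default.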