In our recent PowerMaxOS release I mentioned that we have a new VASA Provider, version 9.1. I noted our recommendation to upgrade to this release, particularly for the performance benefit related to snapshots; however, I failed to mention a VMware bug in ESXi 6.7 that can cause issues when deploying the new version. I was reminded of it yesterday while, oddly enough, helping a VMware team with registering the VP. So what’s the issue?
In VP 9.1, we’ve added a new button to the GATEKEEPERS screen labeled VALIDATE ESXI. After adding the ESXi host, you are required to select this button and accept the certificate from the ESXi host. Unfortunately, unlike when registering the VP in the vCenter, you can’t ignore the certificate and just accept it (a la browser). (I did ask for that capability when I tested this, but it never made it into the VP. I hope it will be in the future, but back to our current issue.) So basically the validation must succeed. In the image below, after adding my ESXi host where the VP is currently running (step 1), I then hit the validate button (step 2), and receive the error (step 3) that the vApp cannot get the certificate.
Now, as I wrote above, this issue only impacts vSphere 6.7 because VMware made a change to the /etc/vmware/rhttpproxy/config.xml file. Specifically, they commented out the following line (77), which used to be un-commented before 6.7:
<!-- <keyStoreFile>/etc/vmware/ssl/castore.pem</keyStoreFile> -->
Commenting out this line causes the error on validation. The fix, therefore, is to un-comment the line and reboot the ESXi host.
(For a similar issue, VMware indicates that you can restart the proxy service by running: /etc/init.d/rhttpproxy restart. I don’t think I had any luck with that versus a reboot, but it doesn’t hurt to try if you want to avoid the reboot.)
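As an added example (not part of the original post, and not VMware or Dell code), the shell functions below report whether the keyStoreFile line is active, commented, or absent, and un-comment it after saving a backup. The function names and the constructed sample file are assumptions; the reboot or proxy restart is still done by hand afterwards.

```shell
#!/bin/sh
# Added example: check and repair the keyStoreFile line in rhttpproxy's config.xml.
# Function names are hypothetical; the path and tag text are the ones quoted in the post.
KEYSTORE_TAG='<keyStoreFile>/etc/vmware/ssl/castore.pem</keyStoreFile>'

# Print "active", "commented" or "absent" for the keystore line in file $1.
keystore_state() {
    if grep -q "^[[:space:]]*${KEYSTORE_TAG}" "$1"; then
        echo active
    elif grep -q "<!--[[:space:]]*${KEYSTORE_TAG}[[:space:]]*-->" "$1"; then
        echo commented
    else
        echo absent
    fi
}

# Un-comment the line in file $1, keeping the original at $1.bak. Idempotent.
# Returns 0 if the line is active afterwards, non-zero if it was not found.
uncomment_keystore() {
    case "$(keystore_state "$1")" in
        active) return 0 ;;
        absent) return 1 ;;
    esac
    cp -p "$1" "$1.bak" || return 1
    tmp="$1.tmp.$$"
    # Strip only the comment markers around this one tag; leave indentation alone.
    sed "s|<!--[[:space:]]*\(${KEYSTORE_TAG}\)[[:space:]]*-->|\1|" "$1" > "$tmp" || return 1
    # Write back into the existing file so its ownership and mode are kept.
    cat "$tmp" > "$1" && rm -f "$tmp"
    [ "$(keystore_state "$1")" = active ]
}

# Demo on a constructed file; on a host, pass /etc/vmware/rhttpproxy/config.xml.
demo() {
    d=$(mktemp -d) && f="$d/config.xml"
    printf '%s\n' '<config>' "  <!-- ${KEYSTORE_TAG} -->" '</config>' > "$f"
    echo "before: $(keystore_state "$f")"
    uncomment_keystore "$f"
    echo "after:  $(keystore_state "$f")"
    rm -rf "$d"
}
demo
```

Running keystore_state again after a patch or upgrade shows whether the line has been commented out once more.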
After the host comes back up, re-attempt validation and now you will get the certificate:
Select YES, and the certificate will be validated. At that point the ADD ARRAY button will un-gray and you can add the PowerMax.
When will the file be fixed? I don’t know, to be honest. I’ve checked the two patch levels VMware says it is fixed in, U2 and U3, but it is still commented. The best recommendation I can provide is that, since you can install the VP on any vCenter, if you have a 6.5 environment I would use that; otherwise the simple file change will take care of it, albeit with a host reboot. Hopefully in the next VP release we will add that ignore button and the issue will be moot, regardless of the vSphere version.