While this seems to be an old thread, I just wanted to say what my fix for this issue appears to be. Late last year, we upgrade the firmware on our FC SAN array, 3Par, and I had to remove and re-register the VASA provider. The 3Par is operating in a mode where it handles the certs and not vCenter. Apparently, something about the way it registered the cert with vCenter put an alias in the trusted root store that is invalid. It used the URL for the VASA provider as the alias, so the alias is 'https://ip_of_vasa:9997/vasa' as the alias and it apparently doesn't like the special characters. GSS walked through removing and unregistering the cert on the VCSA cli and it restarted without issue. I've got a ticket open with HPE currently on how to change the 3Par so it will use the vCenter generated cert instead of its own self-signed cert.
Ran this command to see the alias:
for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
and you can see the problem alias below:
STORE TRUSTED_ROOTS
Alias : eb34...
Not After : Jan 15 15:41:25 2030 GMT
Alias : e14...
Not After : Feb 9 15:02:55 2027 GMT
Alias : fca....
Not After : Sep 19 17:37:41 2027 GMT
Alias : https://IP_ADDR:9997/vasa
Not After : Sep 19 17:37:41 2027 GMT
