Seamless upgrade to VASA 5 for VMware Virtual Volume with backward compatibility.

Article ID: 318041

Products

VMware vSphere ESXi

Issue/Introduction

VASA 5 is the latest version of the VMware vSphere Storage APIs for Array Integration (VASA). It provides enhanced capabilities for multi-VC environments and deprecates the use of self-signed certificates by default. This version also uses a per-VC virtual host that always uses a CA-signed certificate, which ensures that all communication between vCenter and the storage array is secure and authenticated.
 
Once the VASA Provider is upgraded to VASA 5 (which enables multi-VC capabilities by default), the issue described here can occur because the VASA Provider uses a self-signed certificate for backward compatibility. In that case, the self-signed certificate needs to be pushed to ESXi so that the host trusts the VASA Provider, which requires additional configuration to be enabled on ESXi.


Symptoms:

After upgrading to VASA 5, users may see SyncError as the VASA Provider state in the CLI on ESXi hosts below 8.0 U1, and the vVol datastore may not be accessible.

 

Logs:

2023-02-27T16:59:54.286Z Wa(164) VVold[1000083476]: [Originator@6876 sub=HttpConnectionPool-000000 opID=lefd2qc2-39225-auto-u9m-h5:70012108-a5-72-8c79] Failed to get pooled connection; <cs p:000000c0a1a4c5e0, TCP:10.186.110.86:8443>, SSL(<io_obj p:0x000000c0a1a49c38, h:16, <TCP '10.168.184.57 : 54845'>, <TCP '10.186.110.86 : 8443'>>), duration: 11msec, N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
2023-02-27T16:59:54.288Z Wa(164) VVold[1000083464]: --> PeerThumbprint: C1:F3:AC:64:06:0E:CA:43:0C:C0:D2:B4:5E:AF:84:6A:C8:61:80:DF
2023-02-27T16:59:54.288Z Wa(164) VVold[1000083464]: --> ExpectedThumbprint:
2023-02-27T16:59:54.288Z Wa(164) VVold[1000083464]: --> ExpectedPeerName: 10.186.110.86
2023-02-27T16:59:54.288Z Wa(164) VVold[1000083464]: --> The remote host certificate has these problems:
2023-02-27T16:59:54.288Z Wa(164) VVold[1000083464]: -->
2023-02-27T16:59:54.288Z Wa(164) VVold[1000083464]: --> * self-signed certificate)
2023-02-27T16:59:54.288Z Wa(164) VVold[1000083464]: -->


Environment

VMware vSphere ESXi 8.0.1

Cause

The VASA Provider may use a self-signed certificate for backward compatibility, but earlier releases of ESXi restrict the use of self-signed certificates.

Resolution

To resolve the issue, upgrade to ESXi 8.0 U1, where ESXi does not need the self-signed certificate once on VASA 5.


Workaround:

The workaround applies when vCenter is upgraded to VASA 5 and there are hosts that do not support VASA 5 (and run in backward compatibility mode), e.g. all versions below 8.0 U1.
 
To ensure that self-signed certificates are trusted, before upgrading to VASA 5.0 or re-registering, change the setting Config.HostAgent.ssl.keyStore.allowSelfSigned to True on all hosts earlier than ESXi 8.0 U1. It is set to False by default. After this, invoke Refresh CA Certificates on the host that has the VASA Provider accessibility issue.
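
Before changing allowSelfSigned on a host, it helps to confirm that the host is failing for exactly the reason shown under Logs, and to compare the logged PeerThumbprint with the thumbprint obtained from the storage array itself. The following is an added example, not VMware code: it parses the VVold excerpt above, and the function names parse_ssl_failures and triage and the pinned mapping are assumptions made for illustration.

```python
import re
# Sample input: the VVold excerpt quoted in this article, embedded so the example runs offline.
SAMPLE_LOG = """\
2023-02-27T16:59:54.286Z Wa(164) VVold[1000083476]: [Originator@6876 sub=HttpConnectionPool-000000 opID=lefd2qc2-39225-auto-u9m-h5:70012108-a5-72-8c79] Failed to get pooled connection; <cs p:000000c0a1a4c5e0, TCP:10.186.110.86:8443>, SSL(<io_obj p:0x000000c0a1a49c38, h:16, <TCP '10.168.184.57 : 54845'>, <TCP '10.186.110.86 : 8443'>>), duration: 11msec, N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
2023-02-27T16:59:54.288Z Wa(164) VVold[1000083464]: --> PeerThumbprint: C1:F3:AC:64:06:0E:CA:43:0C:C0:D2:B4:5E:AF:84:6A:C8:61:80:DF
2023-02-27T16:59:54.288Z Wa(164) VVold[1000083464]: --> ExpectedThumbprint:
2023-02-27T16:59:54.288Z Wa(164) VVold[1000083464]: --> ExpectedPeerName: 10.186.110.86
2023-02-27T16:59:54.288Z Wa(164) VVold[1000083464]: --> The remote host certificate has these problems:
2023-02-27T16:59:54.288Z Wa(164) VVold[1000083464]: -->
2023-02-27T16:59:54.288Z Wa(164) VVold[1000083464]: --> * self-signed certificate)
2023-02-27T16:59:54.288Z Wa(164) VVold[1000083464]: -->
"""

START = re.compile(r"^(?P<ts>\S+) .*?VVold\[\d+\]: .*TCP:(?P<host>[\d.]+):(?P<port>\d+)>.*SSLVerifyException")
CONT = re.compile(r"VVold\[\d+\]: --> ?(?P<body>.*)$")

def parse_ssl_failures(text):
    """Group each SSLVerifyException header line with its '-->' continuation lines."""
    events, cur = [], None
    for line in text.splitlines():
        m = START.search(line)
        if m:
            cur = {"time": m["ts"], "endpoint": f"{m['host']}:{m['port']}", "problems": []}
            events.append(cur)
            continue
        c = CONT.search(line)
        if not (cur and c):
            cur = None  # any other line ends the current record
            continue
        body = c["body"].strip()
        if body.startswith("* "):
            cur["problems"].append(body[2:].rstrip(")"))
        elif ":" in body and not body.endswith("problems:"):
            key, _, val = body.partition(":")
            cur[key.strip()] = val.strip()
    return events

def triage(events, pinned=None):
    """Keep endpoints rejected only as self-signed; pinned (assumption) maps endpoint -> known thumbprint."""
    out = {}
    for e in events:
        if e["problems"] == ["self-signed certificate"]:
            seen = e.get("PeerThumbprint", "").upper()
            want = (pinned or {}).get(e["endpoint"], "").upper()
            out[e["endpoint"]] = {"thumbprint": seen, "matches_pin": (seen == want) if want else None}
    return out

if __name__ == "__main__":
    print(triage(parse_ssl_failures(SAMPLE_LOG)))
```

A matches_pin value of None means no reference thumbprint was supplied for that endpoint; False means the certificate the host saw is not the one expected from the array and should be investigated before the host is told to trust self-signed certificates.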