I manually re-registered the VASA provider URL with vCenter so everything was FQDN. Our DNS entry for the array works fine for vCenter and the hosts, but still no PE is displayed on any of the hosts and they cannot write to the Vvol datastore, nor retrieve its size.
CA certs have been refreshed on all the hosts... even tried deleting rui.crt from the root store and breaking the vCenter trust, then re-adding one of the hosts and re-generating both the host and vvol service SSL, and still nothing.
/sbin/generate-certificates && /etc/init.d/hostd restart && /etc/init.d/vpxa restart
/etc/init.d/vvold ssl_reset
We then verified port 8443 works via netcat and is reachable off the array by curl'ing the XML out of the VASA URL from vCenter SSH and verifying its contents are the same as when hit in the browser, to rule out any in-flight network corruption.
Vvol service is allowed to go out of ESXi firewall.
NTP sync is also tight between the hosts, vCenter and the array.
It's getting difficult to identify what is left to check, except for maybe seeing an old PSC we had to decommission (verified no longer a replication partner) still being listed in the output of openssl s_client -connect <array_IP>:8443
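As an added example (not the poster's own tooling), the following Python script parses the certificate chain section of `openssl s_client -connect <array_IP>:8443 -showcerts` output and flags any issuer that is not in the set of certificate authorities the hosts currently trust, which is exactly the kind of stale-PSC signer the last check above is looking for. The sample output and all host names in it are constructed placeholders; the chain-listing format (` 0 s:` / `   i:` lines) is the one printed by OpenSSL 1.1.1 and later and is assumed here.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `openssl s_client -connect <array_IP>:8443 -showcerts`
# output. Host names are placeholders, not values from the thread.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=1 CN = old-psc.example.local
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = array.example.local
   i:CN = old-psc.example.local
 1 s:CN = old-psc.example.local
   i:CN = old-psc.example.local
---
"""

# ` 0 s:<subject>` opens a chain entry; `   i:<issuer>` follows it.
SUBJECT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_LINE = re.compile(r"^\s+i:(.*)$")


def parse_chain(output: str) -> List[Dict[str, object]]:
    """Return the certificate chain as a list of {depth, subject, issuer} dicts."""
    entries: List[Dict[str, object]] = []
    current = None
    in_chain = False
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.strip() == "---":  # end of the chain section
            break
        m = SUBJECT_LINE.match(line)
        if m:
            current = {"depth": int(m.group(1)),
                       "subject": m.group(2).strip(),
                       "issuer": ""}
            entries.append(current)
            continue
        m = ISSUER_LINE.match(line)
        if m and current is not None:
            current["issuer"] = m.group(1).strip()
    return entries


def find_unexpected_issuers(entries: List[Dict[str, object]],
                            trusted_issuers: Set[str]) -> List[str]:
    """Issuers in the presented chain that are not among the CAs we still trust."""
    return sorted({str(e["issuer"]) for e in entries
                   if e["issuer"] not in trusted_issuers})


def verify_errors(output: str) -> List[str]:
    """Lines where s_client reported a chain verification failure."""
    return [line for line in output.splitlines()
            if line.startswith("verify error")]


if __name__ == "__main__":
    # Assumed: the hosts' current trust store contains only the live PSC CA.
    trusted = {"CN = current-psc.example.local"}
    chain = parse_chain(SAMPLE_S_CLIENT_OUTPUT)
    for entry in chain:
        print(f"depth {entry['depth']}: {entry['subject']}  <- {entry['issuer']}")
    print("unexpected issuers:", find_unexpected_issuers(chain, trusted))
    print("verify errors:", verify_errors(SAMPLE_S_CLIENT_OUTPUT))
```

To use it against a real array, pipe the captured `s_client` output into `parse_chain` and set `trusted` to the subjects of the CA certificates actually present in the hosts' root store; any issuer it reports is a certificate the array is still serving that the refreshed hosts have no reason to trust.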