VMware vCenter Site Recovery Manager fails to connect to vCenter Server or Platform Service Controller

Article ID: 312672


Products

VMware Live Recovery

Issue/Introduction

Symptoms:


When VMware vCenter Site Recovery Manager attempts to connect to vCenter Server and the associated Platform Services Controller(s) on which you have updated the certificates, you experience these symptoms:

  • Site Recovery Manager is unable to connect to the vCenter Server or the PSC.

  • You see this error:

    SRM server with GUID GUID of vCenter not paired.
    Failed to connect to vCenter Server at vCenter_FQDN:443/sdk. Reason:
    com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified.


Cause


After you replace the SSL certificate on vCenter Server or the Platform Services Controller, a connection error occurs when SRM attempts to connect to the vCenter Server or Platform Services Controller. This is because the vCenter Server system and the Platform Services Controller use the new certificate, but the corresponding service registrations with the VMware Lookup Service are not updated. When SRM connects to vCenter Server or Platform Services Controller, it looks at the service registration, which includes the service URL and the sslTrust string. By default, the sslTrust string is still the Base64-encoded old certificate, even if you replaced the certificate successfully in vCenter Server and the PSC.
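The mismatch described above can be confirmed by comparing each registration's sslTrust value with the certificate the endpoint presents now. The following Python sketch is an added example, not VMware code and not part of lsdoctor; the registration dictionaries, the `vcenter.example.test` URLs and the placeholder certificate bytes are constructed for illustration, and SHA-256 is used for the fingerprint as an assumption.

```python
import base64
import hashlib
import ssl


def fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of DER-encoded certificate bytes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def ssl_trust_to_der(ssl_trust: str) -> bytes:
    """Decode an sslTrust string (Base64 DER, possibly wrapped across lines)."""
    return base64.b64decode("".join(ssl_trust.split()), validate=True)


def find_stale_registrations(registrations, live_pem: str):
    """Return (url, registered_fp, live_fp) for every registration whose
    sslTrust differs from the certificate the server presents now."""
    live_fp = fingerprint(ssl.PEM_cert_to_DER_cert(live_pem))
    stale = []
    for reg in registrations:
        reg_fp = fingerprint(ssl_trust_to_der(reg["sslTrust"]))
        if reg_fp != live_fp:
            stale.append((reg["url"], reg_fp, live_fp))
    return stale


# Constructed sample data: placeholder bytes stand in for the old and new
# DER certificates. Only equality of the bytes matters for this check.
OLD_DER = b"constructed-old-certificate-bytes"
NEW_DER = b"constructed-new-certificate-bytes"
LIVE_PEM = ssl.DER_cert_to_PEM_cert(NEW_DER)  # what the endpoint serves now
REGISTRATIONS = [
    {"url": "https://vcenter.example.test:443/sdk",
     "sslTrust": base64.b64encode(OLD_DER).decode()},   # never updated
    {"url": "https://vcenter.example.test:443/lookupservice/sdk",
     "sslTrust": base64.b64encode(NEW_DER).decode()},   # already current
]

if __name__ == "__main__":
    for url, reg_fp, live_fp in find_stale_registrations(REGISTRATIONS, LIVE_PEM):
        print(f"STALE {url}\n  registered: {reg_fp}\n  live:       {live_fp}")
```

Against a real system, the live PEM can be fetched with `ssl.get_server_certificate((host, 443))` and the registrations taken from a Lookup Service export. Any entry reported as stale is one that SRM will reject with the CertificateValidationException shown above.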

Resolution


To resolve this issue:

The lsdoctor tool automates all the steps below. For details, see this KB article. Power off and snapshot all nodes before running the tool.

https://kb.vmware.com/s/article/80469

Run the --trustfix option to update the endpoints on the PSC to resolve the issue. If you need us to join a call to assist, let us know.

Then run a modify install in SRM. 

For the SRM appliance, log in to the VAMI page and click Reconfigure.

After this, reconfigure the pairing between sites.

https://docs.vmware.com/en/Site-Recovery-Manager/8.4/com.vmware.srm.install_config.doc/GUID-697BC102-FD91-412E-B33A-4EBE43A8A853.html



Alternatively, to resolve this issue:

  1. Ensure that clocks on both sites are synchronized to a common time reference. The Platform Services Controller (PSC), VMware vCenter Server (vC), and VMware vCenter Site Recovery Manager (SRM) on one site should have the same GMT time as the PSC, vC, and SRM on the other site. The two sites, of course, can be in different time zones as long as the GMT time of the two sites is synchronized correctly. Failure to ensure clock synchronicity may cause unpredictable errors.
     
  2. On one site, update the SSL trust anchors on vCenter Server and Platform Services Controller. For more information, see vCenter Server or Platform Services Controller certificate validation error messages for external solutions in environments with an External Platform Services Controller (2121701) and vCenter Server certificate validation error for external solutions in environments with Embedded Platform Services Controller (2121689).
     
  3. If the new PSC or vC certificates are custom certificates, you have the option of putting the root certificates for these custom certificates into the local SRM machine's certificate trust store and the remote SRM machine's certificate trust store. This involves first downloading the root certificates, and then installing the root certificates in the SRM server:
     
    1. Download the root certificates from VMware vCenter Server. For more information, see How to download and install vCenter Server root certificates to avoid Web Browser certificate warnings (2108294).
       
    2. Import the root certificates into the local (and remote) SRM servers' trusted root store:
       
      1. Open Certificate Manager.
      2. In a Run dialog box type:

        certmgr.msc
      3. Click OK.
      4. Navigate to Trusted Root Certification Authorities > Certificates.
      5. Right-click Certificates and click All Tasks > Import...
      6. Navigate to the location of the Root64.cer from the Obtaining the certificate section.
      7. Select the Trusted Root Certification Authorities certificate store.
      8. Click Next.
      9. Click Finish.
      10. Repeat steps 1 through 8 to add the certificate to the Trusted Publishers store, selecting Trusted Publishers store in step 6.

        Note: For more information, see the Implement The Certificates section in Creating certificate requests, certificates and implementing certificates for the vSphere Authentication Proxy (2105034).
         
  4. Run the Modify Workflow of the SRM installer on the SRM host of the local site to remove/replace the old, incorrect PSC and vCenter Server thumbprints stored in the SRM database.

  5. Run steps 1 through 4 on the second site if you want to update the PSC or vC certificates on the remote site as well.
     
  6. Start the Web (NGC) Client and ensure that there are no errors.

  7. If errors persist, restart the vSphere Web Client service on vCenter Server. Use the commands provided in Stopping, starting, or restarting VMware vCenter Server 6.0 services (2109881).
     
  8. If the two SRM instances are paired, re-pair them.



Additional Information

Creating certificate requests, certificates and implementing certificates for the vSphere Authentication Proxy
How to download and install vCenter Server root certificates to avoid Web Browser certificate warnings
vCenter Server certificate validation error for external solutions in environments with Embedded Platform Services Controller
vCenter Server or Platform Services Controller certificate validation error messages for external solutions in environments with a External Platform Services Controller
Resolution for Entries similar to: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified