Site Recovery Manager & vSphere Replication connectivity with vCenter breaks when Machine SSL certificate is replaced
If you replace the default Machine SSL certificate on the vCenter Server system or the Platform Services Controller, solutions such as Site Recovery Manager and vSphere Replication receive a connection error when they attempt to connect to the vCenter Server or Platform Services Controller. The reason is that the vCenter Server system and the Platform Services Controller now use the new certificate, but the corresponding service registrations with the VMware Lookup Service are not updated. When solutions connect to vCenter Server or the Platform Services Controller, they look at the service registration, which includes the service URL and the sslTrust string, so a registration that still carries the old certificate causes the connection to fail.
1. You replace the Machine SSL certificate on a vCenter Server with an Embedded Platform Services Controller
2. You replace the Machine SSL certificate on an external Platform Services Controller
3. You replace the Machine SSL certificate when it is about to expire
4. You find stale cs.identity registrations in the PSC left over from upgrades or older PSC versions
Validate the sslTrust anchors by using one of the KBs listed below, depending on the version of vCenter in use.
The purpose of doing this is to identify the problems below:
Once you have understood the problems with vCenter certificates, run lsdoctor to list all issues.
Using the 'lsdoctor' Tool (80469)
Run lsdoctor -l
This option checks for common issues in the Lookup Service and does not make any changes to the environment. It reports issues found on any node in the SSO domain. Depending on the issues detected in this output, run lsdoctor with the stalefix and/or trustfix options.
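As an added illustration of the sslTrust mismatch that lsdoctor -l reports (this script is not part of the KB and is not VMware tooling): it decodes each registration's sslTrust value, fingerprints it and compares it with the certificate the endpoint actually serves. The certificate bytes, the registration list and the host name vcenter.example.test are constructed for the example; fetch_served_der is the only part that touches a live endpoint and is not called in the offline run.

```python
import base64
import hashlib
import re
import ssl

# Constructed stand-ins for the DER bytes of two Machine SSL certificates
# (the old one still held in stale registrations, the new one actually served).
# They are not real certificates; they only exercise the comparison logic.
OLD_CERT_DER = b"\x30\x82\x01\x00" + b"OLD-MACHINE-SSL-CERT-constructed"
NEW_CERT_DER = b"\x30\x82\x01\x00" + b"NEW-MACHINE-SSL-CERT-constructed"


def normalize_ssl_trust(ssl_trust: str) -> bytes:
    """Return the DER bytes behind an sslTrust value.

    The Lookup Service stores the certificate base64-encoded; depending on how the
    registration was exported it may also carry PEM armour and line breaks, so strip
    both before decoding.
    """
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", ssl_trust)
    body = re.sub(r"\s+", "", body)
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, the form most tools display."""
    return hashlib.sha256(der).hexdigest()


def fetch_served_der(host: str, port: int = 443) -> bytes:
    """Fetch the certificate the endpoint currently presents.

    Certificate validation is deliberately not performed here: the point of the
    check is that the served certificate may differ from what is registered.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def find_stale_registrations(registrations, served_der: bytes):
    """Compare each registration's sslTrust with the certificate actually served.

    registrations: iterable of dicts with 'service', 'url' and 'sslTrust' keys,
    mirroring the fields the Lookup Service keeps for each registered service.
    Returns the registrations whose sslTrust no longer matches, with both fingerprints.
    """
    served_fp = sha256_fingerprint(served_der)
    stale = []
    for reg in registrations:
        registered_fp = sha256_fingerprint(normalize_ssl_trust(reg["sslTrust"]))
        if registered_fp != served_fp:
            stale.append({"service": reg["service"], "url": reg["url"],
                          "registered_sha256": registered_fp,
                          "served_sha256": served_fp})
    return stale


def _pem_wrap(der: bytes) -> str:
    """Build a PEM-armoured, line-wrapped sslTrust value, as some exports produce."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed registrations for the assumed host vcenter.example.test: one updated
# to the new certificate, one left over with the old certificate's sslTrust.
SAMPLE_REGISTRATIONS = [
    {"service": "vcenterserver",
     "url": "https://vcenter.example.test:443/sdk",
     "sslTrust": base64.b64encode(NEW_CERT_DER).decode()},
    {"service": "cs.identity",
     "url": "https://vcenter.example.test:443/sso-adminserver/sdk/vsphere.local",
     "sslTrust": _pem_wrap(OLD_CERT_DER)},
]

if __name__ == "__main__":
    # Offline run against the constructed sample; for a live check replace
    # NEW_CERT_DER with fetch_served_der("vcenter.example.test").
    for item in find_stale_registrations(SAMPLE_REGISTRATIONS, NEW_CERT_DER):
        print(f"stale sslTrust: {item['service']} at {item['url']}")
        print(f"  registered {item['registered_sha256']}")
        print(f"  served     {item['served_sha256']}")
```

The comparison is done on fingerprints of the DER bytes rather than on the base64 strings, so a registration that differs only in line wrapping or PEM armour is not reported as stale, while one that still carries the pre-replacement certificate is.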
Power OFF and power ON the VR appliance from vCenter, then reconfigure it from the VAMI so that it registers with vCenter successfully. Also reconfigure SRM to register with vCenter.
NOTE: It is mandatory to always power ON a VR appliance from vCenter, because the OVF XML file retrieves the vCenter binding information and other properties when the appliance is powered ON from vCenter, as opposed to powering it ON from the ESXi host client. This is especially important after vCenter certificate changes have been made.
If you still have problems registering the vSphere Replication appliance with vCenter, check the logs below on the VR appliance to find out why registration is failing, or log a case with the SRM support team.
/var/log/vmware/dr/drconfig.log
/var/log/vmware/drconfigui/dr-config.log
/opt/vmware/hms/logs/hms-configtool.log
Node ID - The unique identifier of each vCenter Server deployment. This ID can be obtained by running the command "/usr/lib/vmware-vmafd/bin/vmafd-cli get-ldu --server-name localhost"
SSL Trust - The Base64-encoded certificate configured for the service. When two services communicate with each other through their endpoints, the value of SSL Trust is used to confirm the authenticity of the connection.
Process to view the List of Services Registered with Single Sign-On (2043509)
Verify and resolve expired vCenter Server certificates using command line (82332)
Determining expired SSL certificates in vCenter Server and ESXi 6.x and 7.0.x (2015600)
Manually reviewing certificates in VMware Endpoint Certificate Store for vSphere 6.x and 7.x (2111411)
Take snapshots of the SRM, VR and vCenter/PSC appliances as necessary before performing any of the actions mentioned in the resolution section. Refer to VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice (85662).