SRM/VR - Server certificate assertion not verified and thumbprint not matched
Article ID: 312754
Updated On:
Products
VMware Live Recovery
VMware vSphere ESXi
Issue/Introduction
Symptoms:
- Unable to reconfigure SRM after upgrade.
- Unable to create a new site pair -
Error:
Failed to retrieve pairs from extension server at https://srm.vmware.local:443/drserver/vcdr/vmomi/sdk.Failed to connect to Site Recovery Manager Server at https://srm.vmware.local:443/drserver/vcdr/vmomi/sdk. Reason: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matched Failed to connect to Site Recovery Manager Server at https://srm.vmware.local:443/drserver/vcdr/vmomi/sdk. Reason: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matchedOperation ID: e53a538a-bf3a-4612-b5fe-771aa92dc629- Unable to reconnect VR site pairs.
Error :Failed to connect to HBR Management Server at https://####:8043. Reason: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matchedServer certificate assertion not verified and thumbprint not matchedCertificate for <####> doesn't match common name of the certificate subject: ####Operation ID: d26e635b
- Aria operations complaining about SRM certificate assertion not verified and thumbprint not matched error.
Environment
VMware vSphere Replication 9.x
VMware vSphere Replication 8.x
Cause
- SRM or VR certificate is assigned to IP address or short name instead of FQDN
- DNS is not configured or incorrectly set for vCenter, SRM & VR appliances
This may also be caused during deployment of the OVF when the hostname is not changed as per the correct DNS record name.
Resolution
The below steps can be applied to both SRM & vSphere replication.
1. Ensure forward and reverse lookup records are created in DNS for the appliance. Verify it by running the nslookup command against the IP & FQDN
Photon Network Manager Commands to update Hostname/IP Address/DNS in SRM & vSphere replication (92586)
2. Change the SRM Appliance Certificate from VAMI to reflect FQDN
3. Reconfigure SRM & reconnect site pair
NOTE: We always recommend using a DNS server. In the absence of a DNS server, assign the appliance certificate to IP address and register it using IP address.
1. Ensure forward and reverse lookup records are created in DNS for the appliance. Verify it by running the nslookup command against the IP & FQDN
root@srm [ ~ ]# hostnamesrmroot@srm [ ~ ]# netmgr hostname --set --name srm.vmware.local root@srm [ ~ ]# netmgr hostname --getHostname: srm.vmware.localPhoton Network Manager Commands to update Hostname/IP Address/DNS in SRM & vSphere replication (92586)
2. Change the SRM Appliance Certificate from VAMI to reflect FQDN
3. Reconfigure SRM & reconnect site pair
NOTE: We always recommend using a DNS server. In the absence of a DNS server, assign the appliance certificate to IP address and register it using IP address.
If the above steps do not resolve the issue then try the following:
Note: It is mandatory to take a snapshot of vCenter, SRM, and VR appliances before making the below changes.
- Log in to the Site Recovery Manager Appliance Management Interface as admin.
- Click Summary, and click Reconfigure.
- On the Platform Services Controller page, enter the information about the site where you deployed the Site Recovery Manager Appliance.
- Edit the "PSC host name": Here please change the IP address of the vCenter server to FQDN on both SRM and VR and then complete the reconfiguration.
- Post making the above changes check whether the SRM plugin is launching via the Source vCenter server.
Feedback
Yes
No
Powered by
