VMware Site Recovery Manager pairing fails due to DNS configuration failure.


Article ID: 344730


Products

VMware Live Recovery VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

Symptoms:
Pairing sites in VMware vCenter Site Recovery Manager fails without any error message in the vSphere Web Client,
but the SRM log (vmware-dr.log) contains entries similar to the following:

YYYY-MM-DD:TT:TT:20.413+09:00 [02592 warning 'DrSiteSiteManager'] SSL client handshake to 'vc.example.com:443' failed.
--> std::exception 'class Vmacore::Ssl::SSLVerifyException' "SSL Exception: Verification parameters:
--> PeerThumbprint: 75:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
--> ExpectedThumbprint: 
--> ExpectedPeerName: vc.example.com
--> The remote host certificate has these problems:
-->
--> * The host certificate chain is incomplete.
-->
--> * Host name does not match the subject name(s) in certificate.
-->
--> * unable to get local issuer certificate"



Environment

VMware vCenter Site Recovery Manager 6.0.x
VMware vCenter Site Recovery Manager 8.1.x
VMware vCenter Site Recovery Manager 8.x
VMware vSphere Management Assistant 5.5

Cause

This issue occurs when the vCenter Server address is incorrect: the configured vCenter Server FQDN does not resolve via DNS to the expected IP address, so SRM reaches a different host and is presented with that host's certificate.

Resolution

1. Make sure that the configured vCenter Server and PSC FQDNs resolve via DNS to the expected IP addresses.

2. In the example below, openssl connects to vc2.example.com but is returned the certificate of vc1.example.com.
This is why vmware-dr.log reports "Host name does not match the subject name(s) in certificate".

$ openssl s_client -connect vc2.example.com:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -text | grep DNS:
                DNS:vc1.example.com


Check the DNS records using the nslookup command.

$ nslookup vc2.example.com
Server:  ns.example.com
Address:  192.168.X.X


Name:    vc2.example.com
Address:  192.168.X.X --> Validate if the IP is for the vCenter vc2.example.com and this is not misconfigured 
NOTE - Run nslookup against the IP address as well, so that both the forward (FQDN to IP) and reverse (IP to FQDN) records are validated.


3. You can also obtain the thumbprint of each certificate with the openssl command.
The thumbprint of vc2.example.com should be 62:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:90,
because 75:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:3F is the thumbprint of vc1.example.com.

$ openssl s_client -connect vc2.example.com:443 < /dev/null 2> /dev/null | openssl x509 -noout -fingerprint -in /dev/stdin
SHA1 Fingerprint=75:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:3F


$ openssl s_client -connect 192.168.X.X:443 < /dev/null 2> /dev/null | openssl x509 -noout -fingerprint -in /dev/stdin
SHA1 Fingerprint=62:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:90


$ openssl s_client -connect 192.168.X.X:443 < /dev/null 2> /dev/null | openssl x509 -noout -fingerprint -in /dev/stdin
SHA1 Fingerprint=75:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:3F
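As an added example (not part of this KB article or of the SRM product), the following Python script automates steps 1 to 3: it resolves the FQDN, fetches the certificate by name and by IP with the same openssl commands shown above, and reports the same identity problems that SRM logs. The parsing and comparison (parse_x509_text, check_peer) work on captured openssl output and can be run offline; check_host and x509_text assume openssl is in PATH and the hosts are reachable, and all hostnames and thumbprints are placeholders.

```python
"""Check that a vCenter/PSC FQDN resolves to the host whose certificate it actually serves."""
import re
import socket
import subprocess

FP_RE = re.compile(r"SHA1 Fingerprint=([0-9A-F:]+)", re.I)
SAN_RE = re.compile(r"DNS:([^\s,]+)")


def x509_text(host: str, port: int = 443) -> str:
    """Same pipeline as the manual steps: openssl s_client ... | openssl x509 -fingerprint -text."""
    s_client = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}"],
                              input="", capture_output=True, text=True, check=False)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-sha1", "-fingerprint", "-text"],
                          input=s_client.stdout, capture_output=True, text=True, check=True)
    return x509.stdout


def parse_x509_text(text: str) -> tuple[str, list[str]]:
    """Extract the SHA1 thumbprint and the SAN DNS names from `openssl x509 -fingerprint -text` output."""
    fp = FP_RE.search(text)
    return (fp.group(1).upper() if fp else "", SAN_RE.findall(text))


def name_matches(expected: str, san: str) -> bool:
    """Exact match, or a single-label wildcard such as *.example.com (case-insensitive)."""
    expected, san = expected.lower(), san.lower()
    if san.startswith("*."):
        return expected.count(".") == san.count(".") and expected.endswith(san[1:])
    return expected == san


def check_peer(expected_name: str, by_fqdn: str, by_ip: str) -> list[str]:
    """Compare the certificate seen via FQDN with the one seen via IP; empty list means consistent."""
    fp_fqdn, sans = parse_x509_text(by_fqdn)
    fp_ip, _ = parse_x509_text(by_ip)
    problems = []
    if not any(name_matches(expected_name, s) for s in sans):
        # The same condition SRM reports in vmware-dr.log when DNS points at the wrong host.
        problems.append(f"Host name does not match the subject name(s) in certificate: {sans}")
    if fp_fqdn != fp_ip:
        problems.append(f"thumbprint via FQDN {fp_fqdn} differs from thumbprint via IP {fp_ip}")
    return problems


def check_host(fqdn: str) -> list[str]:
    """Live check (needs network and openssl): forward-resolve the FQDN, then compare both certificates."""
    ip = socket.gethostbyname(fqdn)  # equivalent of the nslookup forward lookup in step 2
    return check_peer(fqdn, x509_text(fqdn), x509_text(ip))
```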