Re-Pair fails with error "Certificate Differs from the expected one" in vCloud Director Availability 4.x.

Article ID: 370266

Products

VMware Cloud Director

Issue/Introduction

When re-pairing two cloud sites in the vCloud Availability Provider Portal, the task fails with the below error:

"Certificate differs from the expected one."


In /opt/vmware/h4/cloud/log/cloud.log on the vCloud Availability vApp Replication Manager, you see the below entries:

DEBUG - [UI] [job-59] com.vmware.h4.jobengine.JobExecution     : Task ID (WorkflowInfo{type='pair', resourceType='site', resourceId='Provider-Site', isPrivate=false, resourceName='Service Provider Site'}) completed with result VcloudSiteInfo{apiPublicUrl='null', isLocal=false, state=PeerState{incomingCommError=null,

ERROR - [UI] [https-jsse-nio-8443-exec-10] c.v.h.c.c.error.ExceptionAdvisorBase     : A GET request from root[x.x.x.x] to /vm-replications/summary?sourceSiteType=vcloud&destinationSiteType=vcloud&site=Tenant-Site failed. 

com.vmware.exception.CertificateMismatchException: java.security.cert.CertificateException: Certificate seen on the network differs from the certificate we expected
    at com.vmware.exception.converter.ClientExceptionConverter.convertException(ClientExceptionConverter.java:50)

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware vCloud Availability 4.5.

Cause

Each VMware Cloud Director Availability service uses a UNIQUE SSL certificate, both for HTTPS access to its management interface and for communication with the other services. When the certificate of a VMware Cloud Director Availability service is renewed or replaced, VMware Cloud Director Availability must be configured to trust the new certificate, and the sites must be re-paired to re-establish the trust between them.

NOTE: 

We can use a wildcard certificate ONLY for the Cloud Service. To keep the certificates unique, you must use self-signed certificates for the remaining VMware Cloud Director Availability services. Do not use the same wildcard certificate for more than one cloud site.

Resolution

To resolve this issue, we first inspected the VMware vCloud Director Availability interface of both sites:

  • Checked whether the certificate in use is CA-signed or self-signed.
  • Checked that the certificate is valid and not expired.
  • Found that the two cloud sites to be paired were using the SAME WILDCARD certificate for all vCloud Director Availability components, which is NOT supported by design.
  • A wildcard certificate can be used only for the CLOUD SERVICE. Self-signed certificates must be used for the remaining VMware Cloud Director Availability services, for example the Manager, the Tunnel and the Replicator.
  • Imported a unique certificate for each vCloud Director Availability service, after which the sites paired without any issues.

NOTE: Each VMware Cloud Director Availability service must have a UNIQUE certificate, different from the certificates of the other services.
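The inspection described above (does any service share a certificate, and does any service other than the Cloud Service present a wildcard certificate) can be scripted so it is run before pairing rather than after the CertificateMismatchException appears. The script below is an added example, not code from this article or from VMware Cloud Director Availability; it assumes the openssl command-line tool is available, and the hostnames, ports and service labels in the usage section are placeholders to be replaced with the HTTPS endpoints of your own services.

```shell
#!/bin/sh
# Added example: audit the certificates presented by VCDA service endpoints.
# Not VMware code. Requires the openssl CLI. All hostnames/ports below are
# placeholders (*.example); use the management endpoint of each of your services.

# fetch_fingerprint HOST:PORT
# Prints the SHA-256 fingerprint of the leaf certificate presented at the endpoint.
fetch_fingerprint() {
    endpoint="$1"
    host="${endpoint%%:*}"
    printf '' | openssl s_client -connect "$endpoint" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//'
}

# find_shared_fingerprints
# Reads "LABEL FINGERPRINT" lines on stdin and prints one line per fingerprint
# presented by more than one label, as "FINGERPRINT LABEL1,LABEL2,...".
# Any output means two services (or two sites) share a certificate, which the
# article identifies as the cause of the failed re-pair.
find_shared_fingerprints() {
    sort -k2 | awk '
        {
            if ($2 in labels) labels[$2] = labels[$2] "," $1
            else labels[$2] = $1
            count[$2]++
        }
        END { for (fp in count) if (count[fp] > 1) print fp, labels[fp] }
    ' | sort
}

# has_wildcard_name
# Reads the output of "openssl x509 -noout -subject -ext subjectAltName" on stdin
# and succeeds if the certificate carries a wildcard (*.domain) name. The article
# allows a wildcard certificate only for the Cloud Service; any other service
# whose certificate passes this check should receive its own self-signed one.
has_wildcard_name() {
    grep -q '\*\.'
}

# audit_endpoints LABEL=HOST:PORT ...
# Collects the fingerprint of every listed service over the network and reports
# the fingerprints that are shared between labels (empty output = no sharing).
audit_endpoints() {
    for pair in "$@"; do
        label="${pair%%=*}"
        endpoint="${pair#*=}"
        fp=$(fetch_fingerprint "$endpoint")
        [ -n "$fp" ] && printf '%s %s\n' "$label" "$fp"
    done | find_shared_fingerprints
}

# Usage with placeholder endpoints; runs only when invoked as "script.sh --run".
# List every service of BOTH sites so cross-site sharing is detected as well.
if [ "${1:-}" = "--run" ]; then
    audit_endpoints \
        siteA-cloud=cloud.site-a.example:443 \
        siteA-manager=manager.site-a.example:443 \
        siteA-tunnel=tunnel.site-a.example:443 \
        siteA-replicator=replicator.site-a.example:443 \
        siteB-cloud=cloud.site-b.example:443 \
        siteB-manager=manager.site-b.example:443
fi
```

A clean result is an empty report from audit_endpoints; every line it does print names one certificate and the services that present it, which is exactly the configuration the Cause section rules out. The fingerprint comparison is done in a separate function so the same check can be applied to fingerprints copied from the appliance UI when the endpoints are not reachable from the admin workstation.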

Additional Information

For more details on replacing the services certificates in the Cloud Director site, please see: Replacing the services certificates in the Cloud Director site