Error: "Certificate Differs from the expected one" when trying to Replicate VMs in VMware Cloud Director Availability 4.x
search cancel

Error: "Certificate Differs from the expected one" when trying to Replicate VMs in VMware Cloud Director Availability 4.x

book

Article ID: 370266

calendar_today

Updated On:

Products

VMware Cloud Director

Issue/Introduction

  • When re-pairing two cloud sites in the VMware Cloud Director Availability (VCDA) Provider Portal, the task fails with the below error:

    "Certificate differs from the expected one"

  • Unable to pair the On-premise VMware Cloud Director Availability with Cloud VMware Cloud Director Availability instance with error

    "The Manager Service '##########################'  was not found."

  • In /opt/vmware/h4/cloud/log/cloud.log on the VMware Cloud Availability Replication Manager, you see the below entries:

    DEBUG - [UI] [job-59] com. vmware.h4.jobengine. JobExecutionresourceName='Service Provider Site'}) completed with result VcloudSiteInfo{apiPublicUrl='null', isLocal=false, state=PeerState{ incomingCommError=null,
     

    ERROR - [UI] [https-jsse-nio-8443-exec-10] c.v.h.c.c.error. ExceptionAdvisorBasesourceSiteType=vcloud&destinationSiteType=vcloud&site=Tenant-Site failed.
    com.vmware.exception.CertificateMismatchException: java.security.cert.CertificateException: Certificate seen on the network differs from the certificate we expected 
    at com. vmware.exception. converter. ClientExceptionConverter.convertException(ClientExceptionConverter. java:50)

  • After changing the certificates in VCDA, the replication of the VMs is not working between the two sites. 
  • Experiencing replication issues between on-prem environment and cloud site.
  • When creating a new outgoing replication an error is displayed stating:

    "Unable to find suitable Replicator Service from site '<SiteName>'"

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware Cloud Director Availability 4.x

Cause

Each VMware Cloud Director Availability service uses a UNIQUE SSL certificate both for the HTTPS access to the service management interface and in the communication with other services. In the event of renewing or replacing the certificate of a VMware Cloud Director Availability service, we need to configure VMware Cloud Director Availability to trust the new certificate and re-pair the sites to re-establish the trust between the two sites.

NOTE: 

We can use a wildcard certificate ONLY for the Cloud Service. To keep the certificates unique, you must use self-signed certificates for the remaining VMware Cloud Director Availability services. Do not use the same wildcard certificate for more than one cloud site.

Resolution

To resolve this issue, Inspect the VMware Cloud Director Availability interface of both sites.

  • Checked the type of the certificate in use whether it is CA-Signed or Self-Signed certificate.
  • Checked if the certificate is valid and not expired.
  • Verify two cloud sites that need to be paired together are NOT using SAME WILDCARD Certificate for all the VMware Cloud Director Availability components.
  • We can use a wildcard certificate only for the CLOUD SERVICE. We must use unique self-signed / CA certificates for the remaining VMware Cloud Director Availability services e.g: Manager, Tunnel and the Replicator.
  • Repair the the two cloud sites.

NOTE: Each VMware Cloud Director Availability service must have a UNIQUE certificate which is different from other services certificates.

 

Additional Information

For more details on replacing the services certificates in the Cloud Director site, please see: Replacing the services certificates in the Cloud Director site

Powered by Wolken Software