Connectivity fails between Local Replicator and Manager due to SSL Handshake Error in VMware Cloud Director Availability

Article ID: 392449

Products

VMware Cloud Director

Issue/Introduction

VMware Cloud Director Availability (VCDA) replication fails with connectivity errors between the local replicator and the VCDA Manager. Logs indicate that the Manager does not recognize the certificate presented by the replicator, leading to an unauthorized request and a terminated SSL handshake.

Symptoms include:

  • Replicator status appearing as offline or "unrecognized peer".

  • BadCredentialsException: Unrecognized client certificate in the Manager logs.

  • GenericSSLException: Remote host terminated the handshake.

Log entries in /opt/vmware/h4/manager/log appear as follows:

ERROR - [##########-#####-#########-#############-##] [https-jsse-nio-8044-exec-5] c.v.h4.common.config.SecurityConfig      : An unauthorized GET request from #.#.#.# port ##### to /diagnostics/rtr-health failed.

org.springframework.security.authentication.BadCredentialsException: Unrecognized client certificate

Remote host terminated the connection:

WARN - [UI-##########-#####-#########-#############-##] [job-41] c.v.h.m.r.ReplicatorHealthChecker: Connectivity issue for replicator: ##########-#####-#########-#############

com.vmware.exception.GenericSSLException: Remote host terminated the handshake

Environment

VMware Cloud Director Availability 4.7.3

Cause

The VCDA Manager is unable to validate the self-signed certificate presented by the Replicator (replicator.vm), causing authentication to fail during the SSL handshake.

Resolution

To resolve the issue, we recommend the following steps:

1. Regenerate Self-Signed Certificates

Regenerate the self-signed certificates for all components of the VCDA cloud site, including both the VCDA Manager and the Replicator. This will ensure that the certificates are properly validated and trusted by all components in the environment.

2. Repair the Replicator Registration

The Manager maintains a registration of all local replicators. When a certificate changes, this registration must be updated to trust the new SSL thumbprint.

  1. Open a web browser and navigate to the VCDA Manager Service Management Portal (typically https://<Manager-IP>:8441/ui/admin).

  2. Log in as the root user.

  3. In the left pane, navigate to Configuration.

  4. Locate the section for Replicator Services (or Local Replicator Services).

  5. Select the specific Replicator instance that is showing a connectivity error.

  6. Click Repair.

  7. In the pop-up window:

    • Verify the Replicator address.

    • Enter the Replicator root password.

    • Enter the SSO credentials if prompted (required for lookup service re-registration).

  8. Click Apply.

  9. Trust the Certificate: You will be prompted to verify and accept the new SSL thumbprint. Click Accept to finalize the trust.

3. Verify System Health

After repairing the registration, confirm the components are communicating correctly.

  1. In the same Manager UI, go to System Monitoring or Dashboard.

  2. Locate the Local Replicator Services status section.

  3. Verify that Service connectivity now displays a green checkmark or "Online" status.

  4. Check manager.log and confirm that no new BadCredentialsException or Unrecognized peer certificate errors are being logged.
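To support the thumbprint check before clicking Accept in the Repair dialog and the log check in the verification step above, here is an added shell script that is not part of this article or of VCDA: it counts the two error signatures quoted above in a manager log, lists the replicator IDs the health checker flagged, and prints the SHA-256 fingerprint of the certificate a host actually presents. The log excerpt, the replicator ID and the host/port arguments are constructed assumptions; the replicator's listening port is not stated in the article.

```shell
#!/bin/sh
# Added example for the Repair and verification steps; not part of the KB article.
# The log format follows the entries quoted in the article. The sample lines,
# the replicator ID and any host/port passed in are constructed assumptions.

# Count the two failure signatures from the article in a manager log file.
# Prints "<BadCredentialsException count> <GenericSSLException count>";
# no new entries of either kind should appear once the Repair has succeeded.
vcda_handshake_errors() {
  bad=$(grep -c 'BadCredentialsException: Unrecognized client certificate' "$1" || true)
  ssl=$(grep -c 'GenericSSLException: Remote host terminated the handshake' "$1" || true)
  echo "$bad $ssl"
}

# List (deduplicated) the replicator IDs named in ReplicatorHealthChecker
# "Connectivity issue for replicator:" warnings, i.e. the instances to
# select under Configuration > Replicator Services and Repair.
vcda_failing_replicators() {
  sed -n 's/.*Connectivity issue for replicator: \([^ ]*\).*/\1/p' "$1" | sort -u
}

# SHA-256 fingerprint of the certificate a host presents on a TLS connection.
# Compare it with the thumbprint shown in the Repair dialog before clicking
# Accept, so that only the replicator's own certificate becomes trusted.
# $1 = host, $2 = port (assumptions; the replicator port is not in the article).
vcda_presented_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# Write a constructed manager.log excerpt modelled on the article's entries
# (IDs, addresses and the INFO line are made up) and print its path.
vcda_sample_log() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
ERROR - [1] [https-jsse-nio-8044-exec-5] c.v.h4.common.config.SecurityConfig : An unauthorized GET request from 192.0.2.10 port 51234 to /diagnostics/rtr-health failed.
org.springframework.security.authentication.BadCredentialsException: Unrecognized client certificate
WARN - [UI-1] [job-41] c.v.h.m.r.ReplicatorHealthChecker: Connectivity issue for replicator: aaaaaaaa-0000-4000-8000-000000000001
com.vmware.exception.GenericSSLException: Remote host terminated the handshake
INFO - [2] [job-42] c.v.h.m.r.ReplicatorHealthChecker: Replicator aaaaaaaa-0000-4000-8000-000000000002 is online
WARN - [UI-3] [job-43] c.v.h.m.r.ReplicatorHealthChecker: Connectivity issue for replicator: aaaaaaaa-0000-4000-8000-000000000001
EOF
  echo "$f"
}

log=$(vcda_sample_log)
echo "errors (bad-credentials ssl-terminated): $(vcda_handshake_errors "$log")"
echo "replicators needing Repair:"; vcda_failing_replicators "$log"
rm -f "$log"
```

Run the same two log functions against /opt/vmware/h4/manager/log on the Manager appliance; run the fingerprint function from the Manager against the replicator's address to compare with the thumbprint shown before accepting it.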

4. (Optional) Refresh Remote Pairing

If this Cloud site is paired with another site (Cloud-to-Cloud), the updated local certificate may need to be pushed to the remote peer.

  1. In the Provider Portal, go to Configuration > Peer Sites.

  2. Select the paired remote site and click Repair.

  3. Click Update to refresh the connection and accept certificates if prompted.