Site Recovery UI Error: 'The certificate of vCenter Server at <FQDN> expired on <date> <time>.'

Article ID: 394290

Updated On:

Products

VMware Live Recovery

Issue/Introduction

Symptoms

  • SSL Certificate Thumbprint Mismatch Error in Site Recovery Manager after vCenter certificate replacement.
  • A reconnect has been done, and the error below is still observed from vCenter DR.

  • An expired machine SSL certificate exists in BACKUP_STORE.

As per the instructions in the KB "Verify and resolve expired vCenter Server certificates using command line interface", the command below was executed in the vCenter Server CLI:

for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;

On vCenter DR 

[*] Store : BACKUP_STORE
Alias : bkp___MACHINE_CERT
            Not After : Mar 10 12:00:18 2023 GMT
Alias : bkp_machine
            Not After : Mar  5 00:00:17 2031 GMT
Alias : bkp_vsphere-webclient
            Not After : Mar  5 00:00:17 2031 GMT
Alias : bkp_vpxd
            Not After : Mar  5 00:00:17 2031 GMT
Alias : bkp_vpxd-extension
            Not After : Mar  5 00:00:17 2031 GMT
Alias : bkp_hvc
            Not After : Mar  5 00:00:17 2031 GMT
Alias : bkp_wcp
            Not After : Apr 10 23:52:44 2031 GMT
Alias : __MACHINE_CERT
            Not After : Mar  6 06:51:48 2025 GMT

On vCenter DC 

[*] Store : BACKUP_STORE
Alias : bkp___MACHINE_CERT
            Not After : Apr 15 15:56:56 2023 GMT
Alias : bkp_machine
            Not After : Apr 10 03:56:56 2031 GMT
Alias : bkp_vsphere-webclient
            Not After : Apr 10 03:56:56 2031 GMT
Alias : bkp_vpxd
            Not After : Apr 10 03:56:56 2031 GMT
Alias : bkp_vpxd-extension
            Not After : Apr 10 03:56:56 2031 GMT
Alias : bkp_hvc
            Not After : Apr 10 03:56:56 2031 GMT
Alias : bkp_wcp
            Not After : Apr 10 03:56:56 2031 GMT
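
To pick out the expired entries from a listing like the ones above without reading each date by eye, the following added example (not part of the KB or of VMware's tooling) filters the Alias / Not After pairs. The function names, the optional reference-time argument and the embedded sample (an excerpt of the vCenter DR output above) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the KB. Reads the "Alias" / "Not After" listing
# produced by the vecs-cli loop above on stdin and prints the entries whose
# Not After date is earlier than a reference time.
# $1 (assumption of this example): reference time as YYYYMMDDHHMMSS in UTC;
# defaults to the current time.
expired_aliases() {
    ref=${1:-$(date -u +%Y%m%d%H%M%S)}
    awk -v ref="$ref" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i
        }
        /^[ \t]*Alias[ \t]*:/ {
            alias = $0
            sub(/^[ \t]*Alias[ \t]*:[ \t]*/, "", alias)
            sub(/[ \t\r]+$/, "", alias)
            next
        }
        /Not After[ \t]*:/ {
            when = $0
            sub(/^.*Not After[ \t]*:[ \t]*/, "", when)
            sub(/[ \t\r]+$/, "", when)
            # when is now e.g. "Mar  5 00:00:17 2031 GMT"
            split(when, f, " ")
            if (!(f[1] in mon)) next      # unparseable date: skip, do not guess
            gsub(/:/, "", f[3])
            # Fixed-width key, so string order equals chronological order
            key = sprintf("%04d%02d%02d%s", f[4], mon[f[1]], f[2], f[3])
            if ((key "") < (ref "")) print alias "\t" when
        }
    '
}

# Constructed sample: an excerpt of the vCenter DR listing shown above.
sample_listing() {
    cat <<'EOF'
[*] Store : BACKUP_STORE
Alias : bkp___MACHINE_CERT
            Not After : Mar 10 12:00:18 2023 GMT
Alias : bkp_machine
            Not After : Mar  5 00:00:17 2031 GMT
Alias : bkp_wcp
            Not After : Apr 10 23:52:44 2031 GMT
EOF
}

sample_listing | expired_aliases 20250101000000
```

On the appliance, pipe `/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store BACKUP_STORE --text` into `expired_aliases` with no argument to compare against the current time.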

 

Environment

VMware Site Recovery Manager 8.x 

VMware vCenter Server 7.x

Cause

The presence of expired machine SSL certificates in the BACKUP_STORE is causing an error on the site recovery page, indicating that the certificate has expired on the vCenter DR.

Resolution

Note: Before proceeding further, take an offline snapshot of vCenter Server in linked mode.

  • Identify the alias of the expired certificate by executing the below command:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store BACKUP_STORE --text
  • Export the certificate as a backup copy.
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store BACKUP_STORE --alias <Alias Name> --output <output file path>

Example -
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store BACKUP_STORE --alias bkp___MACHINE_CERT --output /certificates/old_machine.crt
  • Delete the expired certificate from the VECS store.
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store BACKUP_STORE --alias <Alias Name> -y

Example -
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store BACKUP_STORE --alias bkp___MACHINE_CERT -y
  • The error message will no longer be visible on the Site Recovery page.


Additional Information