Replication failures after cloud replicator certificate replacement in VMware Cloud Director Availability

Article ID: 403185


Products

VMware Cloud Director

Issue/Introduction

In VMware Cloud Director Availability, replication failures may occur after replacing the certificate on the Cloud Replicator appliance. While some replications (e.g., cloud-to-cloud or a subset of site-to-cloud) continue to work normally, others may show degraded health with symptoms such as:

  • RPO violations

  • Synchronization timeouts

  • Tasks getting stuck at specific progress percentages (e.g., 20% or 28%)

Environment

VMware Cloud Director Availability 4.x

Cause

The issue is caused by incomplete or stale communication between VCDA components following a certificate replacement on the Cloud Replicator. Although the certificate may have been successfully regenerated and accepted in the VCDA Manager, endpoint connections and trust relationships may not fully refresh automatically, leading to replication inconsistencies.

Resolution

To resolve the issue, manually refresh all lookup and endpoint connections between the involved VCDA components (replicators, managers and tunnels).

To re-establish the trust for vCenter server (Replication management):

  1. Log in to the Replication Management Portal with root user credentials.
  2. In the left pane, click Configuration.
  3. Go to Service endpoints > Lookup Service Address and click Edit.
  4. In the pop-up window, enter the Lookup Service address and click Apply.
  5. Re-pair the local replicator with the manager to re-authenticate with new changes.

To re-establish the trust for tunnel:

  1. Log in to the VCDA Provider UI.
     URL: https://<VCDA-Manager-FQDN>/provider

  2. Navigate to Configuration > Service Endpoints.

  3. Under Tunnel, click Edit (pencil icon).

  4. Update the Tunnel Public Address to match the correct FQDN or IP that on-prem tenants can reach.

     Example: https://vcda-tunnel.cloudprovider.com:8048

  5. Click Save.

Additional Information

  • The issue is not related to SSL inspection or a fundamental configuration error.

  • Some replications may appear as “Healthy” in status but still violate RPO targets until trust is fully re-established.

  • Always verify connectivity across all endpoints after certificate updates in VCDA environments.
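
One way to run the endpoint check from the last bullet, as an added example that is not part of the original article or VMware tooling: it connects to each endpoint, hashes the certificate actually presented, and compares it with the SHA-256 fingerprint the operator recorded when the certificate was replaced. The endpoint names, hosts and ports are placeholders (the tunnel address reuses the article's example), and the recorded fingerprints are assumed to be colon-separated upper-case hex.

```python
import hashlib
import socket
import ssl

def fingerprint(der):
    """SHA-256 of a DER certificate as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fetch_cert(host, port, timeout=5.0):
    """Return the DER certificate the endpoint presents.
    Validation is off on purpose: the bytes are only hashed and compared
    with a recorded value, and nothing else is sent over this connection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def audit(endpoints, expected, fetch=fetch_cert):
    """endpoints: {name: (host, port)}, expected: {name: fingerprint}.
    Returns {name: "match" | "mismatch" | "unreachable"}."""
    results = {}
    for name, (host, port) in endpoints.items():
        try:
            seen = fingerprint(fetch(host, port))
        except OSError:  # covers ssl.SSLError, timeouts, refused connections
            results[name] = "unreachable"
            continue
        results[name] = "match" if seen == expected.get(name) else "mismatch"
    return results

if __name__ == "__main__":
    # Constructed demo: fake certificate bytes stand in for live appliances.
    served = {"replicator.example.internal": b"constructed-new-cert",
              "vcda-tunnel.cloudprovider.com": b"constructed-old-cert"}

    def fake_fetch(host, port):
        if host not in served:
            raise ConnectionRefusedError(host)
        return served[host]

    endpoints = {"replicator": ("replicator.example.internal", 443),  # placeholder
                 "tunnel": ("vcda-tunnel.cloudprovider.com", 8048),
                 "manager": ("manager.example.internal", 443)}        # placeholder
    expected = {name: fingerprint(b"constructed-new-cert") for name in endpoints}
    for name, status in audit(endpoints, expected, fetch=fake_fetch).items():
        print(f"{name:12} {status}")
```

Drop the `fetch=fake_fetch` argument to query real endpoints. A "mismatch" or "unreachable" result marks an endpoint to re-check before relying on the replication health status shown in the UI.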