vSphere Replication Appliance Reconfiguration Failed with 'Failed to Register H5UI' Due to Certificate Change

Article ID: 403568


Products

VMware vSphere ESXi

Issue/Introduction

Symptoms 

  • Reconfiguring the vSphere Replication (VR) appliance fails with the error "Failed to register H5UI".
  • The issue is observed after a certificate change on the vSphere Replication appliance.

  • Validate drconfig.log and check for an SSL thumbprint mismatch.

     View the log: less /opt/vmware/support/logs/dr/drconfig.log

    2025-07-08 11:07:18.167 ERROR com.vmware.hms.net.impl.hbr.ConnectionHandlerImpl [hms-ping-scheduled-thread-4] (..impl.hbr.ConnectionHandlerImpl) [operationID=#####-###-4d2d-###-####-HMS-PING] | Failed to log in HBR at '##.#.###.##'
    com.vmware.vim.binding.hbr.replica.fault.InvalidLogin: Invalid login; Unknown client SSL thumbprint  mismatch ##:0B:##:##:C8:##:8E:##:##:A8:##:##:8A:##:A9:##:##:3F:##:##:02:45:##:B9:CB:##:##:##:##:##:##:##
            at jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(Unknown Source) ~[?:?]
            at java.lang.reflect.Constructor.newInstanceWithCaller(Unknown Source) ~[?:?]
            at java.lang.reflect.ReflectAccess.newInstance(Unknown Source) ~[?:?]
            at jdk.internal.reflect.ReflectionFactory.newInstance(Unknown Source) ~[?:?]

Environment

VMware vSphere ESXi 8.x

vSphere Replication 9.x

Cause

The updated vSphere Replication certificate details were not reflected in the vCenter Server database and the sync was missing, which results in a thumbprint mismatch between vCenter and the vSphere Replication appliance.

This error typically happens when the SSL certificate of the vSphere Replication (VR) appliance does not match the expected certificate on the vCenter Server.

The vCenter Server might not trust the SSL certificate of the VR appliance if it was either self-signed or signed by an untrusted certificate authority (CA).

Cause Validation

  • Validate hms.log and check for an SSL mismatch.
        
    2025-07-08 11:06:58.135 WARN  com.vmware.hms.net.hbr.ping.svr.###-3b85-bdd3-###-#####[hms-ping-scheduled-thread-5] (..net.impl.VmomiPingConnectionHandler) [operationID=89f71##-###-###-ae32-####-HMS-PING] | Failed to reconnect to server 1##.##.##0.##:8123: (hbr.replica.fault.InvalidLogin) {
    faultCause = null,
    faultMessage = null
    Caused by: com.vmware.vim.binding.hbr.replica.fault.InvalidLogin: Invalid login; Unknown client SSLthumbprint ##:0B:AF:BC:##:4F:##:##:CF:##:##:0F:8A:##:A9:36:##:3F:51:##:##:##:##:B9:##:##:##:##:##B4:51:79

  • Run lsdoctor using KB 320837 and check for "SSL Trust Mismatch".

    2025-07-08T11:35:00 INFO main: You are reporting on problems found across the SSO domain in the lookup service.  This doesn't make changes.
    2025-07-08T11:35:00 INFO live_checkCerts: Checking services for trust mismatches...
    2025-07-08T11:35:00 INFO generateReport: Listing lookup service problems found in SSO domain
    2025-07-08T11:35:00 ERROR generateReport: default-site\1##.9.###.##(VC 7.0 or CGW) found Duplicates Found: Ignore if this is the PSC HA VIP.  Otherwise, you must unregister the extra endpoints.
    2025-07-08T11:35:00 INFO generateReport: No issues detected in the lookup service entries for ####.#### (vSphere Replication).
    2025-07-08T11:35:00 INFO generateReport: No issues detected in the lookup service entries for ##NO_HOSTNAME##.
    2025-07-08T11:35:00 ERROR generateReport: default-site\1##2.#.##.### (UNKNOWN) found SSL Trust Mismatch: Please run python ls_doctor.py --trustfix option on this node.
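
The thumbprint checks against drconfig.log and hms.log above can be scripted. The shell functions below are an added example, not part of this KB or of VMware tooling: they list each rejected client thumbprint with its count and first-seen time, and test whether a SHA-256 fingerprint you supply (for example the output of openssl x509 -noout -fingerprint -sha256 on the appliance's new certificate) is among them. The function names, SAMPLE_FP and the sample log lines are constructed, and treating the logged thumbprint as the one the appliance currently presents is an assumption.

```shell
#!/bin/sh
# Added example, not VMware code. SAMPLE_FP and the log lines in sample_log are
# constructed to mirror the two-line shape shown in drconfig.log / hms.log.
SAMPLE_FP="AA:0B:11:22:C8:33:8E:44:55:A8:66:77:8A:88:A9:99:00:3F:AB:CD:02:45:EF:B9:CB:01:23:45:67:89:B4:51"

sample_log() {
    cat <<EOF
2025-01-01 10:00:00.000 ERROR com.vmware.hms.net.impl.hbr.ConnectionHandlerImpl [t-1] | Failed to log in HBR at '192.0.2.10'
com.vmware.vim.binding.hbr.replica.fault.InvalidLogin: Invalid login; Unknown client SSL thumbprint  mismatch $SAMPLE_FP
        at java.lang.reflect.Constructor.newInstanceWithCaller(Unknown Source) ~[?:?]
2025-01-01 10:00:20.000 WARN  com.vmware.hms.net.hbr.ping [t-2] | Failed to reconnect to server 192.0.2.10:8123: (hbr.replica.fault.InvalidLogin) {
Caused by: com.vmware.vim.binding.hbr.replica.fault.InvalidLogin: Invalid login; Unknown client SSL thumbprint $SAMPLE_FP
EOF
}

# Strip an openssl-style "... Fingerprint=" prefix and uppercase the hex digits.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr 'a-f' 'A-F' | tr -d ' \r\n'
}

# Print "count<TAB>first_seen<TAB>thumbprint" for each distinct rejected thumbprint.
# The timestamp is taken from the preceding timestamped line, because the
# InvalidLogin cause is logged on its own line without one.
rejected_thumbprints() {
    awk '
        $1 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/ { ts = $1 " " $2 }
        /InvalidLogin: Invalid login; Unknown client SSL ?thumbprint/ {
            fp = toupper($NF)
            # Skip masked or truncated values that are not colon-separated hex.
            if (fp !~ /^([0-9A-F][0-9A-F]:)+[0-9A-F][0-9A-F]$/) next
            if (!(fp in n)) { first[fp] = ts; order[++k] = fp }
            n[fp]++
        }
        END { for (i = 1; i <= k; i++) printf "%d\t%s\t%s\n", n[order[i]], first[order[i]], order[i] }
    ' "$@"
}

# Exit 0 when the given certificate fingerprint is one the peer rejected.
# Usage: cert_is_rejected <fingerprint> [logfile...]   (reads stdin if no file)
cert_is_rejected() {
    want=$(normalize_fp "$1"); shift
    rejected_thumbprints "$@" | cut -f3 | grep -qxF "$want"
}

# Stand-alone run over the constructed sample.
sample_log | rejected_thumbprints
```

On the appliance, pass the real log paths instead of the sample, for example rejected_thumbprints /opt/vmware/support/logs/dr/drconfig.log.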

Resolution

  • Take an offline snapshot of the vCenter Server, if it is in linked mode, using the instructions in KB 313886.
  • From the vCenter CLI, change to the lsdoctor directory (see KB 320837) and run "python lsdoctor.py -t".
  • Enter the administrator credentials.
  • Restart all the vCenter services using the command: service-control --stop --all && service-control --start --all
  • Run "python lsdoctor.py -l" to validate that the errors are cleared.
  • Reconfigure the SRM appliance again and check whether it succeeds.