vSphere Replication Server and VMware Live Recovery (SRM) sites are disconnected after a vCenter certificate change

Article ID: 404932

Products

VMware Live Recovery

Issue/Introduction

Symptoms: 

The local vSphere Replication Server and VMware Live Recovery display as 'Not Connected,' while the target SRM site shows the status as 'Unknown'.

Error: 'Unable to connect to Lookup Service at https://vcentername:443/lookupservice/sdk. Reason: javax.net.ssl.SSLException: Certificate thumbprint mismatch'

Environment

VMware vSphere Replication 9.X

VMware Live Recovery 9.X 

Cause

The vSphere Replication Server and VMware Live Recovery maintain a database table that stores the vCenter certificate thumbprint.

If the SSL certificates on the vCenter machine are changed, the site status shows as 'Not Connected' or 'Unknown' because vCenter will no longer issue a valid STS token to the services due to the thumbprint mismatch.

Cause Validation 

Review dr.log on the vSphere Replication appliance and check for the thumbprint mismatch error.

Log path: /opt/vmware/support/logs/dr-client/dr.log

Info - Peer HMS site info error!
com.vmware.srm.client.topology.client.view.availability.PairSetup$PairSetupException: Unable to connect to Lookup Service at https://###.##.com:443/lookupservice/sdk. Reason: javax.net.ssl.SSLException: Certificate thumbprint mismatch.
        at com.vmware.srm.client.topology.impl.view.availability.PairSetupImpl.lambda$complete$3(PairSetupImpl.java:136)
        at com.vmware.dr.ui.tools.reactive.impl.PromiseImpl$ErrorCompletion.complete(PromiseImpl.java:172)
        at com.vmware.dr.ui.tools.reactive.impl.PromiseImpl$Completion.lambda$setResult$1(PromiseImpl.java:63)
        at com.vmware.dr.ui.tools.utilities.AsyncConsumer$Worker.run(AsyncConsumer.java:38)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.base/java.lang.Thread.run(Unknown Source)
Caused by: com.vmware.vim.vmomi.client.exception.SslException: Unable to connect to Lookup Service at https://######:443/lookupservice/sdk. Reason: javax.net.ssl.SSLException: Certificate thumbprint mismatch.
        
 

Resolution

To validate the certificate thumbprint, run the following command on the vCenter Server to retrieve the current certificate thumbprint, then compare it with the one shown on the VAMI page of the vSphere Replication Server and VMware Live Recovery:

echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -fingerprint -sha256

The thumbprints are expected to differ if the vCenter SSL certificate was recently changed.
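
The comparison above and the dr.log check under Cause Validation, as an added shell example (not VMware code). Function names and sample values are constructed, and it assumes the stored thumbprint may differ from the openssl output only in case and colon separators.

```shell
#!/usr/bin/env bash
# Added example, not VMware code. Function names and sample values are constructed.

# Reduce a SHA-256 thumbprint to 64 upper-case hex digits. Accepts the
# "sha256 Fingerprint=AA:BB:..." line printed by openssl or a bare pasted value.
normalize_thumbprint() {
    local v
    v=${1##*=}                                      # drop any "... Fingerprint=" prefix
    v=$(printf '%s' "$v" | tr -d ': \t\r\n' | tr 'a-f' 'A-F')
    case $v in ''|*[!0-9A-F]*) return 1 ;; esac     # reject non-hex input
    [ "${#v}" -eq 64 ] || return 1                  # SHA-256 is 32 bytes
    printf '%s\n' "$v"
}

# Prints MATCH or MISMATCH. Returns 0 on match, 1 on mismatch, 2 on unparsable input.
compare_thumbprints() {
    local live stored
    live=$(normalize_thumbprint "$1") || return 2
    stored=$(normalize_thumbprint "$2") || return 2
    if [ "$live" = "$stored" ]; then echo MATCH; return 0; fi
    echo MISMATCH; return 1
}

# List the distinct Lookup Service URLs that a dr.log file reports a mismatch for.
mismatch_endpoints() {
    grep 'Certificate thumbprint mismatch' "$1" |
        grep -o 'https://[^ ]*/lookupservice/sdk' | sort -u
}

# Constructed sample values (not taken from a real system).
SAMPLE_LIVE='sha256 Fingerprint=11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00'
SAMPLE_SAME='112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00'
SAMPLE_STALE='ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100'

compare_thumbprints "$SAMPLE_LIVE" "$SAMPLE_SAME"  || true   # prints MATCH
compare_thumbprints "$SAMPLE_LIVE" "$SAMPLE_STALE" || true   # prints MISMATCH
```

On a live system the first argument would be the output of the openssl command above and the second the thumbprint shown in VAMI.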

To resolve this, reconfigure the vSphere Replication Server (see Reconfigure General vSphere Replication Settings) and VMware Live Recovery from their respective VAMI interfaces. This action will update the stored certificate thumbprint in their internal databases.

Once the reconfiguration is complete, reconnect the sites to accept the updated vCenter certificate thumbprint. This will restore the connection status of vSphere Replication Server and SRM to "Connected."