VMs in Non-Active state after new deployment or upgrade/converge to version vLR 9.0.4

Article ID: 408686

Products

VMware Live Recovery

Issue/Introduction

Symptoms:

  • New deployments of VLSR are unable to use vSphere Replication to replicate VMs after upgrading/converging from an earlier version to vLR 9.0.4
  • ESXi hosts have CA-signed certificates that include a certificate chain
  • Error seen on the DR UI for the replication status:

No connection to VR Server for virtual machine [VM] on host [Host] in cluster [Cluster] in Production: Unknown

Environment

  • vSphere Live Recovery 9.0.4
  • ESXi hosts 8.0u3 and above, utilizing CA-signed certificates with a chain

Cause

  • ESXi uses a certificate chain. When the primary hosts are trusted, the whole certificate chain is added to the hbr db.
  • However, when a target host is being selected, only the leaf certificate is sent for matching. Because the certificates do not match, the hbrsrv broker service does not trust the primary host.
  • The VLSR appliance stores the full ESXi certificate chain but only verifies against the leaf certificate during replication, which causes a trust mismatch and connection failure.
  • Error seen in /var/log/vmwarehbrsrv.log on the target vLR appliance:

2025-08-04T19:18:54.404Z error hbrsrv[1527800] [Originator@6876 sub=Main groupID=PING-GID-3d5a6b01-9151-4877-8fc9-c046ca17fb16 opID=hsl-0]    [0] Thumbprint and certificate is not allowed to send replication data

  • This is a known issue affecting vSphere Replication 9.0.4
  • The vLR appliance is also affected if it has a certificate with a chain
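
The mismatch described in the Cause bullets can be reproduced in a few lines. The following is an added illustration, not VMware or hbrsrv code: `whole_entry_match` is a simplified model of the described 9.0.4 behaviour, all function names are hypothetical, the sample "certificates" are constructed placeholder bytes, and the leaf is assumed to be the first certificate in the bundle. `has_chain` can be pointed at a host certificate file to see whether it carries a chain.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_pem(bundle):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(bundle)]

def thumbprint(der):
    """Colon-separated SHA-256 thumbprint of one DER certificate."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def has_chain(bundle):
    """True when the certificate file carries more than the leaf."""
    return len(split_pem(bundle)) > 1

def whole_entry_match(stored_bundle, presented_leaf_der):
    """Simplified model of the behaviour described above: the stored entry
    (the full chain) is compared as one unit with the presented leaf."""
    return b"".join(split_pem(stored_bundle)) == presented_leaf_der

def leaf_match(stored_bundle, presented_leaf_der):
    """Compare only the first (leaf) certificate of the stored entry.
    Assumption: the leaf is the first certificate in the bundle."""
    stored = split_pem(stored_bundle)
    return bool(stored) and thumbprint(stored[0]) == thumbprint(presented_leaf_der)

def _pem(der):
    """Wrap raw bytes in PEM armour for the constructed samples below."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed placeholder bytes, not real X.509 certificates.
LEAF, INTERMEDIATE, ROOT = b"leaf-der", b"intermediate-der", b"root-der"
CHAIN_BUNDLE = _pem(LEAF) + _pem(INTERMEDIATE) + _pem(ROOT)
LEAF_ONLY_BUNDLE = _pem(LEAF)

if __name__ == "__main__":
    for name, bundle in (("chain", CHAIN_BUNDLE), ("leaf only", LEAF_ONLY_BUNDLE)):
        print(name, "has_chain:", has_chain(bundle),
              "whole-entry:", whole_entry_match(bundle, LEAF),
              "leaf-only:", leaf_match(bundle, LEAF))
```

A host whose certificate file holds only the leaf passes both comparisons, which is consistent with the issue appearing only on hosts whose certificates carry a chain.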

Resolution

  • This issue is fixed in vLR 9.0.5
  • The upgrade to 9.0.5 can be performed immediately after the failures that follow the upgrade to 9.0.4

Additional Information

vLR in-place upgrade from 9.0.4.x to 9.0.5 hangs