Error: SRM and vSphere Replication disconnected from vCenter after SSL certificate change - VMware Live Recovery
Article ID: 412383
Updated On:
Products
Issue/Introduction
The following errors occur after replacing or rotating the vCenter Server Machine SSL certificate:
- In the vCenter UI:
com.vmware.vim.vmomi.core.exception.CertificateValidationException. Server certificate chain is not trusted and thumbprint verification is not configured. - Error string in Site Recovery UI:
The remote host certificate has these problems: * unable to get local issuer certificates - When establishing site pairs:
Unable to retrieve pairs from extension server at https://####:8043. Unable to login to 'HBR Management Server at https://####:8043' - Logs in
/opt/vmware/support/logs/dr-client/dr.log:javax.net.ssl.SSLException: Certificate thumbprint mismatch.
- In the vCenter UI:
- The below error will be seen in the Site Recovery UI:
- In the Site Recovery UI, the following error is displayed when attempting to establish a site pair:
"Unable to retrieve pairs from extension server at https://hostname:8043. Unable to login to 'HBR Management Server at https://hostname:8043'"
- For VMware Live Recovery Appliance 9.0.3 and above below error is reflected in vCenter UI
a
Environment
- VMware Live Site Recovery 9.x
- VMware Site Recovery Manager 8.x
- vSphere Replication 8.x / 9.x
Cause
- This issue occurs when the Machine SSL certificate is replaced or rotated on the vCenter Server. SRM and vSphere Replication maintain local trust stores with specific vCenter certificate thumbprints. When the vCenter certificate changes, the stored thumbprints become stale, causing SSL handshake failures during mutual authentication
(from /opt/vmware/support/logs/dr-client/dr.log) in vSphere Replication appliance (or from Vmware Live Site Recovery):
2026-04-21 09:48:56, 622 [srm-reactive-thread-24966] WARN com. vmware.srm.client. infrastructure.http. BaseAsyncController aa88f6ec-9128-4cb1-a703-a35c876ee9 - Request for path 'webssologin' failed.com.vmware.srm.client.topology.impl.vmomi.TokenProvider$AuthenticationTokenNotAvailable: No authentication token available for SSO Server at 'https://<vcenter-FQDN>/sts/STSService/vsphere.localat com. vmware. srm. client. topology. impl.core.mxn. nodes. TokenProvider Impl. lambda$getToken$1 (TokenProviderImpl. java:56)at com. vmware. dr.ui. tools. reactive. impl. Promise Impl$ApplyCompletion. complete (PromiseImpl. java: 239)at com. vmware.dr.ui. tools. reactive. impl. PromiseImpl$Result. complete (PromiseImpl. java: 41)Suppressed: com. vmware. vim. vmomi. client. exception. SslException: Unable to connect to SSO Management Server at https://<vcenter-FQDN>/o-adminserver/sdk/vsphere. local. Reason: javax.net.ssl. SSLException: Certificate thumbprint mismatch.at com. vmware. vim. vmomi. client. common. impl. ResponseImpl. setError (ResponseImpl. java: 265)Caused by: javax.net.ssl. SSLException: Certificate thumbprint mismatch.at com. vmware. srm.client.topology. impl. vmomi. ssl. DynamicVerifier. onSuccess (DynamicVerifier. java: 80)at com. vmware. vim. vmomi. client.http. impl. HttpConfigurationCompilerBase$1.onSuccess (HttpConfigurationCompilerBase. java: 224)
Resolution
Follow these steps to reconfigure the appliances and restore the trust relationship:
- Reconfigure vSphere Replication:
- Log in to the vSphere Replication VAMI (
https://<VR-Appliance-IP>:5480). - Complete the reconfiguration wizard to accept the new vCenter thumbprints: .
- Log in to the vSphere Replication VAMI (
- Reconfigure Site Recovery Manager:
- Log in to the SRM VAMI (
https://<SRM-Appliance-IP>:5480). - Navigate to Summary and select Reconfigure: .
- Log in to the SRM VAMI (
- Reconnect Site Pair:
- Access the vSphere Client and navigate to Site Recovery > Site Pairs.
- Select the affected pair and click Reconnect to synchronize the new certificates across sites: .
To speak with a customer representative or a Support Engineer, see . Scroll to the bottom of the page and click on your respective region.
Additional Information
Feedback
