When performing an Enhanced Replication Mapping test, the operation fails with the following error:
"Fault occurred while performing health check. Details: 'FindServer: Failed Thumbprint and certificate is not allowed to send replication. thumbprint: 86:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
Expanding the test details reveals that the failure is isolated to connections originating from one specific ESXi host; all other host connections remain functional.
This issue is typically observed after certificates have been recently replaced or renewed on the affected ESXi host.
To confirm if a certificate has been renewed, navigate to: Host > Configure > System > Certificate
vSphere Replication 9.x
Although the ESXi host certificate and the hbrsrv database on the vSphere Replication appliances were successfully updated with the new thumbprint following a certificate renewal, the ESXi hbr-agent process continued to use the old thumbprint for replication traffic.
This created a thumbprint mismatch between the active agent and the host configuration, resulting in the error, "Thumbprint and certificate is not allowed to send replication data."
To confirm this mismatch, review the /var/run/log/hbr-agent.log located on the affected ESXi host. The log entries will show the host attempting to transmit replication data using the old thumbprint rather than the newly updated one.
2025-12-14T13:08:26.784Z In(166) hbr-agent-bin[168252848]: [0x000000404fe21700] error: [Proxy [Group: PING-GID-e4cc67bc-xxxx-xxxx-xxxx-xxxxxxxxxxxx] -> [172.#.#.#: 32032]] [16b65f97-xxxx-xxxx-xxxx-xxxxxxxxxxxx] The find server request failed: (1) Failed
2025-12-14T13:08:26.784Z In(166) hbr-agent-bin[168252848]: [0x000000404fe21700] error: [Proxy [Group: PING-GID-e4cc67bc-xxxx-xxxx-xxxx-xxxxxxxxxxxx] -> [172.#.#.#: 32032]] [16b65f97-xxxx-xxxx-xxxx-xxxxxxxxxxxx] Failed find server request additional error info: Thumbprint and certificate is not allowed to send replication data
2025-12-14T13:08:26.784Z In(166) [+] hbr-agent-bin[168252848]: thumbprint: 86:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
To confirm that the hbr-agent is using a stale thumbprint compared to the actual host certificate, run the command below on the affected ESXi host and retrieve the new thumbprint:
openssl s_client -connect <Host FQDN/IP Address>:443 | openssl x509 -noout -fingerprint -sha256
depth=1 CN = CA, DC = vsphere, DC = local, C = US, O = XXXXX
verify return:1
depth=0 C = US, ST = California, L = Palo Alto, O = VMware, OU = VMware Engineering, CN = XXXXXXXXXXXXXX, emailAddress = xxxxxxx
verify return:1
sha256 Fingerprint=82:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
To confirm that the vSphere Replication Appliance has successfully registered the new certificate, compare the database records with the host's actual certificate. Run the commands below on the VR appliance to view the entries in the hbrsrv database.
cd /etc/vmware
sqlite3 hbrsrv.#.db -----> Open the latest .db file
select * from HostInfo;
Sample output:
host-32###||10.#.#.#, fxxx::xxxx:xxxx:xxxx:xxxx|-| 82:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:## | 0
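The three comparisons above (thumbprint logged by hbr-agent, fingerprint of the host's current certificate, thumbprint in the HostInfo row) can be combined into one check. This is an added example, not part of the original article or any VMware tooling; the function names and all sample values are constructed, and it assumes the three inputs were collected separately from the ESXi host and the VR appliance.

```shell
#!/bin/sh
# Added example. All sample values below are constructed placeholders.
A8="1A:1A:1A:1A:1A:1A:1A:1A"; B8="2B:2B:2B:2B:2B:2B:2B:2B"   # 8 bytes each
OLD_FP="86:1A:1A:1A:1A:1A:1A:1A:$A8:$A8:$A8"   # 32 bytes: pre-renewal thumbprint
NEW_FP="82:2B:2B:2B:2B:2B:2B:2B:$B8:$B8:$B8"   # 32 bytes: current certificate
SAMPLE_LOG="2025-12-14T13:08:26.784Z In(166) [+] hbr-agent-bin[1001]: thumbprint: $OLD_FP"
SAMPLE_OPENSSL="sha256 Fingerprint=$NEW_FP"
SAMPLE_DBROW="host-1001||192.0.2.10|-| $NEW_FP | 0"

# Print the last SHA-256 fingerprint (32 colon-separated hex bytes) found on
# stdin, upper-cased. Timestamps and IP addresses are too short to match.
last_fp() {
    sed -n 's/.*\(\([0-9A-Fa-f]\{2\}:\)\{31\}[0-9A-Fa-f]\{2\}\).*/\1/p' |
        tail -n 1 | tr 'abcdef' 'ABCDEF'
}

# $1 = hbr-agent.log text from the affected ESXi host
# $2 = output of the openssl fingerprint command for that host
# $3 = that host's HostInfo row from the hbrsrv database (one row only)
# Returns 0 = all agree, 1 = agent stale, 2 = input unusable, 3 = DB differs.
check_thumbprints() {
    agent=$(printf '%s\n' "$1" | last_fp)
    cert=$(printf '%s\n' "$2" | last_fp)
    db=$(printf '%s\n' "$3" | last_fp)
    if [ -z "$agent" ] || [ -z "$cert" ] || [ -z "$db" ]; then
        echo "UNKNOWN: no fingerprint found in one of the inputs"; return 2
    fi
    if [ "$cert" != "$db" ]; then
        echo "DB_MISMATCH: HostInfo holds $db, host presents $cert"; return 3
    fi
    if [ "$agent" != "$cert" ]; then
        echo "STALE_AGENT: hbr-agent sends $agent, host presents $cert"; return 1
    fi
    echo "OK"; return 0
}

# Demo on the constructed samples: reports the stale-agent case described above.
check_thumbprints "$SAMPLE_LOG" "$SAMPLE_OPENSSL" "$SAMPLE_DBROW" || true
```

STALE_AGENT corresponds to the condition this article describes: the certificate and the database agree, and only the running agent lags behind.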
To resolve the thumbprint mismatch, restart the hbr-agent and hbrsrv services on the affected ESXi host using the below steps:
Log in to the vSphere Client and select the target ESXi host.
Navigate to Configure > System > Services.
Locate and restart the following services:
Select hbrsrv and click Restart.
Select hbr-agent and click Restart.
Ensure the status for both services returns to Running.
Navigate back to your replication mappings and re-run the enhanced replication tests.