Live Recovery site pairing failed with 'No client certificate; No SSL binding info for the client'

Article ID: 424561

Updated On:

Products

VMware Live Recovery

Issue/Introduction

Symptoms:

This error is observed when the appliance uses a CA-signed certificate whose Extended Key Usage includes only Server Authentication.

Reconnect failed with “A runtime error occurred in the vSphere Replication Management Server. Exception details: ‘VR Server error: No client certificate; No SSL binding info for the client.’”

In the log /var/log/vmware/hbr/hbrsrv.log:

2026-04-09T15:08:59.934Z verbose hbrsrv[02049] [Originator@6876 sub=SessionManager opID=Rby-oeTgwgq-HMS#G] Logging by SSL certificate
2026-04-09T15:08:59.934Z warning hbrsrv[02049] [Originator@6876 sub=Main opID=Rby-oeTgwgq-HMS#G] HbrError stack:
2026-04-09T15:08:59.934Z warning hbrsrv[02049] [Originator@6876 sub=Main opID=Rby-oeTgwgq-HMS#G]    [0] No client certificate
2026-04-09T15:08:59.934Z warning hbrsrv[02049] [Originator@6876 sub=Main opID=Rby-oeTgwgq-HMS#G]    [1] No SSL binding info for the client
2026-04-09T15:08:59.934Z warning hbrsrv[02049] [Originator@6876 sub=Main opID=Rby-oeTgwgq-HMS#G]    [2] Error converted to Vmomi fault hbr.replica.fault.NoClientCertificate
2026-04-09T15:09:06.974Z verbose hbrsrv[01991] [Originator@6876 sub=SessionManager] hbr.replica.ReplicationManager.setPrimaryHosts: not authorized

Environment

VMware Live Recovery 9.0.x

Cause

The error hbr.replica.fault.NoClientCertificate occurs because the vSphere Replication Management Service (HMS) uses the appliance certificate to authenticate with the HBR server. If the CA-signed certificate was issued without Client Authentication (1.3.6.1.5.5.7.3.2) in the Extended Key Usage (EKU), the HBR server rejects the connection as unauthorized.

Resolution

To resolve the issue, generate the CSR and ensure that the CA includes both ServerAuth and ClientAuth in the Extended Key Usage when it signs the certificate.

Additional Information

Verification of Extended Key Usage (EKU)

If vSphere Replication pairing fails after applying CA-signed certificates, verify that the required EKU fields are present using one of the following methods.

Method 1: Browser-Based Verification (Chrome/Edge)

  1. Navigate to the Appliance: Open your browser to https://<VLR-IP-or-FQDN>.
  2. Access Security Details:
    • Click the Padlock icon (or settings icon) in the address bar.
    • Select Connection is secure > Certificate is valid.
  3. Open Advanced Details: In the Certificate Viewer window, click the Details tab.
  4. Locate Extended Key Usage:
    • Scroll the field list to find Enhanced Key Usage (or Extended Key Usage).
    • Select the field to view its values in the summary box.
  5. Confirm Required OIDs: Ensure both of the following are listed:
    • Server Authentication (1.3.6.1.5.5.7.3.1)
    • Client Authentication (1.3.6.1.5.5.7.3.2)

Important: If Client Authentication is missing, the certificate must be re-issued with both usages to resolve the hbr.replica.fault.NoClientCertificate error.

Method 2: Command Line Interface (CLI) Verification

To verify the certificate's EKU directly on the appliance or a Linux workstation:

Command:

 
openssl x509 -in /path/to/cert.pem -text -noout | grep -A 1 "Extended Key Usage"

Expected Output: The output must contain both of the following authentication types:

    • TLS Web Server Authentication
    • TLS Web Client Authentication
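
The Method 2 check as a script, added here as an example (not part of the original article): check_eku reports which of the two required usages is missing from a PEM certificate. The function names, the sample subject name and make_sample_cert (a helper that builds throwaway self-signed certificates to try the check on) are assumptions of this example; make_sample_cert needs OpenSSL 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example, not from the KB article: report which of the two EKUs the
# article requires are missing from a PEM certificate.

# check_eku CERT -> prints a verdict; returns 0 if both EKUs are present,
# 1 if either is missing, 2 if the file cannot be parsed as a certificate.
check_eku() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "$1: not a readable PEM certificate"
        return 2
    }
    # The line after the "Extended Key Usage" header holds the usage names
    # (the same line the article's grep -A 1 command displays).
    eku=$(printf '%s\n' "$text" | sed -n '/Extended Key Usage/{n;p;}')
    missing=""
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) missing="serverAuth" ;;
    esac
    case "$eku" in
        *"TLS Web Client Authentication"*) ;;
        *) missing="${missing:+$missing,}clientAuth" ;;
    esac
    if [ -n "$missing" ]; then
        echo "$1: MISSING $missing"
        return 1
    fi
    echo "$1: OK (serverAuth and clientAuth present)"
}

# make_sample_cert OUT EKU_LIST -> writes a throwaway self-signed certificate
# to OUT (constructed test input only; the subject name is a placeholder).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vlr.example.test" -keyout "$1.key" -out "$1" \
        -addext "extendedKeyUsage=$2" 2>/dev/null
}

# Usage: sh check_eku.sh cert1.pem [cert2.pem ...]
for c in "$@"; do
    check_eku "$c" || :
done
```

A certificate with no Extended Key Usage extension at all is reported as missing both usages.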