Protection Groups and Recovery Plan tabs missing in vSphere Client for VMware Live Recovery

Article ID: 431199

Products

VMware Live Recovery

Issue/Introduction

After installing or deploying VMware Live Recovery, the Protection Groups and Recovery Plan tabs do not appear in the vSphere Client interface. Repeated installations of the product do not resolve the issue.

When checking the vSphere Client GUI, the following error is displayed:

"Error downloading plug-in. Make sure that the URL is reachable and the registered thumbprint is correct. No issuer certificate for certificate in certification path found."

Additionally, the vsphere_client_virgo.log file on the vCenter Server contains errors indicating a plugin download failure and a TLS handshake alert:
[2026-02-26T15:26:38.700-06:00] [ERROR] sdk-plugin-deployer-40566 com.vmware.vise.plugin.extension.VcExtensionManager
Downloading plugin package: 'com.vmware.drui.plugin:9.0.5.0' registered in vCenter: 'vcenter.local (05fbfdde-5a08-4837-971e-###########) has failed.
java.util.concurrent.CompletionException: com.vmware.vise.plugin.download.PluginDownloadException: org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
        at java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:273)
.....
Caused by: com.vmware.vise.plugin.download.PluginDownloadException: org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
.....
Caused by: java.security.cert.CertificateException: Unable to construct a valid chain
Caused by: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
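
To find this signature in a longer vsphere_client_virgo.log, the added example below (not part of the original article or any VMware tooling) groups each stack trace under its log header and reports the plug-in key, the TLS alert, and the innermost "Caused by" line. The function names, the sample text, and the header layout (inferred from the single header line in the excerpt above) are assumptions.

```python
import re

# Extension keys the article unregisters in Step 2.
LIVE_RECOVERY_EXTENSIONS = {"com.vmware.vcDr", "com.vmware.vcHms", "com.vmware.drui.plugin"}

# Constructed sample modelled on the excerpt above; the vCenter ID is a placeholder
# and the trailing INFO entry is invented to show that unrelated entries are skipped.
SAMPLE_LOG = """\
[2026-02-26T15:26:38.700-06:00] [ERROR] sdk-plugin-deployer-40566 com.vmware.vise.plugin.extension.VcExtensionManager
Downloading plugin package: 'com.vmware.drui.plugin:9.0.5.0' registered in vCenter: 'vcenter.local (00000000-0000-0000-0000-000000000000) has failed.
java.util.concurrent.CompletionException: com.vmware.vise.plugin.download.PluginDownloadException: org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
        at java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:273)
Caused by: java.security.cert.CertificateException: Unable to construct a valid chain
Caused by: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
[2026-02-26T15:26:40.100-06:00] [INFO ] example-thread-1 com.example.Unrelated Session created
"""

HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[A-Z]+)\s*\] \S+ (?P<logger>\S+)")
PLUGIN = re.compile(r"Downloading plugin package: '(?P<key>[^':]+):(?P<version>[^']+)'.* has failed")
ALERT = re.compile(r"TlsFatalAlert: (?P<name>\w+)\((?P<code>\d+)\)")
CAUSE = re.compile(r"^Caused by: (?P<exc>[\w.$]+): (?P<msg>.*)$")

def split_entries(text):
    """Attach continuation lines (message body, stack trace) to their header line."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "body": []})
        elif entries:
            entries[-1]["body"].append(line)
    return entries

def plugin_tls_failures(text):
    """Return one finding per ERROR entry where a plug-in download died on a TLS alert."""
    findings = []
    for entry in split_entries(text):
        body = "\n".join(entry["body"])
        plugin, alert = PLUGIN.search(body), ALERT.search(body)
        if entry["level"] != "ERROR" or not (plugin and alert):
            continue
        causes = [m.groupdict() for m in map(CAUSE.match, entry["body"]) if m]
        root = causes[-1] if causes else {"exc": "", "msg": ""}
        findings.append({
            "timestamp": entry["ts"], "plugin": plugin["key"], "version": plugin["version"],
            "alert": alert["name"], "alert_code": int(alert["code"]),
            "root_exception": root["exc"].rsplit(".", 1)[-1], "root_message": root["msg"],
            "chain_build_failure": root["exc"].endswith("CertPathBuilderException"),
            "live_recovery_extension": plugin["key"] in LIVE_RECOVERY_EXTENSIONS,
        })
    return findings
```

Calling plugin_tls_failures() on the log text again after the resolution steps should return no new findings for the Live Recovery extension keys.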

Environment

VMware Live Recovery 9.0.5

Cause

This issue occurs because the vSphere Client is unable to download the VMware Live Recovery UI plugin due to an SSL certificate validation failure. There are two primary contributing factors:

  1. Invalid Certificates: The certificates on the VMware Live Recovery appliances were generated using the hostname (shortname) instead of the Fully Qualified Domain Name (FQDN), leading to a certificate chain of trust error (certificate_unknown(46)).

  2. Stale Extension Registrations: Legacy or stale plugin extension data is lingering in the vCenter Server's Managed Object Browser (MOB), preventing a clean plugin download.

Resolution

To resolve this issue, you must update the appliance certificates, clear the stale vCenter registrations, and reconfigure the appliances on both sites.

Step 1: Replace Certificates

Update the certificates on the VMware Live Recovery appliances for both the protected and recovery sites. Ensure the new certificates are generated using the FQDN rather than the shortname.

Step 2: Remove Stale Registrations from the vCenter MOB

Perform these steps on the vCenter Servers at both sites:

  1. Navigate to the vCenter MOB via a web browser: https://<vcenter_fqdn>/mob

  2. Log in with an administrator account (e.g., [email protected]).

  3. Click through the following path: Content > ExtensionManager.

  4. Use the UnregisterExtension method to remove the following extensions:

    • com.vmware.vcDr

    • com.vmware.vcHms

    • com.vmware.drui.plugin

Step 3: Reconfigure VMware Live Recovery

  1. Access the VMware Live Recovery Appliance Management interface on both sites.

  2. Run through the configuration wizard again.

  3. This will push a fresh registration to vCenter with the correct FQDNs and valid certificate thumbprints.

  4. Log out and log back into the vSphere Client. The Protection Groups and Recovery Plan tabs should now be visible.

Additional Information

After completing the resolution steps, it may be necessary to restart the vSphere UI service (service-control --restart vsphere-ui) or clear your web browser's cache if the tabs still do not immediately appear.