VRMS Reconfiguration Fails with "Failed to register VRMS" error after vCenter Certificate Change

Article ID: 433841

Products

VMware Live Recovery

Issue/Introduction

Symptoms: 

  •  The vSphere Replication server fails to reconfigure after certificate renewal. The "Failed to register VRMS" error appears while reconfiguring the vSphere Replication server.



    Note: To reconfigure SRM, follow these steps:

    Log in to the VAMI page of SRM -> https://<SRM-IP>:5480 -> Summary -> Reconfigure

Environment

VMware Live Site Recovery 9.x

Cause

The vSphere Replication server and the vCenter Server establish a trusted connection using SSL certificates. If the vCenter certificate is replaced (e.g., with a custom CA-signed certificate or through VMCA regeneration), or the vSphere Replication server certificates are replaced, VRMS will no longer trust vCenter unless the new certificate is explicitly trusted.

  • In /opt/vmware/support/logs/dr/drconfig.log, the events show "The SSL certificate of STS service cannot be verified against the client-trusted thumbprint".

    service:E4E5BFF7###########9ABF####A436####### Client-Trust:##:18:##:##:##:###:##:##:##:FF:##:##:48:##:##:##:##:##:##:##:02:##:##:##:##:F9:##:##:##:##:##:##
    --> com.vmware.vim.sso.client.impl.ssl.UntrustedsslCertificateException: The SSL certificate of STS service cannot be verified against the client-trusted thumbprint. STS-Service:#####E43###6E
    #######3661947AFC###### Client-Trust : ##:18:##:OD:##:###:##:B8:2F:FF:09:##:48:##:F8:##:##:83:36:##:02:###:##:AG:##:F9:##:20:48:##:B8:##: ## :##:A6:##:36:##:02:58:##: ##: C9:##:##:##:###: ##: ##:##
    at com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager.validateServerIdentityWithThumbprint(StsSslTrustManager.java:220)
    at com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager.checkServerTrusted(StsSslTrustManager.java:123)
    at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)

  • An SSL Trust Mismatch error is found on the vCenter Server, so vSphere Replication reconfiguration fails because it cannot trust the vCenter Server. The report below was generated by running the lsdoctor script.

    root@esxi01 [ /tmp/lsdoctor-250331 ]# python lsdoctor.py -l
    ATTENTION: You are running a reporting function. This doesn't make any changes to your environment.
    You can find the report and logs here: /var/log/vmware/lsdoctor
    202#-04-##T13:54:54 INFO main: You are reporting on problems found across the sso domain in the lookup service. This doesn't make changes.
    202#-04-##T13:54:54 INFO live_checkCerts: Checking services for trust mismatches ...
    202#-04-##T13:54:54 INFO generateReport: Listing lookup service problems found in SSO domain
    202#-04-##T13:54:54 ERROR generateReport: default-first-site\#######1. ##x. i##c.m##.###s. ##.my (VC 7.0 or CGW) found SSL Trust Mismatch: Please run python ls_doctor.py -- trustfix option on t
    202#-04-##T13:54:54 INFO generateReport: No issues detected in the lookup service entries for 1#.###.###.#6 (vSphere Replication).
    202#-04-##T13:54:54 INFO generateReport: Report generated:

Resolution

Perform the following steps:

  1. Pre-requisite: Capture a snapshot of the vCenter Server before applying any lsdoctor fixes.

    • vCenter in Linked Mode: Perform an offline snapshot for all vCenter instances.

    • Standalone vCenter: A standard online snapshot is sufficient.

    Refer to KB 313886.

  2.  From the vCenter command line, change to the lsdoctor directory and run "python lsdoctor.py -t".

    Note: Running "python lsdoctor.py -t" restores the trust relationship between vCenter and vSphere Replication/SRM.

  3.  The script prompts to "Enter administrator credentials" for the vCenter Server.

  4.  After step 3 completes, restart all the vCenter services using the command service-control --stop --all && service-control --start --all.

  5.  Run python lsdoctor.py -l to validate that the errors are cleared.

  6.  Reconfigure the VRMS appliance again to complete the reconfiguration.
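
A check for step 5, as an added example (not part of the original article or of lsdoctor): it parses saved "python lsdoctor.py -l" output, lists the nodes that still report a problem such as SSL Trust Mismatch, and treats an incomplete report or an unrecognized ERROR line as not ready. The function names and the sample lines are assumptions modeled on the report excerpt above.

```python
import re

# Constructed samples in the format of the `lsdoctor.py -l` output shown in
# this article; host names, address and timestamps are made up.
HEAD = "2025-01-01T10:00:00 INFO generateReport: "
NO_ISSUES = "No issues detected in the lookup service entries for "
BEFORE = "\n".join([
    HEAD + "Listing lookup service problems found in SSO domain",
    r"2025-01-01T10:00:00 ERROR generateReport: default-first-site\vc01.example.test"
    " (VC 7.0 or CGW) found SSL Trust Mismatch: Please run python ls_doctor.py --trustfix",
    HEAD + NO_ISSUES + "192.0.2.16 (vSphere Replication).",
    HEAD + "Report generated:",
])
AFTER = "\n".join([
    HEAD + "Listing lookup service problems found in SSO domain",
    HEAD + NO_ISSUES + "vc01.example.test (VC 7.0 or CGW).",
    HEAD + NO_ISSUES + "192.0.2.16 (vSphere Replication).",
    HEAD + "Report generated:",
])

PROBLEM_RE = re.compile(
    r"ERROR generateReport: (?P<site>[^\\\s]+)\\(?P<node>\S+) "
    r"\((?P<kind>[^)]*)\) found (?P<problem>[^:]+):")
CLEAN_RE = re.compile(
    r"INFO generateReport: " + re.escape(NO_ISSUES) + r"(?P<node>\S+) \((?P<kind>[^)]*)\)")
DONE_RE = re.compile(r"INFO generateReport: Report generated")


def parse_report(text):
    """Split a report into problem nodes, clean nodes and a completion flag."""
    problems, clean, complete = [], [], False
    for line in text.splitlines():
        if m := PROBLEM_RE.search(line):
            problems.append((m["node"], m["kind"], m["problem"].strip()))
        elif " ERROR " in line:
            # Unknown error format: keep the raw line so the check fails closed.
            problems.append((None, None, line.strip()))
        elif m := CLEAN_RE.search(line):
            clean.append(m["node"])
        elif DONE_RE.search(line):
            complete = True
    return {"problems": problems, "clean": clean, "complete": complete}


def ready_to_reconfigure(text):
    """True only if the report finished and no node reported a problem."""
    report = parse_report(text)
    return report["complete"] and not report["problems"]
```

Save the step 5 output to a file and pass its contents to ready_to_reconfigure() before moving on to step 6.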

 

Additional Information

To run the lsdoctor script for trust fix issues, use article 320837.

Following that article, run the lscheck option (-l) first to perform a health check on the vCenter Server:

  1. Run “python lsdoctor.py -l”
  2. Provide the password for your SSO administrator account
  3. Review output for issues found

Once the report output is available, run the fixer that matches the reported error, using the same article.