Error: "x509: certificate signed by unknown authority." noticed when adding the array pair in SRM.

Article ID: 435770


Products

VMware Live Recovery

Issue/Introduction

Symptoms:

  • In VMware Site Recovery Manager (SRM) with a Storage Replication Adapter (SRA), the Add Array Pair wizard fails with the following error when you attempt to configure storage replication:

    2026-03-25 16:31:14,524 [srm-reactive-thread-138146] WARN  com.vmware.dr.client.shared.taskMonitor.WsTaskProgressHandler  #########-####-####-####-############  - Task finished with error!
    (dr.storage.fault.CommandFailed) {
       faultCause = (dr.storage.fault.SimpleAdapterFault) {
          faultCause = null,
          faultMessage = null,
          description = Connection to storage system "Replication_Appliance_FQDN" failed. Error : x509: certificate signed by unknown authority.,
          fixHint = Make sure you have entered correct storage system details, port & storage system type and system is up and running. Please make sure valid certificate is available in the system.
       },
       faultMessage = null,
       commandName = discoverDevices
    }

  • This error persists even after applying a valid, CA-signed certificate to the storage array and successfully importing the corresponding Root CA into the SRM Appliance Management Interface (VAMI) trust store.

Environment

VMware Live Recovery 9.x

Cause

The Storage Replication Adapter (SRA) Docker container retains a stale storage array certificate within its isolated filesystem cache (/srm/sra/certs/).

This cached certificate prevents the SRA from fetching the updated array certificate and validating it against the appliance OS trust store during the TLS handshake.

Resolution


  1. Log in to the Site Recovery Manager (SRM) appliance as root via SSH.

  2. Identify the active SRA Docker container ID(s) by executing the following command:

    docker ps | grep -i sra
    
  3. Access the interactive shell of the identified SRA container:

    docker exec -it <CONTAINER_ID> /bin/sh
    
  4. Navigate to the SRA certificate cache directory:

    cd /srm/sra/certs
    
  5. Contact the storage system vendor to verify the currently cached certificate and identify any outdated certificate files. Once confirmed, delete the stale cached certificate files:

    rm *.pem
    
  6. Exit the container shell:

    exit
    
  7. Restart the SRM server service to force a fresh certificate retrieval during the next discovery attempt:

    systemctl restart srm-server
    
  8. Repeat steps 1 through 7 on the paired Site Recovery Manager appliance at the remote site.

  9. Log in to the vSphere Client, navigate to Site Recovery, and execute the Add Array Pair wizard.
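To support the verification in step 5, the following read-only check (an added example, not part of the original article or of any vendor tooling) compares copies of the cached files with the certificate the array presents now, by SHA-256 fingerprint. It assumes `openssl` is available where it runs, that the cached `.pem` files hold the array's leaf certificate, and that the port and local paths in the usage comment are placeholders you supply.

```shell
#!/bin/sh
# Added example: report which cached SRA certificates differ from the
# certificate the storage system serves now. Nothing is modified or deleted.

# SHA-256 fingerprint of the first certificate in a PEM file (empty on error).
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Save the leaf certificate served at host:port ($1) to file $2.
# No trust validation happens here; the file is used only for comparison.
fetch_live_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2"
}

# Print one line per cached *.pem: CURRENT, STALE or UNREADABLE.
# $1 = directory with copies of the cached files, $2 = live certificate file.
# Returns 0 if every cached file matches, 1 otherwise, 2 if $2 is unusable.
audit_cache() {
    cache_dir=$1
    live_fp=$(cert_fp "$2")
    [ -n "$live_fp" ] || { echo "cannot read live certificate: $2" >&2; return 2; }
    rc=0
    for f in "$cache_dir"/*.pem; do
        [ -e "$f" ] || continue          # empty cache: the glob did not match
        fp=$(cert_fp "$f")
        if [ -z "$fp" ]; then
            echo "UNREADABLE $f"; rc=1
        elif [ "$fp" = "$live_fp" ]; then
            echo "CURRENT    $f"
        else
            end=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
            echo "STALE      $f (notAfter: $end)"; rc=1
        fi
    done
    return $rc
}

# Usage on the SRM appliance (local paths and <PORT> are placeholders):
#   docker cp <CONTAINER_ID>:/srm/sra/certs ./sra-certs
#   fetch_live_cert Replication_Appliance_FQDN:<PORT> ./live.pem
#   audit_cache ./sra-certs ./live.pem
```

A `STALE` line for a file whose fingerprint differs from the array's current certificate matches the condition described under Cause; keeping the copied directory also preserves a record of what was cached before the deletion.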


Additional Information

SRA command discoverArrays failed

SRA Docker Container Certificate Caching