VMware Horizon Community
Beebes
Contributor

SSL on AppV

Hello!

I deployed 2 App V instances in each of our data centers to do some testing. Now I want to enable storage group replication from one site to another. From what I can tell I need to add site B as a target in site A. From what I can see it requires the FQDN of the App V instance in site B.

Currently both sites are using the default VMware SSL certificates. Should these be replaced with proper SSL certs?

If so, I created an SSL cert from GoDaddy and, following these steps, I haven't had any luck getting it to work.

Replace the App Volumes Default Self-Signed Certificate (vmware.com)

Any suggestions or help would be appreciated.

Thanks

14 Replies
Micheal_A
VMware Employee

I deployed 2 App V instances in each of our data centers to do some testing. Now I want to enable storage group replication from one site to another. From what I can tell I need to add site B as a target in site A. From what I can see it requires the FQDN of the App V instance in site B.

There are two steps to what you want to do:

  1. You need to join the AppVolumes instances together to have one primary instance and the others to be your secondary instances.
  2. You need to create a replication datastore that will be used between sites.
    1. Mark the replication DS as unattachable in all AppVolumes instances
      1. On the secondary instances, mark the Replication DS also Read-Only.
    2. Create Storage Groups in both locations:
      1. In the Primary site, group the replication DS with your AppVolumes DSs.
      2. In the Secondary site, group the replication DS with your AppVolumes DSs.

Currently both sites are using the default VMWare SSL certificates. Should these be replaced with proper SSL certs?

  1. Yes.
  2. Is GoDaddy your Root CA for your Domain?
  3. Is your AppVolMgr server joined to a Domain?
  4. Do you have the GoDaddy Cert applied to the 'Trusted Root Certification' and 'Enterprise Trust' Certificate Store?

If so, I created an SSL cert from GoDaddy and, following these steps, I haven't had any luck getting it to work.

Replace the App Volumes Default Self-Signed Certificate (vmware.com)

Any suggestions or help would be appreciated.

I will give you the steps after you answer these questions.

VMware EUC by Broadcom
https://techzone.vmware.com/
Beebes
Contributor

Hi Micheal!

Thanks for your response.

There are two steps to what you want to do:

  1. You need to join the AppVolumes instances together to have one primary instance and the others to be your secondary instances.
    1. To do this, do I go to Infrastructure - Instances tab and Add Target on the Primary site and add the secondary site?
    2. If so, it looks like it requires a Secure Address, so I assume it's the FQDN of the second instance and it should be secured with an SSL certificate?
  2. You need to create a replication datastore that will be used between sites.
    1. Mark the replication DS as unattachable in all AppVolumes instances
      1. On the secondary instances, mark the Replication DS also Read-Only.
    2. Create Storage Groups in both locations:
      1. In the Primary site, group the replication DS with your AppVolumes DSs.
      2. In the Secondary site, group the replication DS with your AppVolumes DSs.
      3. I have this set up but it's not replicating, and I believe it's because of Step 1, where the second site hasn't been added as a Target in the primary site's Instances.

SSL Certificates

  1. OK, so it's best practice to replace them, and I agree as well. Thanks for confirming.
  2. I'm not sure what you're asking me, but we use GoDaddy for our SSL certificates on some of our DCs, Horizon and web servers. We don't have an internal CA set up.
  3. Yes, AppVolMgr is installed on a Windows Server joined to our domain.
  4. I believe that the GoDaddy Trusted and Enterprise certs are installed on Windows Servers by default. All I have done before is install the certificate in Certificates on the local server.

I've provided some screen shots for reference.

Thanks for helping me out!

Micheal_A
VMware Employee

Check the other two cert stores below and confirm they have the GoDaddy cert assigned.

[screenshot of the certificate stores]

Did you create a CSR from the AppVolMgr Server to submit to GoDaddy?

For the AppVolumes configuration: Review this TechZone article.

https://via.vmw.com/tchzmno3034

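Micheal's question about creating the CSR on the AppVolMgr server, as an added example in bash (not from the thread and not from VMware's documentation). It generates the key and CSR with OpenSSL, putting the manager's FQDN in the subjectAltName because the other site addresses the target instance by FQDN, and then checks the certificate that comes back from the CA: the key matches, the chain verifies against the CA bundle, and the hostname is accepted. The FQDN avm01.corp.example.com, the working directory and the throwaway CA in demo() (standing in for GoDaddy so the flow runs offline) are assumptions; the openssl commands are the same on the Windows server with OpenSSL for Windows, only the bash wrapper changes.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or from VMware: build the key and CSR for an
# App Volumes Manager with OpenSSL and check the CA-signed certificate before it goes
# into nginx. AVM_FQDN, WORKDIR and the stand-in CA in demo() are assumptions.
set -eu

AVM_FQDN="${AVM_FQDN:-avm01.corp.example.com}"   # assumed manager FQDN (hypothetical)
WORKDIR="${WORKDIR:-$(mktemp -d)}"               # on Windows use a folder such as C:\SSL

# Unencrypted 2048-bit RSA key (nginx runs as a service and cannot prompt for a
# passphrase) and a CSR that carries the FQDN in both CN and subjectAltName.
make_csr() {  # fqdn dir
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2/avm.key" -out "$2/avm.csr" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null
}

# 0 if the CSR lists the FQDN as a DNS SAN; TLS clients match on SAN, so a CN-only
# CSR yields a certificate that fails hostname checks.
csr_has_san() {  # fqdn csr
  openssl req -in "$2" -noout -text | grep "DNS:$1" >/dev/null
}

# 0 if the certificate's public key is the one derived from the private key file.
cert_matches_key() {  # crt key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 if the certificate chains to the CA bundle (root plus intermediates).
cert_chains_to() {  # crt bundle
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the certificate is valid for the hostname the other site will connect to.
cert_valid_for_host() {  # crt fqdn
  openssl x509 -in "$1" -noout -checkhost "$2" | grep "does match" >/dev/null
}

# Demo: a throwaway CA stands in for GoDaddy so this runs offline. A real CA copies
# the SAN from the CSR itself; here it is handed over with -extfile.
demo() {  # dir fqdn
  local d="$1" fqdn="$2"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.csr" \
    -subj "/CN=Stand-in Root CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 365 \
    -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
  make_csr "$fqdn" "$d"
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$d/san.ext"
  openssl x509 -req -in "$d/avm.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 365 -extfile "$d/san.ext" -out "$d/avm.crt" 2>/dev/null
}

if command -v openssl >/dev/null 2>&1; then
  demo "$WORKDIR" "$AVM_FQDN"
  csr_has_san "$AVM_FQDN" "$WORKDIR/avm.csr"             && echo "CSR carries SAN $AVM_FQDN"
  cert_matches_key "$WORKDIR/avm.crt" "$WORKDIR/avm.key" && echo "certificate matches key"
  cert_chains_to "$WORKDIR/avm.crt" "$WORKDIR/ca.crt"    && echo "chain verifies"
  cert_valid_for_host "$WORKDIR/avm.crt" "$AVM_FQDN"     && echo "valid for $AVM_FQDN"
fi
```

With the real certificate, point cert_chains_to at the intermediate bundle GoDaddy ships alongside the signed certificate, and keep avm.key unencrypted: a passphrase-protected key is what stops nginx from starting as a service.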
Beebes
Contributor

I did create the CSR on the APPV Windows server using CertUtil which was submitted to GoDaddy.

I have 2 GoDaddy certs in Trusted Root/Certificates but no certificate in Enterprise Trust. The certificate chain is valid, so I believe it's correct or it wouldn't show that it was. It was in the screen capture I provided.

In regards to the setup for replication I want to confirm that all I need to do is add the Secondary site as a target on the Primary site under instances and add the Primary as a target on the Secondary site?

Micheal_A
VMware Employee

For the joining of the two sites, you just decide which is going to be your primary site (Source AppVolMgr). Then add your other sites to that Source Instance as Target Instances.

What format did you receive the certs in?

  • PFX with embedded key

-OR-

  • Cert and separate Key 

Micheal_A
VMware Employee

[three screenshots]

  1. I create an SSL folder at the root of the C drive.
  2. Copy my CRT and KEY there.
  3. Copy the NGINX.conf file from the AppVolMgr location.
    1. Modify the config file to point to my C:\SSL with the two cert files.
  4. Copy the modified NGINX.conf file back to the AppVolMgr default location (I rename the current NGINX.conf to NGINX.conf.ORG).
  5. If I did not receive a PFX-formatted certificate, I then proceed to create one with this command.
    1. openssl pkcs12 -export -out "\\[SERVER]\WorkSpace\SSL_Certs\AppVolumes_INT_Cert\SSL_Cert\avm_MgmtServers.pfx" -inkey "\\[SERVER]\WorkSpace\SSL_Certs\AppVolumes_INT_Cert\avm_MgmtServers.key" -in "\\[SERVER]\WorkSpace\SSL_Certs\AppVolumes_INT_Cert\avm_mgmtServers.crt"

Hope this helps.

Beebes
Contributor

Thanks for the information in regards to joining them together. Now I need to solve the SSL issue.

The certificate came as a CRT and PEM. I installed and exported to a .PFX file. Then I used the OpenSSL tools to extract the certificate and key. When I did this, it's protected by a password. I don't know where to add the password in the nginx.conf file.

Maybe I should install the OpenSSL tools on AppVolMgr and follow this Obtain a CA-Signed Certificate Using a CSR (vmware.com) instead of using the built-in Windows Certreq.

What are your thoughts?

Micheal_A
VMware Employee

The password is for protecting your key. You don't need it for any of the AppVolMgr cert configuration. It's just so no one can export the cert with key from your server.

Use that Open SSL command string I gave you that will create the pfx file that you can import into the server and then restart the service to see if you did everything right.

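The PFX step Micheal listed and the passphrase question Beebes raised, as an added example in bash (not from the posts and not from VMware). It bundles certificate, key and chain into a PFX the way Micheal's openssl pkcs12 -export command does, extracts them back out, strips a passphrase from a key so nginx can load it unattended, and checks that the ssl_certificate and ssl_certificate_key lines of an nginx.conf (standard nginx directives; the layout of the App Volumes nginx.conf itself is not shown on this page) point at an existing, unencrypted, matching pair. check_served_cert is for after the service restart and is not run in the demo. The working directory, the FQDN, the self-signed demo certificate and the nginx.conf fragments are constructed here; on the Windows server the same openssl commands run from OpenSSL for Windows.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or from VMware: turn the files the CA returns into
# what nginx on the App Volumes Manager needs. Paths, FQDN, the demo certificate and the
# nginx.conf fragments are constructed for the demo.
set -eu

AVM_FQDN="${AVM_FQDN:-avm01.corp.example.com}"   # assumed manager FQDN (hypothetical)
WORKDIR="${WORKDIR:-$(mktemp -d)}"               # on Windows use a folder such as C:\SSL

# Bundle certificate, private key and (optionally) the CA chain file into one PFX.
# The export password protects the bundle; nginx never sees it.
make_pfx() {  # crt key out password [chain]
  if [ -n "${5:-}" ]; then
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$5" -out "$3" -passout "pass:$4"
  else
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
  fi
}

# The reverse: PEM certificate and key out of a PFX. -nodes writes the key
# unencrypted, which is what a service-started nginx can read without a prompt.
pfx_to_pem() {  # pfx password outcrt outkey
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4" 2>/dev/null
}

# 0 if the PEM key is passphrase-protected (PKCS#8 "ENCRYPTED PRIVATE KEY" or the
# legacy "Proc-Type: 4,ENCRYPTED" header); such a key makes nginx stop and prompt.
key_is_encrypted() {  # key
  grep "ENCRYPTED" "$1" >/dev/null
}

# Rewrite an encrypted key as a plain PEM key so nginx needs no passphrase.
strip_key_passphrase() {  # enc_key password out
  openssl pkey -in "$1" -passin "pass:$2" -out "$3"
}

# 0 if the certificate's public key belongs to the private key.
cert_matches_key() {  # crt key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Pull the ssl_certificate and ssl_certificate_key paths from an nginx.conf and confirm
# both files exist, the key is unencrypted and the pair belongs together.
check_nginx_ssl_paths() {  # nginx.conf
  local crt key
  crt=$(sed -n 's/^[[:space:]]*ssl_certificate[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1 | tr -d '"')
  key=$(sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1 | tr -d '"')
  [ -r "$crt" ] && [ -r "$key" ] && ! key_is_encrypted "$key" && cert_matches_key "$crt" "$key"
}

# After restarting the App Volumes Manager service: 0 if the certificate served on 443
# verifies against the CA bundle, which is what the other site's instance checks.
check_served_cert() {  # fqdn bundle
  openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# Demo with a constructed self-signed certificate standing in for the CA-issued one.
demo() {  # dir fqdn
  local d="$1" fqdn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/avm.key" -out "$d/avm.crt" \
    -subj "/CN=$fqdn" -days 30 2>/dev/null
  # A key exported with a passphrase, as in the thread, and its plain copy
  openssl pkey -in "$d/avm.key" -aes256 -passout "pass:export-secret" -out "$d/avm.enc.key"
  strip_key_passphrase "$d/avm.enc.key" "export-secret" "$d/avm.plain.key"
  # Round-trip through a PFX
  make_pfx "$d/avm.crt" "$d/avm.plain.key" "$d/avm.pfx" "export-secret"
  pfx_to_pem "$d/avm.pfx" "export-secret" "$d/from_pfx.crt" "$d/from_pfx.key"
  # Constructed nginx.conf fragments: one usable, one pointing at the encrypted key
  printf 'server {\n    listen 443 ssl;\n    ssl_certificate %s;\n    ssl_certificate_key %s;\n}\n' \
    "$d/from_pfx.crt" "$d/from_pfx.key" > "$d/nginx.conf"
  printf 'server {\n    listen 443 ssl;\n    ssl_certificate %s;\n    ssl_certificate_key %s;\n}\n' \
    "$d/from_pfx.crt" "$d/avm.enc.key" > "$d/nginx.bad.conf"
}

if command -v openssl >/dev/null 2>&1; then
  demo "$WORKDIR" "$AVM_FQDN"
  key_is_encrypted "$WORKDIR/avm.enc.key"        && echo "exported key is passphrase-protected"
  check_nginx_ssl_paths "$WORKDIR/nginx.conf"    && echo "nginx.conf points at a usable cert/key pair"
  check_nginx_ssl_paths "$WORKDIR/nginx.bad.conf" || echo "nginx.bad.conf: key is still encrypted"
fi
```

Run check_nginx_ssl_paths against the modified NGINX.conf before copying it back into the AppVolMgr location, and check_served_cert against each manager's FQDN from the other site once the service is back up; the second is the same trust decision the replication target makes.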
Beebes
Contributor

Hi Micheal!

Thanks for all the information. I really appreciate it!

I was able to get the certificates created and installed using the OpenSSL tools and the proper command to create the CSR and KEY file. Using the default MS CertReq utility doesn't work without extra steps.

I'm having issues getting the storage groups to work. On the Primary site, it doesn't sync the packages between the DSs and gives errors. I have a case open with support, but so far they haven't been able to resolve it.

Cheers

0 Kudos
Micheal_A
VMware Employee

I was able to get the certificates created and installed using the OpenSSL tools and the proper command to create the CSR and KEY file. Using the default MS CertReq utility doesn't work without extra steps.

That's why I use OpenSSL to create the proper cert formats I need. I use the OpenSSL scripts for AppVolumes and Horizon CS servers.

I'm having issues getting the storage groups to work. On the Primary site, it doesn't sync the packages between the DSs and gives errors. I have a case open with support, but so far they haven't been able to resolve it.

Please provide the SR# via a private message. I will review the SR and see what I can do to get you working.

Micheal_A
VMware Employee

I reviewed the SR yesterday and see they are requesting you update to a version that fixes this issue.

My suggestion is to follow their instructions and install the hotfix. 

Back up your DB and VMs just in case of a needed rollback.

Engineering will not let Support hand out a hotfix if they have not thoroughly tested it with clients that have already reported the issue and confirmed it worked for them, along with doing their own testing.

Beebes
Contributor

Hi Micheal!

I applied the update and it solved the issue with the local storage group replication errors. Now that issue is resolved, but I get errors related to the certificate on the destination site for the site-to-site replication. I removed the config and set it up again, accepting the certificate, and it still has the same errors.

I uploaded the logs and a screen shot of the errors.

Cheers

Micheal_A
VMware Employee

I sent you a private message.

Beebes
Contributor

Good Day!

I finally got the replication setup with the help of @Micheal_A and Technical support.

This was a brand new installation of 2312 V4.3.0.57. When I setup a storage group, they would not replicate. After contacting support, they provided a patch since this was a known issue with this version.

Log error - undefined method `include?' for nil:NilClass

Now the storage group on the Primary site was replicating to the shared DS and I could see the packages in the secondary Site, but I could not get replication to work on the secondary site storage group. According to the logs, it was looking for a folder that didn't exist.

I caused the replication issue when I didn't use the default naming convention for the folders in the Primary and Secondary site. IMPORTANT: both sites' App V folders HAVE to have the same name for site-to-site replication to work. I suggest you leave both sites' folder named the default "appvolumes" in your Configuration/Storage settings to avoid the issue I had.

Thanks to Mike and VMware Technical support for all their help resolving my issues.
