VMware Cloud Community
Matt_B1
Enthusiast

Site Recovery Manager (SRM) v6.0 fails to pair sites - certificate chain not verified

I have used the default self-signed certificates throughout the vCenter and SRM setup.  When going to pair the vCenters, I get "Server certificate chain not verified".  These are 2 new VCSA 6.0 VMs (embedded PSCs for each) and 2 new Windows 2012 R2 servers to run SRM 6.0.  I can view the Site in each respective vCenter but can't pair them.  Does anyone have suggestions?  We have tried valid SSL certs before on our original 6.0 deployment and continuously run into these certificate chain not valid errors.

7 Replies
basher
VMware Employee

Hello,

Is the vCenter installation a new one or is it an upgrade? What kind of certificates were used during vCenter deployment?

Stefan

Director - VMware Site Recovery Manager
Matt_B1
Enthusiast

Both are new VCSA 6.0 installs.  During the VCSA 6.0 install, I did not change, modify, or do anything with SSL certs.

asenov
VMware Employee

Try running the SRM installer in Modify mode, accept the PSC certificate thumbprint, and finish the wizard. Do this on both sites.

Regards,

Asen

Matt_B1
Enthusiast

SRM 6.0 is a brand new install after the vCenters were online.  I accepted the certificate when I entered the vCenter info.

asenov
VMware Employee

Have you provided the same PSC address in the SRM installer and in the Pairing wizard? Any chance that you provided an IP address in the installer and an FQDN in the wizard, or vice versa?

Matt_B1
Enthusiast

Yes, I always used the FQDN. This issue was actually the result of having an incorrect vCenter topology. The error resulted in us spending hours with support all around valid or self-signed certs. In the end, I had to completely redeploy new VCSA 6.0 appliances and follow the 3rd recommended topology.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=210854...

With this setup, it also links the vCenters and it seems to be much quicker than Linked Mode in previous versions.  I was able to pair the sites in SRM without issue.  FYI, I am using self-signed certs all around at the moment.  SRM is very finicky about trust with SSL certs so I won't try implementing valid SSL certs until I get some working failovers.

asenov
VMware Employee

Thank you for spending time and giving us feedback! Have you and the support guys been able to root-cause what the original problem was? I am asking because I have tested SRM in different topologies (with trusted and not trusted certs) and I have not seen such an error when correct addresses are used. And by the way, a lot of certificate-related restrictions from the previous versions are dropped in SRM 6.0 and now it is not so "finicky" :).

Thanks,

Asen
