Site Recovery Manager fails to start the service with the error message “The host certificate chain is incomplete”

Whenever you think you understand a product to a certain extent the product proves you wrong. So I was in a similar situation where a customer reported that SRM service was failing to start at the recovery site. As my regular practice which I always do, went through the DR logs to validate the error backtrace. I managed to find a interesting backtrace.

Those who still do not like to memorize the path, you can find it below.

C:\ProgramData\VMware\VMware vCenter Site Recovery Manager\Logs\VMware-dr.log.

 VMware-dr.log

[11644 verbose ‘LocalPbmServer’ connID=4bfe] Attempting to connect

[09252 error ‘LocalSsoServer.ConnHandler’ connID=sso-admin-2cce] `anonymous-namespace’::ConnectHandler::GetContentComplete: Failed to retrieve admin content while connecting to SSO.Exception:

–> std::exception ‘class Vmacore::Ssl::SSLVerifyException’ “SSL Exception: Verification parameters:

–> PeerThumbprint: 62:01:94:4C:A5:94:D1:2D:CF:BC:83:66:A6:83:63:7A:05:E2:EA:07

–> ExpectedThumbprint:

–> ExpectedPeerName: vCenter.vmware.com

–> The remote host certificate has these problems:

–>

–> * The host certificate chain is incomplete.

–>

–> * unable to get local issuer certificate”

Now it is certainly not possible the service stopped all by itself without any change in the environment. So during my interaction with the customer he informed me he did witness the issue post replacing the PSC and vCenter certificate in the environment.

Checked and found the thumbprint provided in the stack trace was matching the thumbprint for PSC certificate but yet for some reason we still encountered service being crashed.

Since the above message kept prompting as “The host certificate chain is incomplete” I was certain that SRM is not happy with the PSC certificate for some reason (in this case PSC was external).

So the idea behind to login to the PSC was to retrieve the root certificate and add it to SRM trusted root certificate authorities.

I logged in to the PSC and ran the below command to extract it.

vCenter Appliance:

/usr/lib/vmware-vmafd/bin/vecs-cli entry list –store TRUSTED_ROOTS

Windows vCenter Server

“C:\Program Files\VMware\vCenter Server\vmafdd\”vecs-cli entry list –store TRUSTED_ROOTS

Alias : ec5c6f2b6e16a299f5a6d352ca93539812e1d727

Entry type :    Trusted Cert

Certificate :   —–BEGIN CERTIFICATE—–

MIIEDzCCAvegAwIBAgIJAMthqc1ZVzICMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYD

VQQDDAJDQTEXMBUGCgmSJomT8ixkARkWB3ZzcGhlcmUxFTATBgoJkiaJk/IsZAEZ

FgVsb2NhbDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExIDAeBgNV

BAoMF0NhcnRtYW4uc291dGhwYXJrLmxvY2FsMQ8wDQYDVQQLDAZWTXdhcmUwHhcN

MTcxMDIyMDgzNTQwWhcNMjcxMDIwMDgzNTQwWjCBkjELMAkGA1UEAwwCQ0ExFzAV

BgoJkiaJk/IsZAEZFgd2c3BoZXJlMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxCzAJ

BgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMSAwHgYDVQQKDBdDYXJ0bWFu

LnNvdXRocGFyay5sb2NhbDEPMA0GA1UECwwGVk13YXJlMIIBIjANBgkqhkiG9w0B

AQEFAAOCAQ8AMIIBCgKCAQEAva1WAwb7xixkhxgivB2p4uzF98SJmkng/qxdjaFN

e+YOxHdtgRto40EP6TJvK3NUx7I2ZAtiVwDsXTU9iocQXQXs7/D5f9kahbmbvPLw

DKzuPdB+Fb9qm1rC5ea4JviAXuA/hk1Qm/r9RoC+Xo5xif+s41diMzXW2aOwENWw

d+dQhf95YHQqmQLWvRXtvzsA9v/8W+IzufeUZ9goMnMXyJmilVKIWzUv0jVFtO/w

96Xgz8gvApYO26gwaUjtnsEQvyhYU+7NbGxPBSh2tF8YNYHuPdkUy2dsm7WmEnPu

17mQucax+J0Yax1q94qi9Ski0yQkt67VOYy68x88wofeeQIDAQABo2YwZDAdBgNV

HQ4EFgQUoLJLpbDCU6RNwsIiC+zlACr0flcwHwYDVR0RBBgwFoEOZW1haWxAYWNt

ZS5jb22HBH8AAAEwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAw

DQYJKoZIhvcNAQELBQADggEBALT6GZaUK/Ks9qh3kfp/udcCNy5gFszq6ekVo0Lj

Mbcbn9x0NE+uDW6ZNgpM4YKXv/XtDPH4cSZvu0VrPj3P2h/NbdBDMbeA7c4bRfh8

EUcgWFV483fVLEphC85B3SaotDskNnj7bzwn7WcaAdNkwPzmCgSkmK+Bzy2jkDgA

WIUSdyoGjPzvqG+pPTUUGU6dRmrjZLsol3v81imQaU1bRBaKKSvWTQ0LgMockPtA

lQq1qJngxaN86xnfBkd9fNHOJwFV8Lzho81xNGUN/9PtPh3utITTacEGbI9RzUAB

RD5KVJgNQxzdiOc7uJzq+jaaBleYH+93rNcrxoPNyD5+pFA=

—–END CERTIFICATE—–

Pasted the above content in a notepad that starts from Begin Certificate upto End Certificate and saved the file as root.cer. Went ahead and copied the certificate to the SRM server

Logged in to the SRM server in the recovery site and performed the below procedure.

GoTo Start–>Run–>mmc

File–>Add/Remove Snapin–>Certificate–>Add–>Computer Account–>Local Computer–>Finish.

Clicked on Certificates–>Trusted Root Certificate Authorities–>Certificates

All Tasks–>Import–>Next–>Browse and locate the above root certificate–>Next–>Finish.

Went ahead and performed a modify of the SRM installer to start the service successfully.

Hope this article was helpful. Watch out for more.