VMware SRM and SSL certificates

I recently ran into some problems with SRM and SSL certificates. My lab for this project has two vCenters — both using CA-signed SSL certificates. During the SRM install I used the automatically generated certificates. When the installations were complete, I was unable to pair the sites. The error message I received was SSL-related:

The host certificate chain is not complete. reason.msg

I spent a lot of time trying to figure out the ‘trick’ on how to create certificates that SRM would actually use. I finally found a blog post here: http://thephuck.com/virtualization/creating-certificates-for-vmware-srm-or-vcenter-using-openssl-made-easy-with-video/ that pointed me in the right direction. I followed the instructions but SRM still wouldn’t use the certificate.

Looking at the certificate created, I noticed a couple of things were missing. Specifically, the following two settings that actually make the SRM certificate different:

extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: fqdn.of.srm.server

Even though my CSR contained both of these settings, the CA did not include them in the certificate. I decided to make a copy of the ‘Web Server’ certificate template I normally use and add a ‘Client Authentication’ purpose. However, when I got to my CA, I noticed an SCCM Web Server template that already had the options I needed.

I followed the instructions, but made two different changes when submitting the CSR to my CA:

Certificate Template: SCCM Web Server (which has a Server & Client purpose)
Attributes: san:dns=host.name.of.vcenter (which adds the subject alternative names)

Finally, after what felt like weeks of SSL hell, I was able to pair my sites. Many thanks to Luke @ThepHuck for these valuable instructions.
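
One way to confirm that the certificate the CA actually issued carries the two settings named above, rather than trusting the CSR (an added example, not part of the original post; the hostname srm01.lab.example, the file names and both helper functions are constructed for illustration, and the second helper only builds throwaway self-signed test certificates):

```bash
#!/usr/bin/env bash
# Added example: check an issued certificate for the EKU and SAN values from the post.

# check_srm_cert CERT.pem FQDN -> 0 if EKU has serverAuth+clientAuth and SAN has DNS:FQDN
check_srm_cert() {
    local text san purpose rc=0
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    # OpenSSL prints serverAuth/clientAuth under these long names.
    for purpose in 'TLS Web Server Authentication' 'TLS Web Client Authentication'; do
        if ! printf '%s\n' "$text" | grep -Fq "$purpose"; then
            echo "MISSING extendedKeyUsage: $purpose"; rc=1
        fi
    done
    # SAN values sit on the line after the extension name; split to one entry per line.
    san=$(printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' \
          | tail -n 1 | tr -d ' ' | tr ',' '\n')
    # Exact, case-insensitive match, so a longer or shorter name does not pass.
    if ! printf '%s\n' "$san" | grep -Fxiq "DNS:$2"; then
        echo "MISSING subjectAltName: DNS:$2"; rc=1
    fi
    return $rc
}

# make_demo_cert OUT.pem FQDN yes|no -> self-signed test cert with or without the extensions
make_demo_cert() {
    local dir section=plain rc
    dir=$(mktemp -d) || return 2
    [ "$3" = yes ] && section=srm
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[plain]
basicConstraints = CA:FALSE
[srm]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -extensions "$section" -keyout "$dir/key.pem" -out "$1" 2>/dev/null
    rc=$?; rm -rf "$dir"; return $rc
}

# Usage: bash check_srm_cert.sh issued-cert.pem fqdn.of.srm.server
if [ "$#" -eq 2 ]; then check_srm_cert "$1" "$2"; fi
```

A certificate issued from a template that drops the requested extensions, as described above, prints three MISSING lines and returns non-zero.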


6 Responses to VMware SRM and SSL certificates

  1. Luke says:

    I’m glad I could help! @ShannonSnowden from http://virtualizationinformation.com & I worked back and forth trying to figure out a good way to get the certs working. He posted about it here: http://virtualizationinformation.com/installing-certificates-for-vcenter-and-srm-to-work/

  2. Pratiks says:

    I am experiencing the same issue with default certs after the SRM IP has been changed.

    Mon, 4:20 PM] Login of SRM server ” into SRM server ” failed. SRM server ” cannot validate SSL certificate from server at ”. The remote host certificate has these problems:

    * The host certificate chain is not complete. reason.msg

  3. Pratiks says:

    Any help would be appreciated

  4. Luke says:

    Is this error seen between the Protected vCenter & Protected SRM server? Or is it seen when trying to authenticate the Protected site to the Recovery site?

    If it’s the latter, try reconnecting the site pairing. It should present the certificate, allowing you to accept it.

  5. Pratiks says:

    We are unable to register SRM to vCenter
    Issue occurred after an IP change in the environment
    Same issue is seen on both sites

    We have done a modify install of SRM and generated new default certs in the process.

  6. Pratiks says:

    the issue still persists
