Error registering an ASR replication appliance to Azure Site Recovery Vault. Unable to fetch certificate details from KeyVault.

Question

I am trying to register a new ASR replication appliance with a Site Recovery Vault as the old replication appliance has 'burnt down' and is no longer available.

When I try and register the appliance I get an error: Unable to fetch certificate details from Key Vault.

I've searched for the error and found it may be permissions to the Key Vault but already have Owner assigned to my user account for the subscription.

There have been no denies for the appliance traffic through our firewall and all designated URLs for the appliance to work are allowed.

Answer 1

Hello @Craig Dyson Thank you for posting your question on the Microsoft Q&A platform. Happy to assist you with your concern.

Based on the information provided, I see that you are trying to register ASR replication appliance and it is failing with error "Unable to fetch certificate details from Key Vault"

The ASR replication

appliance uses the key vault to manage connection strings for the service bus, and access keys for the storage accounts used in replication. Authorization of access to key vault is either done by vault access policies or Azure RBAC. For more information on authorization policies of key vault, refer this document.

From the error you have been prompted with, you need to assign yourself with necessary permission on Key Vault using vault access policy. On how to add vault access policy, refer this document.

• Ensure that the currently signed-in user account on the appliance has the required permissions on the key vault mentioned in the error message. The user account needs permissions as mentioned at this website.
• Go to the key vault and ensure that your user account has an access policy with all the Key, Secret, and Certificate permissions assigned under Key Vault Access Policy. Learn more.
• If you enabled the appliance for private endpoint connectivity, ensure that the appliance is either hosted in the same virtual network where the key vault was created or it's connected to the Azure virtual network where the key vault was created over a private link. Make sure that the key vault private link is resolvable from the appliance.

Are you using the modernized appliance? If yes, grant required permissions to the vault.

You will also need to grant the managed identity permissions to the cache storage accounts. You can create the storage account in advance and use the same for enabling replication.

Ensure that the following role permissions are present depending on the type of storage account:

• Resource Manager based storage accounts (Standard Type):
  • Contributor
    • Storage Blob Data Contributor
• Resource Manager based storage accounts (Premium Type):
  • Contributor
    • Storage Blob Data Owner

If you have the required permissions and connectivity, retry the registration on the appliance after some time.

Hope this helps. Feel free to write back to us if you have any issues or have any questions.

---

If the response helped, do "Accept Answer" and up-vote it

Answer 2

Hello @Craig Dyson

Here are some potential solutions:

1. Azure Resource Quota Issues (Error Code 150097):
   • Ensure that your subscription is enabled to create Azure VMs in the target region where you plan to set up your disaster recovery (DR) region.
   • Verify that your subscription has sufficient quota to create VMs of the necessary sizes. By default, Site Recovery selects a target VM size that matches the source VM size. If an exact match isn’t available, it chooses the closest available size. If no suitable size supports the source VM configuration, you’ll see an error message like: “Replication couldn’t be enabled for the virtual machine <VmName>.”
   • To fix this, contact Azure billing support to enable your subscription for creating VMs of the required sizes in the target location. Then retry the failed operation. If the target location has capacity constraints, consider disabling replication to that location and enabling it in a different location with sufficient quota1.
2. Trusted Root Certificates (Error Code 151066):
   • If the enable replication job fails due to missing trusted root certificates, follow these steps:
   • For Windows VMs, install the latest Windows updates to ensure that all trusted root certificates are present on the VM.
   • If you’re using a VM running a Linux distribution, make sure that all necessary trusted root certificates are installed.
   • Check whether the DigiCert_Global_Root_CA certificate is present. If not, you can download it using the following command: wget https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem -O Baltimore_CyberTrust_Root.pem1.
3. Regenerating Certificates (Azure Appliance Configuration Manager):
   • If you’ve renamed the guest OS and are experiencing certificate validation issues, try regenerating the certificate with the new hostname. You can do this by clicking the “Regenerate” button under the certificates tab in the Azure Appliance Configuration Manager2.
4. Create a New Recovery Services Vault:
   • When setting up the ASR replication appliance, ensure that you create a new and exclusive Recovery Services vault. Avoid using an existing vault.
   • Provide the necessary details during registration, including the vCenter Server credentials, password, and friendly name. These details are used to fetch information about virtual machines managed through vCenter4.