AWS Server Migration Service
User Guide

Troubleshooting AWS SMS

This section contains troubleshooting help for specific errors you may encounter when using AWS SMS.

Certificate Error When Uploading a VM to Amazon S3

The connector may fail to replicate your VM because the VM is on an ESXi host with an SSL certificate problem. If this occurs, you see the following error message displayed in the Latest run's status message section: "ServerError: Failed to upload base disk(s) to S3. Please try again. If this problem persists, please contact AWS support: vSphere certificate hostname mismatch: Certificate for <> doesn't match any of the subject alternative names: [localhost.localdomain]."

You can override this ESXi host certificate problem by completing the following procedures:

Upgrade Your Connector

This section is for customers who are manually upgrading the connector. If you have previously configured automatic upgrades, skip these steps and continue to Re-Register Your Connector.

To upgrade your connector

  1. Open the connector console.

  2. Log in to the connector.

  3. Choose Upgrade.

  4. Wait for the connector to finish upgrading to version

Re-Register Your Connector

This section applies to all customers encountering the certificate mismatch problem.

To re-register your connector

  1. Open the connector console.

  2. Log in to the connector.

  3. In the General Health section, check that the connector version is

  4. Choose Edit AWS Server Migration Service Settings.

  5. On the Setup page, for AWS Region, select the desired region from the list. For AWS Credentials, enter the IAM access key and secret key that you created in Step 2 of the setup guide. Choose Next.

  6. On the vCenter Service Account page, enter the vCenter hostname, username, and password that you created in Step 3 of the setup guide.

  7. Select the Ignore hostname mismatch and expiration errors for vCenter and ESXi certificates check box. Choose Next.

  8. Complete registration and view the connector configuration dashboard.

  9. In the AWS SMS console, delete and restart your stuck replication jobs.

Server Migration Connector Fails To Connect To AWS with Error "PKIX path building failed"

In some customer environments, secure network traffic is proxied through a certificate re-signing mechanism for auditing and management purposes. This can cause your AWS credentials to fail when the connector attempts to contact AWS SMS. The error message contains "PKIX path building failed," indicating that an invalid certificate was presented.

For the connector to work in such an environment, the re-signing certificate (a user certificate that your organization trusts and uses to sign outbound packets) must be added to the connector's trust store, as described in the following steps.

To add the re-signing certificate to the connector trust store

  1. On your connector system, disable the FreeBSD packet filter and enable SSH with the following commands:

    sudo service pf stop sudo service sshd onestart
  2. Copy your user certificate to the connector by a method such as the following:

    scp userCertFile ec2-user@
  3. Add the user certificate to the trust store:

    keytool -importcert -keystore /usr/local/amazon/connector/config/jetty/trustStore -storepass AwScOnNeCtOr -file /tmp/userCertFileName -alias userCertName
  4. Restart services using the following command (part of AWS Management Portal for vCenter):

    sudo setup.rb

    Select option 3 and type "yes".

  5. Re-enable the packet filter:

    sudo service pf start