Symptoms

You may see 404 HTTP errors or other Apache web service when the certificate expires: Other errors may be seen such as resource unavailable.In general, the UI is inaccessible.Issue also presents as user login in failure.

Cause

When the https certificate expires on a Data Domain, it causes issues with the Apache web server. It brings the UI down and makes it inaccessible.

Resolution

Note: If the CA certificate is expired, you require sysadmin credentials for any Data Domain or PowerProtect DD Management Center that have previously established trust with this Data Domain. Ensure that the credentials are available before attempting this procedure. If this is a Data Domain in an Integrated Data Protection Appliance or Cyber Recovery vault configuration, consider how those systems monitor the Data Domain using certificates. Support may be required when a certificate expires and then a new certificate is added. This is not a concern for Data Domains in a DLm solution as the DLm does not require or use HTTP or HTTPS access to communicate with the Data Domain. Certificate updates on the Data Domain may be performed without interruption of the DLm tape mount processing. Check if the https or CA, or both certificates are expired: # adminaccess certificate show If they are not expired, the UI may be down due to these issues: Data Domain: After upgrading to DDOS or DDMC 7.1.x or later, the UI cannot be accessed anymoreData Domain: After upgrading to DDOS or DDMC 6.2.1.90, 7.2.0.95 or 7.7.2.x or later, UI cannot be accessed anymore If the CA certificate is expired, check the trusts which are established: # adminaccess trust show You see the certificate for the current Data Domain (by its hostname) and certificates of other Data Domains or PowerProtect DD Management Center. If those trusts must be reestablished, a user requires the sysadmin passwords for any Data Domains or Data Domain Management Centers in the trust pair to reestablish after generating a new CA cert. Check if the HTTPS cert is a self-signed certificate or if the user signs it with a Certificate Authority (CA): # adminaccess certificate show imported-host application https If this command returns anything, the user signs the certificate with a CA. Otherwise, if there is no imported host certificate, the certificate is self-signed.Even if the imported cert is valid and not expired, if the self-signed cert is expired, you will need renew it as in the next couple steps. Self-signed host certificate is also used internally for DD GUI to communicate with SMS internally. If the certificate is self-signed and the HTTPS cert is expired, regenerate a new one with: # adminaccess certificate generate self-signed-cert Then go to step 9 to restart gui services If the CA certificate is expired, regenerate a new HTTPS and CA cert with this command: # adminaccess certificate generate self-signed-cert regenerate-ca If the HTTPS certificate is signed externally, generate a new Certificate Signing Request (CSR). The user passes this to their CA for signing and imports the signed certificate back into the Data Domain. Follow the article Data Domain: How to Generate a Certificate Signing Request and Use Externally Signed Certificates. DDOS supports one host certificate for HTTPS. If the system is using a host certificate including self-signed and the user wants to use a different host certificate, delete the current certificate before adding the new certificate. Steps: Select Administration > Access > Administrator Access.In the Services area, select HTTP, or HTTPS, and click Configure.Select the Certificate tab.Select the certificate that a user wants to delete.Click Delete, and click OK. If the CA certificate was regenerated, a user must reestablish any trust required. The PowerProtect DD Management Center requires Trust for monitoring and when replication is configured using the UI. If so, a user must establish a trust for that to work. For any Data Domains or Data Domain Management Centers that need trust, run this command to delete the old trust and then reestablish trust with using the new certificate on the current Data Domain (This asks for the sysadmin password on the other Data Domains or Data Domain Management Centers. Ensure that a user has all Data Domains or Data Domain Management Centers or delete the trust for any Data Domains or Data Domain Management Centers that are decommissioned without adding them back. Use the command without the type mutual when doing this. # adminaccess trust del host type mutual Then run this command to establish a new trust: # adminaccess trust add host type mutual For the above example, run the add and del for ALL the other Data Domains or Data Domain Management Centers in turn. # adminaccess trust del host sc-dd2500-2.lss.emc.com type mutual # adminaccess trust add host sc-dd2500-2.lss.emc.com type mutual If a user must not add the trust back, because the Data Domain is decommissioned: # adminaccess trust del host dd690.dssupport.emea Once the trust is reestablished if needed, restart the UI services: # adminaccess disable http # adminaccess disable https # adminaccess enable https # adminaccess enable http The user interface should be accessible now. How to restart HTTP/HTTPS services when the GUI is unavailable – Dell Data Domain Duration: 00:03:17 (hh:mm:ss)When available, closed caption (subtitles) language settings can be chosen using the CC icon on this video player. You can also view this video on YouTube.

Support Cases