OPERATIONAL DEFECT DATABASE
...
...
You may see 404 HTTP errors or other Apache web service when the certificate expires: Other errors may be seen such as resource unavailable. In general, the GUI is inaccessible. Issue also presents as user login failure on the GUI.
When the https or CA certificate expires on a Data Domain, it causes issues with the Apache web server. It brings the GUI down and makes it inaccessible.
Note: If the CA certificate is expired, you will require sysadmin credentials for any Data Domain or PowerProtect DD Management Center that have previously established trust with this Data Domain. Ensure that the credentials are available before attempting this procedure. If this is a Data Domain in an Integrated Data Protection Appliance or Cyber Recovery vault configuration, consider how those systems monitor the Data Domain using certificates. Support may be required when a certificate expires and then a new certificate is added. This is not a concern for Data Domains in a DLm solution as the DLm does not require or use HTTP or HTTPS access to communicate with the Data Domain. Certificate updates on the Data Domain may be performed without interruption of the DLm tape mount processing. Check if the https or CA, or both certificates are expired: # adminaccess certificate show If they are not expired, the UI may be down due to these issues: Data Domain: After upgrading to DDOS or DDMC 7.1.x or later, the UI cannot be accessed anymore Data Domain: After upgrading to DDOS or DDMC 6.2.1.90, 7.2.0.95 or 7.7.2.x or later, UI cannot be accessed anymore If the CA certificate is expired, check the trusts which are established: # adminaccess trust show You see the certificate for the current Data Domain (by its hostname) and certificates of other Data Domains or PowerProtect DD Management Center. If those trusts must be reestablished, a user requires the sysadmin passwords for any Data Domains or Data Domain Management Centers in the trust pair to reestablish after generating a new CA cert. Some trusts might be stale from old replication contexts and don't need to be added back. Check if the HTTPS cert is a self-signed certificate or if the user signs it with a Certificate Authority (CA): # adminaccess certificate show imported-host application https If this command returns anything, the user signs the certificate externally with a CA. Otherwise, if there is no imported host certificate, the certificate is self-signed. Even if the imported cert is valid and not expired, if the self-signed cert is expired, you will need renew it as in the next couple steps. Self-signed host certificate is also used internally for DD GUI to communicate with the SMS service internally. Important Note: The self-signed host and CA certs are required to be on the system even if they are not in use, you cannot delete/remove the self-signed certificates in case the system needs to fall back to them. This is by design. If the HTTPS certificate is signed externally, generate a new Certificate Signing Request (CSR). The user passes this to their CA for signing and imports the signed certificate back into the Data Domain. Follow the article Data Domain: How to Generate a Certificate Signing Request and Use Externally Signed Certificates . DDOS supports one host certificate for HTTPS. If the system is using a host certificate including self-signed and the user wants to use a different host certificate, delete the current certificate before adding the new certificate. Steps: Log out from the browser session before deleting an HTTPS host certificate. Run CLI Command to delete the certificate adminaccess certificate delete imported-host-application https If the CA certificate is expired, regenerate a new HTTPS and CA cert with this command: # adminaccess certificate generate self-signed-cert regenerate-ca You will notice that after generation, the valid starting date for the HTTPS cert will be one month in the past and the CA cert will be one year in the past, this is by design. Then go to step 9 to restart gui services If the certificate is self-signed and only the HTTPS cert is expired, regenerate a new HTTPS cert with: # adminaccess certificate generate self-signed-cert If the CA certificate was regenerated, a user must reestablish any trust required. The PowerProtect DD Management Center requires trust for monitoring and when replication is configured using the UI. If so, a user must establish a trust for that to work. For any Data Domains or Data Domain Management Centers that need trust, run this command to delete the old trust and then reestablish trust with using the new certificate on the current Data Domain (This asks for the sysadmin password on the other Data Domains or Data Domain Management Centers. Ensure that a user has all Data Domains or Data Domain Management Centers or delete the trust for any Data Domains or Data Domain Management Centers that are decommissioned without adding them back. Use the command without the type mutual when doing this. # adminaccess trust del host <hostname of other DD/DDMC> type mutual Then run this command to establish a new trust: # adminaccess trust add host <hostname of other DD/DDMC> type mutual For the above example, run the add and del for ALL the other Data Domains or Data Domain Management Centers in turn. # adminaccess trust del host sc-dd2500-2.lss.emc.com type mutual # adminaccess trust add host sc-dd2500-2.lss.emc.com type mutual If a user must not add the trust back, because the Data Domain is decommissioned: # adminaccess trust del host dd690.dssupport.emea Once the trust is reestablished if needed, restart the UI services: # adminaccess disable http # adminaccess disable https # adminaccess enable https # adminaccess enable http The user interface should be accessible now. How to restart HTTP/HTTPS services when the GUI is unavailable - Dell Data Domain Duration: 00:03:17 (hh:mm:ss) When available, closed caption (subtitles) language settings can be chosen using the CC icon on this video player. You can also view this video on YouTube .
Click on a version to see all relevant bugs
Dell Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.
