NetWorker: NMC unable to verify certificates after NMC server version change.

Summary: The NetWorker Management Console (NMC) software is updated on a Linux host. After the upgrade, the NMC's GST service does not start and reports certificate validation errors. ...


Symptoms

  • A Linux NetWorker Management Console (NMC) server package was upgraded.
  • In the nmc_config script, the option to Use Existing (ue) certificates was specified.
  • The nmc_config script reports the following error:
[root@NMCxxx ~]# /opt/lgtonmc/bin/nmc_config
The embedded web server inside the NMC server must run as a non-root user.
EMC recommends that you specify a user that has limited privileges and
file access permissions. Default user name used is 'nsrnmc'.

Do you want to create new(cn) certificate or use existing(ue) certificate [ue]? ue

Do you want to use "/nsr/certs/certxxx.pem" certificate file & "/nsr/certs/privatekey.key" key file [y]? y

ERROR: Key file "/nsr/certs/privatekey.key" does not correspond to certificate file "/nsr/certs/certxxx.pem".
  • The /opt/lgtonmc/logs/Install.log shows the following:
Validation Failed, Configuration can not retained during upgrade.
Please run /opt/lgtonmc/bin/nmc_config after rpm installation.
Changing the ownership of /nsr/nmc/nmcdb to nsrnmc
** running: /opt/lgtonmc/bin/gstconfig -r
Reading private key from /nsr/certs/privatekey.key
Reading certificate from /nsr/certs/certxxx.pem
187258:gstconfig: Error while verifying certificate, error:04091077:rsa routines:INT_RSA_VERIFY:wrong signature length .
Error in comssl_verify_cert_and_privkeyReading private key from /nsr/certs/privatekey.key
187257:gstconfig: Could not read the private key.
187258:gstconfig: Error while verifying certificate, error:0906D06C:PEM routines:PEM_read_bio:no start line .
** running: /opt/lgtonmc/bin/gstconfig -c

Cause

The Use Existing option was unable to verify the signature when reading the private key; the cause was not determined.

Resolution

  1. Open a root shell on the NMC server and run the /opt/lgtonmc/bin/nmc_config script; however, specify Create New (cn):
[root@NMCxxx certs]# /opt/lgtonmc/bin/nmc_config
NOTE
====
Install has detected the configuration file of a previous lgtonmc
package. Install will attempt to read the configuration parameters
in this file and present them as default values where appropriate.
Please modify any value that is incorrect or needs to be changed.
The embedded web server inside the NMC server must run as a non-root user.
EMC recommends that you specify a user that has limited privileges and
file access permissions. Default user name used is 'nsrnmc'.

Do you want to create new(cn) certificate or use existing(ue) certificate [ue]? cn
Creating new certificate for https configuration.

Specify the directory to use for the LGTOnmc database [/nsr/nmc/nmcdb]:
A database already exists in /nsr/nmc/nmcdb, do you want to retain this database [y]?
Specify the host name of the NetWorker Authentication Service host [Authxxx.FQDN]:
Start the NMC server daemons at end of the configuration [y]? SEE BELOW POINT BEFORE CHOOSING Y/N
Creating the installation log in /opt/lgtonmc/logs/install.log.
Performing initialization. Please wait...

The installation completed successfully.
  • Before starting the GST services, consider the following:
    • If you were previously using the default self-signed certificates created by nmc_config, you can use the newly generated one. In that case, enter y to start the NMC server's GST service upon script completion. No further steps are required.
    • If you previously replaced the self-signed certificates with CA signed certificates, enter n and proceed with the following steps.
  1. Use a text editor to open the httpd.conf file to specify the previously used certificates: vi /opt/lgtonmc/apache/conf/httpd.conf
    1. Search for SSLCertificateFile and specify the full path to the previously used certificate file.
    2. Search for SSLCertificateKeyFile and specify the full path to the previously used key file.
    3. Save the file.
  2. Start NetWorker and GST services: systemctl start gst
  3. Monitor /opt/lgtonmc/logs/gstd.raw for errors.

NetWorker: How to use nsr_render_log to render .raw log files

Additional Information

NOTE: If the issue persists after reverting to the previous CA-signed certificate and key, validate the file used or see the following article for importing a new certificate and key: NetWorker: How to Import or Replace Certificate Authority Signed Certificates for NMC
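
One way to validate a certificate and key pair before pointing httpd.conf at it or choosing Use Existing in nmc_config. This is an added example, not Dell or NetWorker code. It assumes the OpenSSL command-line tool is installed and the key is an unencrypted PEM file; the script name check_pair.sh and the function name are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not Dell/NetWorker code): check that a PEM private key
# belongs to a PEM certificate by comparing the public key derived from each.

# Prints one of: match | mismatch | key-not-pem | key-unreadable | cert-unreadable
# Returns 0 on match, 1 on mismatch, 2 when a file cannot be parsed.
cert_key_match() {
    local cert=$1 key=$2 cert_pub key_pub

    # A key file with no PEM header (empty, DER-encoded, truncated) is what
    # produces OpenSSL's "PEM_read_bio:no start line" error.
    if ! grep -q -e '-----BEGIN' "$key" 2>/dev/null; then
        echo "key-not-pem"; return 2
    fi

    # Public key embedded in the certificate (SubjectPublicKeyInfo, PEM).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cert-unreadable"; return 2; }

    # Public key derived from the private key. The empty -passin makes an
    # encrypted key fail here instead of prompting (assumption: key is unencrypted).
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "key-unreadable"; return 2; }

    if [ "$cert_pub" = "$key_pub" ]; then
        echo "match"; return 0
    fi
    echo "mismatch"; return 1
}

# Usage: ./check_pair.sh /path/to/cert.pem /path/to/private.key
if [ "$#" -eq 2 ]; then
    cert_key_match "$1" "$2"
fi
```

A result of mismatch corresponds to the "does not correspond to certificate file" error from nmc_config, and key-not-pem to the "no start line" error in Install.log.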

Affected Products

NetWorker, NetWorker Management Console

Products

NetWorker Family
Article Properties
Article Number: 000200619
Article Type: Solution
Last Modified: 20 Rajab 1447
Version:  5