Avamar - Dell Cloud Director Data Protection Extension (DPE) vcpsrv status shutdown due to invalid Cloud certificate

Summary: DPE: vcpsrv status shows shutdown due to an invalid vCloud certificate in the DPE truststore. The Dell EMC Data Protection Extension is the first certified data protection solution for VMware vCloud Director, which is also a native data protection solution. It extends the vCloud Director HTML 5 UI and REST API, providing tenants a single management end-point for their virtual datacenters. Tenants can manage image-level backups of VMs and vApps, restore to a new VM or in-place, by policy or ad hoc, even file-level restore. ...


Symptoms

VCP Manager Service shutdown
BG Service down
DPE unable to connect to vCloud

VCP manager log shows cert errors:
/var/log/vcp/vcp-manager.log 
2022-04-15 15:31:50,524 [main] ERROR (RestUtil.java:389) - null
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path.
        at sun.security.ssl.Alert.createSSLException(Unknown Source) ~[?:1.8.0_301]
        at sun.security.ssl.TransportContext.fatal(Unknown Source) ~[?:1.8.0_301]

Cause

systemctl restart vcp-manager.service
sleep 30
vcp-cli srv update <srv-service-name from step 8>
vcp-cli bg update <bg service name from step 8>

The certificate on the Cloud expired or was replaced, and the DPE needs the new Cloud certificate imported into its truststore.

Resolution

Prerequisites: Obtain the credentials for the keystore file. The DPE always generates a random keystore password, so use the command below with the customer master password to retrieve it.

vcp-cli credential list -p <master_password>
Example output:
# vcp-cli  credential list -p Changeme_1
getting credentials...
Success

credential:
   component: truststore
   url: /etc/vcp/truststore
   username:
   password: ZM1VnGwRZCLFrrNS

Step 1
Check the truststore for the current Cloud certificate. Look at the dates to see whether it has expired, and at the SHA1 fingerprint to see whether it matches the certificate currently applied to the vCloud.
 # vcp-cli certificate show-trust -a cloud 

Example output showing that the old vCloud certificate is currently loaded in the truststore using alias cloud 
Alias name: cloud
Creation date: Sep 8, 2021
Entry type: trustedCertEntry

[..]
Valid from: Wed Mar 24 09:32:46 EDT 2021 until: Sat Apr 23 09:32:45 EDT 2022
Certificate fingerprints:
MD5:  B0:E2:12:5D:46:4D:DC:09:FB:2C:EF:94:7D:29:EB:DF
SHA1: C4:0A:BE:56:D5:25:A1:49:00:94:9E:9D:46:FD:6F:64:1D:59:A7:E8
SHA256: 40:67:86:D2:EE:58:72:24:E0:52:88:33:4E:C8:9E:44:9E:B0:24:EE:65:2E:AD:5C:D3:40:97:44:AD:04:48:3B
Take note of the SHA1 fingerprint and dates:
In this example the fingerprint is: C4:0A:BE:56:D5:25:A1:49:00:94:9E:9D:46:FD:6F:64:1D:59:A7:E8
In this example the certificate is valid until:  Sat Apr 23 09:32:45 EDT 2022

Step 2
Use the keytool command to make a TLS connection to the Cloud and get the SHA1 fingerprint
# keytool  -printcert -sslserver <cloud director hostname or ip>:443 -rfc | openssl x509 -noout -fingerprint -dates
Example output
SHA1 Fingerprint=94:2F:74:56:9C:19:61:2D:7E:24:60:4A:8A:2F:89:D7:31:34:19:A4
notBefore=Dec 29 18:59:49 2021 GMT
notAfter=Dec 29 18:59:49 2022 GMT
If the fingerprints do not match or the dates do not match, you need to update the cloud certificate on the DPE.

Step 3
Make a copy of the truststore
cp -p /etc/vcp/truststore /etc/vcp/truststore-`date -I`.bkp

Step 4
To replace the certificate in the truststore on the DPE, first delete the old cert
keytool -delete -alias cloud -keystore /etc/vcp/truststore -storepass <keystore_passphrase>

Step 5
Download the current vCloud cert to a new file: new_cloud_cert.crt
keytool -printcert -rfc -sslserver <Cloud_hostname>:443 > new_cloud_cert.crt

Step 6
Import the certificate file to the truststore
keytool -import -file new_cloud_cert.crt -alias cloud -keystore /etc/vcp/truststore -storepass <keystore_passphrase>

Step 7
Repeat the command from Step 1 to confirm the new cert is installed
 # vcp-cli certificate show-trust -a cloud 

Example output
Alias name: cloud 
Creation date: Jul 27, 2022
Entry type: trustedCertEntry

Owner: CN=vcd.example.lab
Issuer: CN=vcd.example.lab
Serial number: 7e29bef2a5652b7a
Valid from: Wed Dec 29 13:59:49 EST 2021 until: Thu Dec 29 13:59:49 EST 2022
Certificate fingerprints:
         MD5:  8A:5A:D1:09:AE:C8:D9:94:B6:B9:D3:A5:E9:BD:AA:07
         SHA1: 94:2F:74:56:9C:19:61:2D:7E:24:60:4A:8A:2F:89:D7:31:34:19:A4
         SHA256: 38:88:0F:5F:C1:8C:BB:F0:D9:64:40:72:D9:59:35:5E:2B:72:BB:50:2F:88:3B:B0:8D:4C:D5:16:56:35:19:E2
Note:
The creation date should be today's date, and the SHA1 fingerprint and certificate dates should be updated.

Step 8 
Get the node status to grab the service names for BG and srv 
vcp-cli node status
Step 9 
Restart the services 
systemctl restart vcp-manager.service
sleep 30
vcp-cli srv stop <srv-service-name> -p <master password>
vcp-cli srv start <srv-service-name> -p <master password>
vcp-cli bg stop <bg service name>  -p <master password>
vcp-cli bg start <bg service name> -p <master password>

Step 10
Check the statuses
vcp-cli srv status
vcp-cli bg status
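
The fingerprint comparison from Steps 1 and 2 as a script, shown here as an added example that is not Dell's code. Because Step 5 imports whatever certificate the endpoint presents, the script also compares the served fingerprint with one confirmed by the Cloud Director administrator through a separate channel; that third input and the function names are assumptions, not part of the article.

```shell
#!/bin/sh
# Added example, not Dell's code. Function names are hypothetical.

# Print the first colon-separated SHA1 value (20 bytes, 59 characters) that
# follows the label regex in $1; stdin is the command output to parse.
sha1_after() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*\([0-9A-Fa-f:]\{59\}\).*/\1/p" |
        head -n 1 | tr 'a-f' 'A-F'
}
truststore_sha1() { sha1_after 'SHA1:'; }                      # Step 1 format
served_sha1()     { sha1_after '[Ss][Hh][Aa]1 Fingerprint='; } # Step 2 format

# cert_decision <Step 1 output> <Step 2 output> <fingerprint confirmed out of band>
#   CURRENT  truststore already holds the certificate the server presents
#   IMPORT   server certificate differs and equals the confirmed fingerprint
#   STOP     unparsable output, or the server presents an unconfirmed certificate
cert_decision() {
    trusted=$(printf '%s\n' "$1" | truststore_sha1)
    served=$(printf '%s\n' "$2" | served_sha1)
    expected=$(printf '%s' "$3" | tr 'a-f' 'A-F')
    if [ -z "$served" ]; then echo STOP
    elif [ "$trusted" = "$served" ]; then echo CURRENT
    elif [ "$served" = "$expected" ]; then echo IMPORT
    else echo STOP
    fi
}

# Sample inputs copied from the article's Step 1 and Step 2 example output.
SAMPLE_TRUST='Alias name: cloud
Valid from: Wed Mar 24 09:32:46 EDT 2021 until: Sat Apr 23 09:32:45 EDT 2022
Certificate fingerprints:
SHA1: C4:0A:BE:56:D5:25:A1:49:00:94:9E:9D:46:FD:6F:64:1D:59:A7:E8'
SAMPLE_SERVED='SHA1 Fingerprint=94:2F:74:56:9C:19:61:2D:7E:24:60:4A:8A:2F:89:D7:31:34:19:A4
notBefore=Dec 29 18:59:49 2021 GMT
notAfter=Dec 29 18:59:49 2022 GMT'

# Live use on the DPE, with the commands from Steps 1 and 2:
#   cert_decision "$(vcp-cli certificate show-trust -a cloud)" \
#     "$(keytool -printcert -sslserver <cloud director hostname or ip>:443 -rfc |
#        openssl x509 -noout -fingerprint -dates)" \
#     "<fingerprint confirmed by the Cloud Director administrator>"
cert_decision "$SAMPLE_TRUST" "$SAMPLE_SERVED" \
    "94:2F:74:56:9C:19:61:2D:7E:24:60:4A:8A:2F:89:D7:31:34:19:A4"  # prints IMPORT
```

Continue with Steps 3 to 6 only on IMPORT; on STOP, resolve the discrepancy before changing the truststore.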

Affected Products

Avamar
Article Properties
Article Number: 000198597
Article Type: Solution
Last Modified: 08 Jan 2026
Version:  8