NVP-vProxy: Unable to install vCenter plug-in after replacing NetWorker certificate

Summary: After replacing the NetWorker certificate, vCenter plug-in installation fails due to certificate mismatch.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

The NetWorker VMware Protection integration is configured with the vProxy Appliance. Installation of the vCenter server plug-in is required to enable backup and recovery from the vCenter side.
When installing the plug-in, NetWorker reports the installation was successful, but vCenter reports a failure in deployment along with the following error in vsphere_client_virgo.log:

[YYYY-MM-DDTHH:MM:SSZ] [ERROR] -async-task-executor-pool-91  com.vmware.vise.extensionfw.plugins.impl.PluginStatusServiceImpl  DOWNLOAD_FAILED: Error downloading plugin package com.dell.emc.nw:19.4.0.95 from https://<NW-server>:9090/vcui/plugin.json. Reason: Download error. Make sure that the URL is reachable and the thumbprint is correct. com.vmware.vise.plugin.download.PluginDownloadException: javax.net.ssl.SSLHandshakeException: Server certificate chain is not trusted and thumbprint doesn't match
[YYYY-MM-DDTHH:MM:SSZ] [ERROR] -async-task-executor-pool-91  com.vmware.vise.vim.extension.VcExtensionManager                  Downloading plugin package: 'com.dell.emc.nw:19.4.0.95' registered in vCenter: '<vCenter server name>' has failed. java.util.concurrent.CompletionException: com.vmware.vise.plugin.download.PluginDownloadException: javax.net.ssl.SSLHandshakeException: Server certificate chain is not trusted and thumbprint doesn't match


The issue was observed for multiple environments where the NetWorker certificates were replaced post-installation with CA-certificates, for example:

Cause

The NetWorker Server is configured with a certificate authority (CA) signed certificate. The vCenter server is using the default self-signed certificate. This creates a trust issue between vCenter and the NetWorker server because vCenter’s recognized certificate thumbprint does not match the NetWorker certificate chain.

Resolution

As a workaround, deploy the Dell EMC NetWorker plug-in using vSphere Client Software Development Kit (SDK) CLI or register manually in vCenter MOB, updating the serverThumbprint record. A VMware Administrator must perform the actions outlined in this KB.

Before applying any workaround, confirm that no plug-in extensions from previous installations exist and uninstall them if found, following the steps below:

  1. On the vCenter server appliance, stop the vSphere services using the command:
service-control --stop vsphere-ui
  1. Log in to the vCenter server’s MOB through browser: https://vCenter server name/mob/?moid=ExtensionManager
  2. Unregister the following extensions:
    • com.dell.emc.nw
    • com.emc.networker.backup
    • com.emc.networker.recover
  3. On the vCenter server appliance:
    • Go to the following path: /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/
    • Remove any com.dell.emc.nw-xx.x.x.xx directories if found:
rm -drv <directory name>
  1. Start the vSphere services:
service-control --start vsphere-ui
  1. Delete the browser history and relaunch the browser. Log in to vCenter and confirm that the plug-in is not listed in the UI.

Work around A - Plugin registration using vSphere Client SDK:

  1. Download the vSphere client SDK corresponding to the vCenter server version from the VMware website. You can keep the SDK in any Linux/Windows host which has the connectivity to NetWorker and vCenter server.
VMware vSphere Client SDK 8.0: vSphere Client SDK - 8.0  This hyperlink is taking you to a website outside of Dell Technologies.
NOTE: See the Broadcom Developer Portal This hyperlink is taking you to a website outside of Dell Technologies. for other VMware version SDK downloads.
  1. Extract the SDK package and go to path: html-client-sdk/vCenter plug-in registration/prebuilt/
  • This path contains extension-registration.sh and extension-registration.bat that can be run remotely on the host where the SDK is downloaded depending on the operating system.
  1.  Run the following command on vCenter server appliance/Linux NetWorker server and take a note of the generated NetWorker server certificate thumbprint:
keytool -printcert -sslserver <NetWorker Server IP/FQDN>:9090 -rfc | openssl x509 -fingerprint -noout
  1. Run the following command on the vCenter server appliance/Linux NetWorker server and take a note of the generated vCenter server certificate thumbprint:
keytool -printcert -sslserver <vCenter Server IP/FQDN>:443 -rfc | openssl x509 -fingerprint -noout
  1. Run the script using the following syntax, replacing environment specific values.
  • On Windows:
extension-registration.bat -action registerPlugin -remote -url https://vCenter-server-name-or-IP/sdk -username administrator@vsphere.local -password vCenter-password -key com.dell.emc.nw -version NetWorker-Version-see-below-note -pluginUrl https://NW-server-name-o-IP:9090/vcui/plugin.json -serverThumbprint NetWorker-thumbprint-from-step-3 -vct vCenter-thumbprint-from-step-4 -c "Dell EMC" -n "NW Data Protection" -s "VCUI - vSphere Data Protection NetWorker"
  • On Linux:
  • Make the extension-registration.sh executable by running the command:
chmod +x extension-registration.sh
  • Run the script:
./extension-registration.sh -action registerPlugin -remote -url https://vCenter-server-name-or-IP/sdk -username administrator@vsphere.local -password vCenter-password -key com.dell.emc.nw -version NetWorker-Version-see-below-note -pluginUrl https://NW-server-name-o-IP:9090/vcui/plugin.json -serverThumbprint NetWorker-thumbprint-from-step-3 -vct vCenter-thumbprint-from-step-4 -c "Dell EMC" -n "NW Data Protection" -s "VCUI - vSphere Data Protection NetWorker"
NOTE: The version formatting is as follows major.branch.build. For example, if the NetWorker server version is 19.12.0.2.build.57, specify 19.12.0.57.
  1. Logout and log in to the vSphere web interface.
  2. Go to Plugin and enter NetWorker NMC credentials and login to perform backup and restore using the VCUI plug-in. Once you initiate backups or restores, the com.emc.networker.backup, and com.emc.networker.recover extensions should be populated in vCenter MOB.

Workaround B - Manual extension registration from MOB:

  1. Obtain the NetWorker certificate thumbprint using the following command on VCSA:
keytool -printcert -sslserver <NetWorker Server IP/FQDN>:9090 -rfc | openssl x509 -fingerprint -noout
  1. Log in to the MOB extension manager: https://vCenter server name/mob/?moid=ExtensionManager
  2. Select Register Extension.
  3. Use the attached com.dell.emc.nw extension configuration file as the extension value.
    • NOTE: You must modify the following parameters/tag values in com.dell.emc.nw extension value to reflect your environment configuration:
      • Version -- your current NW version and build number, for example: If using NetWorker 19.12.0.2.build.57, the version should be 19.12.0.57.
      • URL -- https://NW server name or IP:9090/vcui/plugin.json
      • serverThumbprint -- from step 1
      • lastHeartbeatTime -- current date and time in the format YYYY-MM-DDTHH:MM:SSZ
  4. Check the status of deployment on the vCenter server’s "Client Plug-in" tab and recent tasks. 
  5. Logout and log in to the vSphere web interface.

Affected Products

NetWorker

Products

NetWorker Family
Article Properties
Article Number: 000201969
Article Type: Solution
Last Modified: 03 Dec 2025
Version:  3
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.