Data Domain: Web UI Inaccessible Due to Expired https Certificate
Summary: When the https or "ca trusted-ca" certificate expires on a Data Domain, it causes issues when trying to access the web UI. Generating a new certificate resolves the issue.
Symptoms
- The following 404 HTTP errors or other Apache web service errors may be seen when the certificate expires:

- Other errors may be seen such as resource unavailable.
- In general, the UI is inaccessible.
- The issue also presents as a user login failure on the UI.

Cause
When the HTTPS or CA certificate expires on a Data Domain (DD), it causes issues with the Apache web server. It brings the UI down and makes it inaccessible.
Resolution
If the Data Domain is in an Integrated Data Protection Appliance or Cyber Recovery vault configuration, consider how those systems monitor the Data Domain using certificates. Support may be required when a certificate expires and then a new certificate is added.
This is not a concern for Data Domains in a DLm solution as the DLm does not require or use HTTP or HTTPS access to communicate with the Data Domain. Certificate updates on the Data Domain may be performed without interruption of the DLm tape mount processing.
- Check if the HTTPS, CA, or both certificates are expired:
sysadmin@DD6400# adminaccess certificate show
Subject                                              Type            Application   Valid From                 Valid Until                Fingerprint
--------------------------------------------------   -------------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
DD6400.ddsupport                                     host            https         Thu Sep 11 22:30:27 2025   Sun Oct 11 22:30:27 2026   30:89:8A:9D:BD:67:75:DC:D8:98:84:C6:CD:8F:9F:21:34:24:1B:87
DD6400.ddsupport                                     ca              trusted-ca    Tue Oct 08 07:42:22 2024   Mon Oct 07 07:42:22 2030   81:5B:70:A8:36:02:02:FD:55:13:DA:7C:38:BC:FF:1B:EA:92:3E:96
The HTTPS host certificate is valid for 1 year, and the CA certificate is valid for 6 years.
- If they are not expired, the UI may be down due to the issues below:
  - If the certificate is old enough, it will not meet the new certificate security standards and the user interface will not come up. A new certificate must be generated as in the following steps.
- If the CA certificate is expired, check the trusts which are established:
sysadmin@DD6400# adminaccess trust show
Subject                   Type         Valid From                 Valid Until                Fingerprint
-----------------------   ----------   ------------------------   ------------------------   -----------------------------------------------------------
DD6400.ddsupport          trusted-ca   Tue Oct 08 07:42:22 2024   Mon Oct 07 07:42:22 2030   81:5B:70:A8:36:02:02:FD:55:13:DA:7C:38:BC:FF:1B:EA:92:3E:96
DDMCLAB-2.201             trusted-ca   Mon Jul 08 03:02:34 2024   Sun Jul 07 03:02:34 2030   E8:C1:79:5B:B4:2A:02:3A:55:4A:9A:52:AB:FC:D2:01:E7:7A:6C:CA
CorkDDMC.localdomain      trusted-ca   Tue Aug 06 04:29:41 2024   Mon Aug 05 04:29:41 2030   4B:29:2B:D3:DB:3E:62:16:98:D1:6C:36:4C:DF:2F:94:3C:A1:A8:27
DD6900-2.ddsupport.emea   trusted-ca   Sat Feb 03 20:49:25 2024   Fri Feb 01 20:49:25 2030   DC:95:CC:4A:F4:AC:58:58:5E:19:2D:05:F3:99:D9:86:14:32:7F:88
DD9900-HA-P0.ddsupport    trusted-ca   Sat Oct 05 05:08:35 2024   Fri Oct 04 05:08:35 2030   38:FD:E8:B6:C6:2F:30:42:17:93:73:F5:AE:25:3D:53:3E:F5:5C:C4
-----------------------   ----------   ------------------------   ------------------------   -----------------------------------------------------------
The certificate for the current Data Domain (by its hostname) and certificates of other Data Domains or PowerProtect DD Management Center are seen.
If those trusts must be reestablished, the user requires the sysadmin passwords for any Data Domains or Data Domain Management Centers in the trust pair to reestablish them after generating a new CA certificate. Some trusts might be stale from old replication contexts and do not need to be added back.
- Check if the HTTPS certificate is a self-signed certificate or if the user signs it with a Certificate Authority (CA):
# adminaccess certificate show imported-host application https
If this command returns anything, the user signs the certificate externally with a CA. Otherwise, if there is no imported host certificate, the certificate is self-signed.
Even if the imported certificate is valid and not expired, if the self-signed certificate is expired, it must be renewed as in the next steps. A self-signed host certificate is also used internally for the DD UI to communicate with the SMS service.
- If the HTTPS certificate is signed externally, generate a new Certificate Signing Request (CSR). The user passes this to their CA for signing and imports the signed certificate back into the Data Domain. Follow the article Data Domain: How to Generate a Certificate Signing Request and Use Externally Signed Certificates.
DDOS supports one host certificate for HTTPS. If the system is using a host certificate (including a self-signed one) and the user wants to use a different host certificate, delete the current certificate before adding the new certificate.
  - Log out from the browser session before deleting an HTTPS host certificate.
  - Run the CLI command to delete the certificate:
    adminaccess certificate delete imported-host application https
- If the CA certificate is expired and this is an HA system, support must be engaged to fix the certificates. Otherwise, regenerate a new HTTPS and CA certificate with this command:
# adminaccess certificate generate self-signed-cert regenerate-ca
Notice that after the generation, the valid starting date for the HTTPS certificate is one month in the past and for the CA certificate is one year in the past. This is by design.
Then go to step 8 to restart UI services.
- If the certificate is self-signed, only the HTTPS certificate is expired, and this is an HA system, follow this article: Data Domain: HA System Running in Degraded State, Self-signed Host Certificate is Expired. Otherwise, regenerate a new HTTPS certificate with:
# adminaccess certificate generate self-signed-cert
Notice that after the generation, the valid starting date for the HTTPS certificate is one month in the past and it will be valid for 1 year which is by design.
- If the CA certificate was regenerated, a user must reestablish any trust required. The PowerProtect DD Management Center requires trust for monitoring and when replication is configured using the UI. If so, a user must establish a trust for that to work.
- For any Data Domains or Data Domain Management Centers that need trust, run these commands to delete the old trust and then reestablish trust using the new certificate on the current Data Domain. (This asks for the sysadmin password on the other Data Domains or Data Domain Management Centers.) Ensure that the user has the sysadmin password for all of these Data Domains or Data Domain Management Centers, or delete the trust for any Data Domains or Data Domain Management Centers that are decommissioned without adding them back.
Use the command without the type mutual when doing this.
# adminaccess trust del host <hostname of other DD/DDMC> type mutual
# adminaccess trust add host <hostname of other DD/DDMC> type mutual
Run del and add for ALL the other Data Domains or Data Domain Management Centers in turn.
# adminaccess trust del host sc-dd2500-2.lss.emc.com type mutual
# adminaccess trust add host sc-dd2500-2.lss.emc.com type mutual
# adminaccess trust del host dd690.dssupport.emea
- Once the trust is reestablished if needed, restart the UI services:
HTTP is disabled by default. It does not need enabling if it is not used.
(This can be verified using the "adminaccess show" command - example below.)
HTTPS is the preferred and secure method for accessing the UI.
# adminaccess show
Service       Enabled   Allowed Hosts
-----------   -------   -------------
ssh           yes       -
scp           yes       (same as ssh)
telnet        no        -
ftp           no        -
ftps          no        -
http          no        -
https         yes       -
web-service   yes       N/A
-----------   -------   -------------
This output shows that HTTP is disabled, and HTTPS enabled.
# adminaccess disable https
# adminaccess enable https

# adminaccess disable http
# adminaccess disable https
# adminaccess enable https
# adminaccess enable http
- The user interface should now be accessible.
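The expiry check in the first step and the choice between the two regenerate commands, as an added example (not Dell's code): a parser for saved "adminaccess certificate show" output that returns the step this article prescribes. The sample output, host name, fingerprints, the ha_system flag and the 30-day warn_days threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

DATE = r"\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}"
ROW = re.compile(
    rf"^(?P<subject>\S+)\s+(?P<type>\S+)\s+(?P<app>\S+)\s+"
    rf"(?P<start>{DATE})\s+(?P<end>{DATE})\s+(?P<fp>(?:[0-9A-F]{{2}}:){{19}}[0-9A-F]{{2}})\s*$"
)

# Constructed sample in the column layout of "adminaccess certificate show".
SAMPLE = """\
sysadmin@dd-lab# adminaccess certificate show
Subject          Type   Application   Valid From                 Valid Until                Fingerprint
--------------   ----   -----------   ------------------------   ------------------------   -----------
dd-lab.example   host   https         Wed Sep 11 22:30:27 2024   Sat Oct 11 22:30:27 2025   00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
dd-lab.example   ca     trusted-ca    Tue Oct 08 07:42:22 2024   Mon Oct 07 07:42:22 2030   AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
"""

def parse_cert_show(text):
    """Return one dict per certificate row; prompt, header and rule lines are skipped."""
    certs = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            for key in ("start", "end"):
                row[key] = datetime.strptime(row[key], "%a %b %d %H:%M:%S %Y")
            certs.append(row)
    return certs

def next_step(certs, now, ha_system=False, warn_days=30):
    """Map expiry state to the step the article gives; 'host' is the self-signed HTTPS row."""
    expired = {c["type"] for c in certs if c["end"] <= now}
    if "ca" in expired:  # CA expiry also forces trusts to be reestablished afterwards
        return ("engage support" if ha_system else
                "adminaccess certificate generate self-signed-cert regenerate-ca")
    if "host" in expired:
        return ("follow the HA degraded-state article" if ha_system else
                "adminaccess certificate generate self-signed-cert")
    soon = [c["subject"] + "/" + c["app"] for c in certs
            if c["end"] - now <= timedelta(days=warn_days)]
    return "renew soon: " + ", ".join(soon) if soon else "no certificate action"
```

Run it against output captured over SSH on a schedule so that an approaching expiry is seen before the UI goes down.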