...
When attempting to connect to the NetWorker Virtual Edition (NVE), Avamar server, or Avamar Extended Retention (AER) node using a web browser, the browser reports a network connectivity error and refuses to connect even though the Apache Web Server on the NVE, Avamar server, or AER node is operating normally.
Support for SSL certificates signed using SHA-1 has been terminated by the major web browser vendors, effective January 1, 2017. Certain default NVE, Avamar, and AER certificates are signed using SHA-1.
1. Log into the Avamar utility node or single node server as the admin user, then run the following command to switch to root:

       su -

   Note: The trailing - is important!

2. Change directories into the Apache configuration directory:

       cd /etc/apache2

3. Confirm that the current certificate is signed using SHA-1:

       openssl x509 -in ssl.crt/server.crt -text -noout | grep "Signature"

   Sample output:

       root@avamar:/etc/apache2/#: openssl x509 -in ssl.crt/server.crt -text -noout | grep "Signature"
           Signature Algorithm: sha1WithRSAEncryption
           Signature Algorithm: sha1WithRSAEncryption

   Note: If the signature algorithm is not reported as SHA-1, do not continue with this procedure.

4. Back up the existing certificate:

       cp ssl.crt/server.crt ssl.crt/server.crt.bak.`date -I`

5. Generate a "certificate signing request" from the existing certificate:

       openssl x509 -in ssl.crt/server.crt -signkey ssl.key/server.key -x509toreq -out ssl.csr/server.csr

   Sample output:

       root@avamar:/etc/apache2/#: openssl x509 -in ssl.crt/server.crt -signkey ssl.key/server.key -x509toreq -out ssl.csr/server.csr
       Getting request Private Key
       Generating certificate request

6. Check whether the certificate is self-signed or signed by a Certificate Authority (CA signed):

       [ `openssl x509 -in ssl.crt/server.crt -text -noout | grep "Subject: \|Issuer: " | sed 's/.*:\(.*\)/\1/' | uniq | wc -l` -eq "1" ] && echo "Self-signed" || echo "CA Signed"

   Note: This command should be entered on a single line. All punctuation is important. It is recommended to copy and paste.

   Sample output for a CA-signed certificate:

       root@avamar:/etc/apache2/#: [ `openssl x509 -in ssl.crt/server.crt -text -noout | grep "Subject: \|Issuer: " | sed 's/.*:\(.*\)/\1/' | uniq | wc -l` -eq "1" ] && echo "Self-signed" || echo "CA Signed"
       CA Signed

   Sample output for a self-signed certificate:

       root@avamar:/etc/apache2/#: [ `openssl x509 -in ssl.crt/server.crt -text -noout | grep "Subject: \|Issuer: " | sed 's/.*:\(.*\)/\1/' | uniq | wc -l` -eq "1" ] && echo "Self-signed" || echo "CA Signed"
       Self-signed

7. Generate and install the replacement certificate:

   a. For CA Signed certificates:

      - Provide a copy of the certificate signing request generated in step 5 to the Certificate Authority and request that they generate a replacement certificate using a strong signature algorithm. The certificate signing request is located at /etc/apache2/ssl.csr/server.csr
      - Place the signed certificate provided by the CA on the Avamar server in /etc/apache2/ssl.crt/server.crt
      - Skip step 7b and continue the procedure at step 8

      Note: If the CA provided updated certificate chain file(s) along with the new certificate, refer to Appendix A for instructions on how to install these.

   b. For self-signed certificates: Generate and install a replacement certificate:

          openssl x509 -sha256 -req -signkey ssl.key/server.key -in ssl.csr/server.csr -out ssl.crt/server.crt -days 1825

      Sample output:

          root@avamar:/etc/apache2/#: openssl x509 -sha256 -req -signkey ssl.key/server.key -in ssl.csr/server.csr -out ssl.crt/server.crt -days 1825
          Signature ok
          subject=/C=US/ST=CA/L=Irvine/O=Dell EMC/OU=Avamar/CN=avamar.asl.lab.emc.com

8. Confirm that the new certificate is signed using SHA-256 or another strong signature algorithm:

       openssl x509 -in ssl.crt/server.crt -text -noout | grep "Signature"

   Sample output:

       root@avamar:/etc/apache2/#: openssl x509 -in ssl.crt/server.crt -text -noout | grep "Signature"
           Signature Algorithm: sha256WithRSAEncryption
           Signature Algorithm: sha256WithRSAEncryption

9. Restart the Apache Web Server:

       website restart

   Sample output:

       root@avamar:/etc/apache2/#: website restart
       ===Shutting down website
       Shutting down httpd2 (waiting for all children to terminate) done
       ===Starting website
       Starting httpd2 (prefork)

Procedure complete
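
The two checks in the procedure above (is the certificate SHA-1 signed, and is it self-signed or CA signed) can be combined into one pre-flight check; this is an added example, not part of the original article or of Dell EMC's tooling. The function names `field` and `cert_precheck` and the sample certificate text (host `backup.example.test`) are constructed for illustration, and the check compares the full Issuer and Subject DNs.

```shell
#!/bin/sh
# Added example: pre-flight check. Reads `openssl x509 -text -noout` output on stdin.

# Print the first value found for a "Label: value" line ($1 = label).
field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Prints one of:
#   skip <alg>        not SHA-1 signed; do not continue with the procedure
#   sha1 self-signed  continue with the self-signed branch (step 7b)
#   sha1 ca-signed    continue with the CA-signed branch (step 7a)
cert_precheck() {
    text=$(cat)
    alg=$(printf '%s\n' "$text" | field 'Signature Algorithm')
    if [ -z "$alg" ]; then
        echo "error: no Signature Algorithm line in input" >&2
        return 2
    fi
    case "$alg" in
        *[Ss][Hh][Aa]1*) ;;
        *) echo "skip $alg"; return 0 ;;
    esac
    # Compare the complete DNs so a colon inside a DN cannot cause a false match.
    issuer=$(printf '%s\n' "$text" | field Issuer)
    subject=$(printf '%s\n' "$text" | field Subject)
    if [ -n "$subject" ] && [ "$issuer" = "$subject" ]; then
        echo "sha1 self-signed"
    else
        echo "sha1 ca-signed"
    fi
}

# Constructed, abridged sample input (hypothetical host, not a real server).
SAMPLE='Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Example, CN=backup.example.test
        Subject: C=US, O=Example, CN=backup.example.test
        Subject Public Key Info:
    Signature Algorithm: sha1WithRSAEncryption'

# With a file argument, check that certificate; otherwise run the sample.
if [ "$#" -gt 0 ]; then
    openssl x509 -in "$1" -text -noout | cert_precheck
else
    printf '%s\n' "$SAMPLE" | cert_precheck
fi
```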