
Article Number: 000170753


Avamar: How to replace Apache Web Server SHA-1 signed SSL certificate

Article Content


Symptoms



When attempting to connect to the NetWorker Virtual Edition (NVE), Avamar server, or Avamar Extended Retention (AER) node using a web browser, the browser reports a network connectivity error and refuses to connect even though the Apache Web Server on the NVE, Avamar server, or AER node is operating normally.

Cause

Support for SSL certificates signed using SHA-1 has been terminated by the major web browser vendors, effective January 1, 2017. Certain default NVE, Avamar, and AER certificates are signed using SHA-1.

Resolution

  1. Log in to the Avamar utility node or single node server as the admin user, then run the following command to switch to root:
su -

Note: The trailing - is important!
  2. Change to the Apache configuration directory:
cd /etc/apache2
  3. Confirm that the current certificate is signed using SHA-1:
openssl x509 -in ssl.crt/server.crt -text -noout | grep "Signature"

Sample output:
root@avamar:/etc/apache2/#: openssl x509 -in ssl.crt/server.crt -text -noout | grep "Signature"
        Signature Algorithm: sha1WithRSAEncryption
    Signature Algorithm: sha1WithRSAEncryption


Note: If the signature algorithm is not reported as SHA-1, do not continue with this procedure.
  4. Back up the existing certificate:
cp ssl.crt/server.crt ssl.crt/server.crt.bak.`date -I`
  5. Generate a "certificate signing request" from the existing certificate:
openssl x509 -in ssl.crt/server.crt -signkey ssl.key/server.key -x509toreq -out ssl.csr/server.csr

Sample output:
root@avamar:/etc/apache2/#: openssl x509 -in ssl.crt/server.crt -signkey ssl.key/server.key -x509toreq -out ssl.csr/server.csr
Getting request Private Key
Generating certificate request
  6. Check whether the certificate is self-signed or signed by a Certificate Authority (CA signed):
[ `openssl x509 -in ssl.crt/server.crt -text -noout | grep "Subject: \|Issuer: " | sed 's/.*:\(.*\)/\1/' | uniq | wc -l` -eq "1" ] && echo "Self-signed" || echo "CA Signed"

Note: This command should be entered on a single line. All punctuation is important. It is recommended to copy and paste.

Sample output for a CA-signed certificate:
root@avamar:/etc/apache2/#: [ `openssl x509 -in ssl.crt/server.crt -text -noout | grep "Subject: \|Issuer: " | sed 's/.*:\(.*\)/\1/' | uniq | wc -l` -eq "1" ] && echo "Self-signed" || echo "CA Signed"
CA Signed


Sample output for a self-signed certificate:
root@avamar:/etc/apache2/#: [ `openssl x509 -in ssl.crt/server.crt -text -noout | grep "Subject: \|Issuer: " | sed 's/.*:\(.*\)/\1/' | uniq | wc -l` -eq "1" ] && echo "Self-signed" || echo "CA Signed"
Self-signed
  7. Generate and install the replacement certificate:
    a. For CA Signed certificates:
      1. Provide a copy of the certificate signing request generated in step 5 to the Certificate Authority and request that they generate a replacement certificate using a strong signature algorithm. The certificate signing request is located at /etc/apache2/ssl.csr/server.csr
      2. Place the signed certificate provided by the CA on the Avamar server in /etc/apache2/ssl.crt/server.crt
      3. Skip step 7b and continue the procedure at step 8
Note: If the CA provided updated certificate chain file(s) along with the new certificate, refer to Appendix A for instructions on how to install these.
    b. For self-signed certificates:
      1. Generate and install a replacement certificate:
openssl x509 -sha256 -req -signkey ssl.key/server.key -in ssl.csr/server.csr -out ssl.crt/server.crt -days 1825

Sample output:
root@avamar:/etc/apache2/#: openssl x509 -sha256 -req -signkey ssl.key/server.key -in ssl.csr/server.csr -out ssl.crt/server.crt -days 1825
Signature ok
subject=/C=US/ST=CA/L=Irvine/O=Dell EMC/OU=Avamar/CN=avamar.asl.lab.emc.com
  8. Confirm that the new certificate is signed using SHA-256 or another strong signature algorithm:
openssl x509 -in ssl.crt/server.crt -text -noout | grep "Signature"

Sample output:
root@avamar:/etc/apache2/#: openssl x509 -in ssl.crt/server.crt -text -noout | grep "Signature"
        Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
  9. Restart the Apache Web Server:
website restart

Sample output:
root@avamar:/etc/apache2/#: website restart
===Shutting down website
Shutting down httpd2 (waiting for all children to terminate)                                                                                                                              done
===Starting website
Starting httpd2 (prefork)
   
  10. Procedure complete
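
The signature and self-signed checks from steps 3, 6 and 8 can be scripted together with two checks the article does not include (that the replacement certificate matches ssl.key/server.key and has not expired), which is most useful for a CA-issued certificate before the restart in step 9. This is an added example, not Dell EMC's code; the function names are illustrative, and the modulus comparison assumes an RSA key, as the sample output's sha1WithRSAEncryption indicates.

```shell
#!/bin/bash
# Added example, not part of the Dell EMC article. Function names are
# illustrative; certificate and key paths are passed as arguments.

# First "Signature Algorithm" value, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeeds for signature algorithms built on SHA-1 or MD5.
is_weak_sig() {
    case "$1" in
        sha1*|md5*|ecdsa-with-SHA1|dsaWithSHA1) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when subject and issuer names hash alike (step 6's comparison).
is_self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Succeeds when the certificate and private key share one RSA modulus.
key_matches() {
    local c k
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Runs every check, prints one line per result, fails if any check fails.
check_replacement() {
    local cert=$1 key=$2 rc=0 alg
    alg=$(sig_alg "$cert")
    if [ -z "$alg" ] || is_weak_sig "$alg"
    then echo "FAIL signature algorithm: ${alg:-unreadable}"; rc=1
    else echo "ok   signature algorithm: $alg"; fi
    if key_matches "$cert" "$key"; then echo "ok   certificate matches key"
    else echo "FAIL certificate does not match key"; rc=1; fi
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1
    then echo "ok   not expired"; else echo "FAIL expired or unreadable"; rc=1; fi
    is_self_issued "$cert" && echo "info self-signed" || echo "info CA signed"
    return $rc
}

# Run as: ./check_cert.sh ssl.crt/server.crt ssl.key/server.key
if [ "$#" -eq 2 ]; then check_replacement "$1" "$2"; fi
```

A non-zero exit status means at least one FAIL line was printed and the certificate should be corrected before Apache is restarted.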

Additional Information

Appendix A - Installing updated certificate chain file(s)
  1. Create a copy of the existing certificate chain:
cp /etc/apache2/ssl.crt/ca.crt /etc/apache2/ssl.crt/ca.crt.bak.`date -I`
  2. Install updated certificate chain file(s):
    a. If the CA has provided separate intermediate certificates, combine them into a single chain file:
cat cert1 cert2 cert3 cert4 > /etc/apache2/ssl.crt/ca.crt
    b. Otherwise, place the single chain file provided by the CA on the Avamar server in /etc/apache2/ssl.crt/ca.crt

Article Properties


Affected Product

Avamar

Product

Avamar

Last Published Date

20 Nov 2020

Version

2

Article Type

Solution