Symptoms
In the Avamar AUI > Administration > System > VMware Plugin menu, the VMware plugin is shown as registered, and the version matches the Avamar server version.
However, in vSphere Client, the Avamar plugin does not appear in the Home > Menu screen.
In the vSphere Client Administration menu > Solutions > Client Plug-Ins, the deployment is shown as failed, and the failure is caused by a Java security exception:
Error downloading plug-in. Make sure that the URL is reachable and the registered thumbprint is correct. sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
Cause
On vCenter server, the vSphere client HTML5 logs show the following message:
"Server certificate chain is not trusted and thumbprint doesn't match."
/var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log:
[2021-03-22T18:39:59.381Z] [INFO ] vc-extensionmanager-pool-207 70000151 100020 200002 com.vmware.vise.vim.extension.VcExtensionManager Downloading plugin package from https://ave194.example.lab/mc/lib/aui.zip (no proxy defined)
[2021-03-22T18:39:59.403Z] [ERROR] vc-extensionmanager-pool-207 70000151 100020 200002 com.vmware.vise.vim.extension.PluginStatusTaskManager DOWNLOAD_FAILED: Error downloading plugin package com.dell.emc.avamar:19.4.116 from https://ave194.example.lab/mc/lib/aui.zip. Reason: Download error. Make sure that the URL is reachable and the thumbprint is correct. javax.net.ssl.SSLHandshakeException: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint doesn't match
This error indicates that the download of the "aui.zip" package from avamar.example.lab was aborted because of a certificate thumbprint mismatch.
The vSphere Client software on vCenter will NOT download a client package if the remote Avamar server certificate does not match the registered plugin's remote certificate thumbprint/fingerprint.
1. To view the registered vCenter extension list and settings, log in to the vCenter managed object browser page from a web browser (administrator username and password are required):
https://vcenter.example.com/mob/?moid=ExtensionManager&doPath=extensionList
2. Search this page for the Dell EMC Avamar Plugin and review the "server" section of this extension. It should look like this example:
NAME | TYPE | VALUE
server | ExtensionServerInfo[] | (nested entries below)
  company | string | "Dell EMC"
  description | Description | (nested entries below)
    label | string | "aui"
    summary | string | "Dell EMC Avamar Plugin"
  serverThumbprint | string | "40:79:74:0E:5E:A8:75:F0:9B:1E:59:70:4A:DA:27:A1:E5:9E:61:68"
  type | string | "HTTP"
  url | string | "https://ave194.example.lab/mc/lib/aui.zip"
3. To compare the "serverThumbprint" with the current Avamar server setting, run the following command in an SSH session on the vCenter server. This command makes an HTTPS connection to Avamar and obtains the SSL fingerprint.
root@vc6-avamar [ ~ ]# keytool -printcert -sslserver ave194.example.lab:443 -rfc | openssl x509 -fingerprint -noout
SHA1 Fingerprint=65:E2:B0:FD:2C:F4:6C:B5:C8:57:08:D0:B9:A6:61:EE:4D:84:48:6E
In this example, the fingerprint 40:79:74:0E:5E:A8:75:F0:9B:1E:59:70:4A:DA:27:A1:E5:9E:61:68 does NOT match 65:E2:B0:FD:2C:F4:6C:B5:C8:57:08:D0:B9:A6:61:EE:4D:84:48:6E.
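The comparison in steps 2 and 3 can be scripted so that quoting, colons, letter case and the "SHA1 Fingerprint=" prefix do not cause a false mismatch. This is an added example, not part of the original article or of Dell or VMware tooling; the function names are hypothetical and it assumes openssl is available on the host where it runs.

```bash
#!/bin/bash
# Added example: compare a registered serverThumbprint with the live SHA-1 fingerprint.
# Function names are hypothetical; only standard openssl/sed/tr are used.

# Reduce any fingerprint spelling to 40 upper-case hex digits:
# strips a "SHA1 Fingerprint=" prefix, MOB quotes, colons and whitespace.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' | tr -d '": \t\r\n' | tr 'a-f' 'A-F'
}

# True only for exactly 40 hex digits (a SHA-1 digest).
is_sha1_fp() {
    case "$1" in *[!0-9A-F]*) return 1 ;; esac
    [ "${#1}" -eq 40 ]
}

# Fetch the fingerprint the server presents right now (needs network access).
live_fp() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1
}

# Prints MATCH (status 0), MISMATCH (1) or INVALID (2, e.g. empty handshake output).
compare_thumbprints() {
    fp_registered=$(normalize_fp "$1")
    fp_live=$(normalize_fp "$2")
    if ! is_sha1_fp "$fp_registered" || ! is_sha1_fp "$fp_live"; then
        echo "INVALID"; return 2
    fi
    if [ "$fp_registered" = "$fp_live" ]; then
        echo "MATCH"; return 0
    fi
    echo "MISMATCH"; return 1
}

# Usage: ./check_thumbprint.sh '<serverThumbprint from the MOB>' ave194.example.lab
if [ "$#" -eq 2 ]; then
    compare_thumbprints "$1" "$(live_fp "$2")"
fi
```

The same comparison is useful before Solution #2 below, because wget --no-check-certificate does not validate the Avamar certificate during the download.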
Resolution
Solution #1 (Re-register extension)
1. In the Avamar AUI > Administration > System > VMware Plugin menu, select the vCenter and choose the action unregister.
2. Check the vCenter managed object browser to confirm that the "com.dell.emc.avamar" extension is now gone.
https://vcenter.example.com/mob/?moid=ExtensionManager&doPath=extensionList
If it is still present, go to the following page, enter the key com.dell.emc.avamar, and click "Invoke method".
https://vcenter.example.lab/mob/?moid=ExtensionManager&method=unregisterExtension
3. In the Avamar AUI > Administration > System > VMware Plugin menu, select the vCenter and choose the action register.
4. Check the vCenter managed object browser to confirm that the "com.dell.emc.avamar" extension serverThumbprint is NOW re-added.
https://vcenter.example.com/mob/?moid=ExtensionManager&doPath=extensionList
5. Log out and log back in to check whether the plugin is NOW installed.
NOTE: If the serverThumbprint is still incorrect after this, it could indicate a NAT router between vCenter and Avamar or a problem with the Avamar software.
Contact Dell EMC support and reference KB 000184447 if no NAT is present or if the issue requires further investigation.
OR
Solution #2 (Manually install the plugin; requires root access to vCenter)
1. SSH into the vCenter server and run the following commands to download aui.zip and place it in the appropriate vCenter server location with the correct permissions.
cd /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity/
mkdir com.dell.emc.avamar-19.4.116
cd com.dell.emc.avamar-19.4.116
wget --no-check-certificate https://ave194.example.lab/mc/lib/aui.zip
unzip aui.zip
chown -R vsphere-ui:users ../com.dell.emc.avamar-19.4.116
NOTE: Replace "19.4.116" with the current plugin version and "ave194.example.lab" with the Avamar server name.
2. Log out and log back in to check whether the plugin is NOW installed.
3. After clicking "Refresh Browser", the plugin is visible on the Home menu.
Affected Products
Avamar
Products
Avamar Client for VMware