ONTAP AutoSupport over HTTPS fails certificate validation after certificates are deleted
Applies to
- ONTAP 9.7 and later
- AutoSupport
- HTTPS transport
Issue
- After certain certificates were deleted from the truststore, AutoSupport no longer succeeds:
cluster1::*>system node autosupport check show-details -node * -check-type https-post-destination
Node: cluster1-01
Category: https
Component: https-post-destination
Status: failed
Detail: HTTPS POST connectivity check failed for destination:
https://support.netapp.com/asupprod/post/1.0/postAsup.
Error: Peer certificate can not be authenticated with
given Certificate Authority certificates.
Corrective Action: Certificate issue. Please make sure you have the correct
Root Certificate installed
- Verify that the following certificate is missing:
cluster1::>security certificate show-truststore -common-name AAACertificateServices
There are no entries matching your query.
cluster1::> security certificate show -common-name AAACertificateServices
There are no entries matching your query.
Cause
- The server-CA certificate that ONTAP uses to validate the server certificate presented by the HTTPS support URL support.netapp.com/asupprod/post/1.0/postAsup is missing from the truststore
- The common name of this certificate is AAACertificateServices
- The certificate was deleted in one of two ways:
- The advanced privilege command security certificate truststore clear was run:
cluster1::*>security certificate truststore clear
- The advanced privilege command security certificate delete was run:
cluster1::*>security certificate delete -vserver cluster1 -common-name AAACertificateServices -ca "AAA Certificate Services" -type server-ca -serial 01
- Bug ID 1221636 tracks this issue
Solution
Reload the truststore
- This re-adds the AAACertificateServices root certificate together with all other default root certificates
- Run the security certificate truststore load command at the advanced privilege level:
cluster1::*>security certificate truststore load
Manually add the single certificate used by AutoSupport
- This adds back only the AAACertificateServices root certificate
- The certificate below is the current AAACertificateServices certificate as of this article's publication; reloading the truststore is preferred, since it ensures the current certificates are loaded
- Use the security certificate install command:
cluster1::>security certificate install -type server-ca
Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
You should keep a copy of the CA-signed digital certificate for future reference.
The installed certificate's CA and serial number for reference:
CA: AAA Certificate Services
serial: 01
The certificate's generated name for reference: AAACertificateServices
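The failure above, and both fixes, can be reproduced on a workstation with a throwaway PKI and the openssl CLI. The script below is an added example and is not NetApp or ONTAP code: two made-up root CAs stand in for truststore entries, a made-up "support.example.test" certificate issued by one of them stands in for the certificate support.netapp.com presents, and the truststore is a plain PEM bundle. It shows the chain validating against the full bundle, failing with the root removed (the ONTAP check's "Peer certificate can not be authenticated" condition), and validating again once the root is appended back, which is what truststore load or security certificate install does on the cluster. All file and CA names are assumptions for illustration; it writes into a temporary directory.

```shell
#!/bin/sh
# Added example, not ONTAP code. Requires the openssl CLI (1.1.1 or 3.x).
set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal req config so the result does not depend on the system openssl.cnf.
write_config() {
  cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# new_root COMMON-NAME FILE-PREFIX: a self-signed CA (stand-in for a truststore entry)
new_root() {
  openssl req -x509 -config "$WORKDIR/ca.cnf" -subj "/CN=$1" \
    -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 3650 \
    -keyout "$WORKDIR/$2.key" -out "$WORKDIR/$2.pem" 2>/dev/null
}

# Build two roots, a server cert issued by the "AAA" root, and two truststores:
# one complete, one with the AAA root deleted (constructed test data).
make_pki() {
  write_config
  new_root "Example AAA Root" aaa
  new_root "Example Other Root" other
  openssl req -new -config "$WORKDIR/ca.cnf" -subj "/CN=support.example.test" \
    -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/aaa.pem" \
    -CAkey "$WORKDIR/aaa.key" -CAcreateserial -days 365 \
    -out "$WORKDIR/server.pem" 2>/dev/null
  cat "$WORKDIR/aaa.pem" "$WORKDIR/other.pem" > "$WORKDIR/truststore-full.pem"
  cp "$WORKDIR/other.pem" "$WORKDIR/truststore-after-delete.pem"
}

# truststore_has BUNDLE COMMON-NAME: prints yes/no, the PEM-bundle analogue of
# "security certificate show-truststore -common-name <CN>"
truststore_has() {
  if openssl crl2pkcs7 -nocrl -certfile "$1" \
       | openssl pkcs7 -print_certs -noout | grep -q "CN *= *$2"; then
    echo yes
  else
    echo no
  fi
}

# verify_with BUNDLE: prints ok/fail, the analogue of the https-post-destination check.
# -no-CApath keeps the system CA directory out of the picture.
verify_with() {
  if openssl verify -no-CApath -CAfile "$1" "$WORKDIR/server.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# restore_root BUNDLE: append the AAA root again (what truststore load / install does)
restore_root() {
  cat "$WORKDIR/aaa.pem" >> "$1"
}

make_pki
echo "AAA root in full truststore:        $(truststore_has "$WORKDIR/truststore-full.pem" "Example AAA Root")"
echo "AAA root after delete:              $(truststore_has "$WORKDIR/truststore-after-delete.pem" "Example AAA Root")"
echo "server chain vs full truststore:    $(verify_with "$WORKDIR/truststore-full.pem")"
echo "server chain vs truststore w/o AAA: $(verify_with "$WORKDIR/truststore-after-delete.pem")"
restore_root "$WORKDIR/truststore-after-delete.pem"
echo "server chain after restoring root:  $(verify_with "$WORKDIR/truststore-after-delete.pem")"
```

The same two questions are what to ask on the cluster: does show-truststore list the issuer's common name, and does the https-post-destination check pass? If the first answer is no, reload the truststore rather than loosening validation.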
Additional information
Temporary workaround
- The issue can be worked around by disabling certificate validation
- This configures every controller in the cluster not to validate the server certificate received from support.netapp.com
- This is a temporary fix to restore AutoSupport log delivery until the issue is fully resolved; while validation is disabled the cluster accepts any certificate for support.netapp.com, so set -validate-digital-certificate back to true once the root certificate is restored
- Configure the storage controller to skip server certificate validation:
cluster1::>system node autosupport modify -node <node> -transport https -support enable -validate-digital-certificate false
Documentation
- How does ONTAP send AutoSupport over HTTPS?
- For more about AutoSupport, see TR-4444: ONTAP AutoSupport and AutoSupport On Demand Configuration Guide.