
ONTAP AutoSupport over HTTPS fails validation after certificates are deleted


Applies to

  • ONTAP 9.7 and later
  • AutoSupport
  • HTTPS transport

Issue

  • After certain certificates are deleted from the trust store, AutoSupport no longer succeeds:

cluster1::*>system node autosupport check show-details -node * -check-type https-post-destination

Node: cluster1-01
 
Category: https
      Component: https-post-destination
       Status: failed
       Detail: HTTPS POST connectivity check failed for destination:
https://support.netapp.com/asupprod/post/1.0/postAsup.
           Error: Peer certificate can not be authenticated with
           given Certificate Authority certificates.
  Corrective Action: Certificate issue. Please make sure you have the correct
           Root Certificate installed

  • Verify whether the following certificate is missing:

cluster1::>security certificate show-truststore -common-name AAACertificateServices

There are no entries matching your query.

cluster1::> security certificate show -common-name AAACertificateServices

There are no entries matching your query.
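The check output shown above can be triaged across many nodes with a short parser. This is an added example, not NetApp code; the second node's record in the sample is constructed and the function names are illustrative.

```python
import re

# Sample: first record copied from the output above, second record constructed.
SAMPLE = """\
Node: cluster1-01
Category: https
      Component: https-post-destination
       Status: failed
       Detail: HTTPS POST connectivity check failed for destination:
https://support.netapp.com/asupprod/post/1.0/postAsup.
           Error: Peer certificate can not be authenticated with
           given Certificate Authority certificates.
  Corrective Action: Certificate issue. Please make sure you have the correct
           Root Certificate installed
Node: cluster1-02
Category: https
      Component: https-post-destination
       Status: ok
"""

FIELD = re.compile(
    r"^\s*(Node|Category|Component|Status|Detail|Error|Corrective Action):\s*(.*)$")
CERT_ERR = "Peer certificate can not be authenticated"

def parse_checks(text):
    """Return one dict per Component record, joining wrapped continuation lines."""
    records, node, category, cur, last = [], None, None, None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            if cur is not None and last and line.strip():
                cur[last] += " " + line.strip()  # wrapped value of previous field
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "Node":
            node, cur, last = val, None, None
        elif key == "Category":
            category, cur, last = val, None, None
        elif key == "Component":
            cur = {"Node": node, "Category": category, "Component": val}
            records.append(cur)
            last = None
        elif cur is not None:
            cur[key], last = val, key
    return records

def trust_failures(records):
    """Nodes whose check failed because the server certificate chain is untrusted."""
    return sorted({r["Node"] for r in records
                   if r.get("Status") == "failed" and CERT_ERR in r.get("Error", "")})
```

Calling `trust_failures(parse_checks(output))` on captured output lists the nodes that need the root certificate restored.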

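Cause

  • The server-ca certificate that ONTAP uses to authenticate the HTTPS support URL support.netapp.com/asupprod/post/1.0/postAsup is missing
  • The common name of this certificate is AAACertificateServices
  • This certificate was deleted in one of the following two ways:
  • Bug ID 1221636 tracks this issue

Solution

To resolve this issue, choose one of the following options:
Reload the trust store

cluster1::*>security certificate truststore load

Manually add the single certificate used for AutoSupport
  • This adds back the AAACertificateServices root certificate
  • The following is the current AAACertificateServices certificate as of the publication of this article; however, using the trust store is preferred because it ensures that the current certificates are loaded
  • Use the security certificate install command: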

cluster1::>security certificate install -type server-ca

Please enter Certificate: Press <Enter> when done

-----BEGIN CERTIFICATE-----
<certificate body omitted>
-----END CERTIFICATE-----

 

You should keep a copy of the CA-signed digital certificate for future reference.
 
The installed certificate's CA and serial number for reference:
CA: AAA Certificate Services
serial: 01
 
The certificate's generated name for reference: AAACertificateServices

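Additional Information

Temporary workaround
  • This issue can be worked around by disabling certificate validation
  • This configures all controllers in the cluster so that they do not validate the server certificate received from support.netapp.com
  • This is a temporary fix to restore transmission of AutoSupport logs until the issue is fully resolved
  • Configure the storage controller to skip server certificate validation: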
cluster1::>system node autosupport modify -node <node> -transport https -support enable -validate-digital-certificate false

 
