
How to explicitly trust a private CA certificate on AltaVault

Applies to

  • NetApp Cloud Backup (AltaVault)

Issue

  • The private or public CA that issued the cloud provider's SSL certificate must have its public certificate already trusted on AltaVault.
  • Otherwise the system log shows CA certificate errors and replication fails.
  • AltaVault connects to the cloud provider over SSL; for the cloud provider's certificate to be trusted, the signing certificate authority (CA) must be explicitly trusted.
  • For this purpose AltaVault, like most devices, uses a ca-bundle file, which is a concatenated list of public CA X.509 certificates.
  • If the customer uses private cloud storage with certificates signed by an enterprise certificate authority, the private CA's public certificate must be explicitly trusted before certificates it issued are considered valid.
  • This is done by appending that certificate to AltaVault's ca-bundle file.
  • In addition, a public CA's certificate may expire and be renewed, and the renewal may not be reflected in the CA certificate bundle currently shipped with AltaVault.
  • If this happens, every certificate signed by that CA fails to validate.

Example errors that may appear when the CA certificate cannot be validated against the trusted certificates:

Peer certificate could not be authenticated with known CA certificates. You may proceed by disabling ssl certificate verification if you are sure about the authenticity of the server. Run "no replication ssl verify-certs" from the cli.
An error has occurred while replicating data to the cloud.

Altavault (config) # cloudctl exec "-a list"
Failed to get bucket list: 60: Peer certificate cannot be authenticated with given CA certificates : Peer certificate cannot be authenticated with known CA certificate


NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.