LDAP for UNIX name services fails after an upgrade with "certificate has expired"
Applies to
ONTAP 9
Issue
- After an upgrade, LDAP for UNIX name services fails with "certificate has expired"
::> ldap check -vserver VSERVER
Vserver: VSERVER
Client Configuration Name: Unix
LDAP Status: down
LDAP Status Details: Error: Validate the Ldap configuration procedure failed
[ 0 ms] Hostname found in Name Service Cache
[ 0] IP Address found in Name Service Cache
[ 0] Resolved LDAP servers: 10.1.1.2. Vserver: vserverid
[ 1] Successfully connected to ip 10.1.1.2, port 389 using TCP
[ 8] Unable to start TLS: Connect error
[ 8] Additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (certificate has expired)
- During name-service lookups, the secd log also reports the expired certificate
[ 10] Unable to start TLS: Connect error
[ 10] Additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (certificate has expired)
- This can affect NFS and any other access that depends on name-service switch sources (UNIX users, UNIX groups, name mapping, netgroups) configured to use LDAP
- The server-ca certificate displayed on the SVM is valid (not expired)
::*> security certificate show -vserver VSERVER -type server-ca
Vserver    Serial Number                    Certificate Name                       Type
---------- -------------------------------- -------------------------------------- ------------
VSERVER    01234567890ABCDEF01234567890ABCD CERTIFICATENAME                        server-ca
    Certificate Authority: CERTIFICATEAUTHORITY
          Expiration Date: DAY MON DD hh:mm:ss YEAR
- ldap check succeeds when it is run from an SSH session opened directly to another node in the cluster
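The ldap check output above shows the TLS handshake to 10.1.1.2:389 failing certificate verification even though the server-ca stored in ONTAP has not expired. OpenSSL reports "certificate has expired" (verify error 10) for whichever certificate in the chain the server presents is outside its validity period, judged by the verifying host's clock, so the CA's own expiration date alone does not show where the problem lies. The following Python script, added here as an example and not part of the original article or of any NetApp tool, reproduces the failing step from an administrator's workstation: it performs the LDAP StartTLS extended operation by hand (BER-encoded, so only the standard library is needed), verifies the server's chain against a PEM file containing the same CA, and then reads the leaf certificate's notAfter over a second, unverified handshake. The address 10.1.1.2 is taken from the ldap check output; the CA file argument and the decision to skip hostname checking (the server is addressed by IP) are assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14

def ber_tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER tag-length-value (definite lengths up to 65535)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext)

def parse_extended_response(msg: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, ext, _ = read_tlv(body, pos)
    if tag != 0x78:                            # [APPLICATION 24] ExtendedResponse
        raise ValueError(f"unexpected protocolOp tag {tag:#x}")
    _, code, pos = read_tlv(ext)               # ENUMERATED resultCode, 0 = success
    _, _, pos = read_tlv(ext, pos)             # LDAPDN matchedDN
    _, diag, _ = read_tlv(ext, pos)            # LDAPString diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def cert_not_after(der: bytes) -> datetime:
    """Pull notAfter out of a DER certificate without a third-party ASN.1 library."""
    _, cert, _ = read_tlv(der)                 # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert)                 # tbsCertificate SEQUENCE
    tag, _, pos = read_tlv(tbs)                # [0] EXPLICIT version, absent in v1 certs
    if tag != 0xA0:
        pos = 0
    for _ in range(3):                         # skip serialNumber, signature, issuer
        _, _, pos = read_tlv(tbs, pos)
    _, validity, _ = read_tlv(tbs, pos)        # Validity SEQUENCE { notBefore, notAfter }
    _, _, vpos = read_tlv(validity)
    tag, value, _ = read_tlv(validity, vpos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def _starttls_socket(host: str, port: int, timeout: float) -> socket.socket:
    """TCP connect on the LDAP port and complete the StartTLS extended operation."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(starttls_request())
    _, code, diag = parse_extended_response(sock.recv(4096))   # reply is a few dozen bytes
    if code != 0:
        sock.close()
        raise RuntimeError(f"StartTLS refused: resultCode={code} {diag!r}")
    return sock

def check_ldap_starttls(host: str, port: int = 389, cafile: Optional[str] = None,
                        timeout: float = 5.0) -> dict:
    """Verify the server's chain against cafile, then report the leaf certificate's expiry."""
    ctx = ssl.create_default_context(cafile=cafile)  # system trust store when cafile is None
    ctx.check_hostname = False                 # assumption: the server is addressed by IP
    result = {"host": host, "verified": True, "error": None}
    try:
        ctx.wrap_socket(_starttls_socket(host, port, timeout)).close()
    except ssl.SSLCertVerificationError as exc:   # e.g. verify_code 10 "certificate has expired"
        result.update(verified=False, error=exc.verify_message, verify_code=exc.verify_code)
    ctx.verify_mode = ssl.CERT_NONE            # second handshake: only to read the leaf cert
    with ctx.wrap_socket(_starttls_socket(host, port, timeout)) as tls:
        not_after = cert_not_after(tls.getpeercert(binary_form=True))
    result["leaf_not_after"] = not_after.isoformat()
    result["leaf_expired"] = not_after < datetime.now(timezone.utc)
    return result

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.1.1.2"   # server from the ldap check output
    print(check_ldap_starttls(target, cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it as `python3 ldap_starttls_check.py 10.1.1.2 server-ca.pem` (file name chosen here; the PEM is an export of the same CA that security certificate show lists). If `verified` is False with `error` "certificate has expired" but `leaf_expired` is False, the expired certificate is an intermediate rather than the leaf; with OpenSSL 1.1.1 or later, `openssl s_client -starttls ldap -connect 10.1.1.2:389 -CAfile server-ca.pem -showcerts` prints every certificate the server sends, which is the quickest way to find that one. Because verification is done against the local clock, also compare the workstation's time with the node's before drawing conclusions.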