ONTAP AutoSupport messages fail using HTTPS: SSL certificate problem
Applies to
- ONTAP 9
- HTTPS transport protocol for AutoSupport messages
Issue
- AutoSupport messages using HTTPS as the transport fail:
::> system node autosupport history show -node node_name -seq-num <seq_num> -instance
Node: node_name
AutoSupport Sequence Number: seq_num
Destination for This AutoSupport: https
Trigger Event: callhome.management.log
Time of Last Update: 1/12/2021 02:58:59
Status of Delivery: transmission-failed
Delivery Attempts: 15
AutoSupport Subject: MANAGEMENT_LOG
Delivery URI: 10.106.130.129:8080(support.netapp.com/put/AsupPut)
Last Error: SSL certificate problem: unable to get local issuer certificate
::> autosupport check show-details -node node_name
Node: node_name
Category: http-https
Component: http-put-destination
Status: failed
Detail: HTTP/S PUT connectivity check failed for destination:
https://support.netapp.com/put/AsupPut/ via proxy -
123.123.123.123:8080. Error: Peer certificate can not be
authenticated with given Certificate Authority
certificates.
Corrective Action: Certificate issue. Please make sure you have the correct
Root Certificate installed
Component: http-post-destination
Status: failed
Detail: HTTP/S POST connectivity check failed for destination:
https://support.netapp.com/asupprod/post/1.0/postAsup
via proxy - 123.123.123.123:8080. Error: Peer certificate
can not be authenticated with given Certificate
Authority certificates.
Corrective Action: Certificate issue. Please make sure you have the correct
Root Certificate installed
- Similar error messages:
message: SSL certificate problem: self signed certificate in certificate chain
Error: Peer certificate can not be authenticated with given Certificate Authority certificates.
Error: asup.post.drop: AutoSupport message (HA Group Notification from node01 (USER_TRIGGERED (TEST:Test)) NOTICE) was not posted to NetApp. The system will drop the message.
- Additional error messages found in /mroot/etc/log/mlog/notifyd.log:
::> system node run -node <node_name> -command rdfile /etc/log/mlog/notifyd.log
Cause
- A network device, such as a firewall or transparent proxy, sitting in the communication path between support.netapp.com and the storage controller is intercepting the HTTPS traffic.
- The certificate injected by the firewall or transparent proxy appears to be served by support.netapp.com, but it is not installed in the ONTAP trust store. support.netapp.com requires the following default signing certificate (already present in the trust store bundle):
::*> security certificate show -vserver <cluster_svm> -common-name AAACertificateServices
Vserver Serial Number Common Name Type
---------- --------------- -------------------------------------- ------------
cluster_svm
01 AAACertificateServices server-ca
Certificate Authority: AAA Certificate Services
Expiration Date: Sun Dec 31 18:59:59 2028
Solution
- Have your network/security team obtain the root CA certificate and install it in ONTAP with security certificate install, or modify the proxy for each node in the cluster and set an exception so that the proxy does not insert its own self-signed certificate. For example, if SSL decryption inserts a certificate with the common name palo.tcw.int, bypassing SSL decryption for support.netapp.com/cn will prevent SSL decryption from inserting its certificate.
- Add support.netapp.com to the proxy whitelist.
- If the proxy cannot be modified, certificate validation can be disabled as a temporary workaround:
::> system node autosupport modify -node <node_name> -validate-digital-certificate false
This disables validation of the server certificate received from support.netapp.com. It is a temporary fix to restore delivery of AutoSupport logs until the issue is fully resolved.
Additional Information
- How does ONTAP send AutoSupport using HTTPS?
- ONTAP AutoSupport messages fail using HTTPS: error setting certificate verify locations
- For more information about AutoSupport, see TR-4444 - ONTAP AutoSupport and AutoSupport On Demand Configuration Guide
- To confirm whether the node can establish a TLS connection to NetApp Support and whether certificate validation succeeds, you can run the following commands:
systemshell -node <nodename> openssl s_client -connect support.netapp.com:443
security certificate truststore check -vserver <cluster_name> -server support.netapp.com:443
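The same connectivity check run from an administrator workstation, as an added example (not ONTAP or NetApp code): it opens an HTTP CONNECT tunnel through the proxy, performs the TLS handshake to support.netapp.com:443 with a normal trust store, and maps the OpenSSL verify error to the cause described in this article. The proxy address reuses the article's constructed 123.123.123.123:8080, and the optional cafile for a corporate root CA is an assumption.

```python
"""Check whether a proxy is re-signing support.netapp.com (added example,
not ONTAP code). Proxy address and optional corporate CA file are assumed."""
import socket
import ssl

# OpenSSL X509 verify codes behind the two messages quoted in this article.
VERIFY_DIAGNOSIS = {
    20: "unable to get local issuer certificate: the CA that issued the "
        "presented certificate is not in the trust store; a firewall/proxy is "
        "probably re-signing support.netapp.com (install its root CA or bypass "
        "SSL decryption for support.netapp.com).",
    19: "self signed certificate in certificate chain: a self-signed CA, "
        "typical of an SSL decryption appliance, appears in the chain; install "
        "that root CA or exempt support.netapp.com from decryption.",
}


def diagnose(verify_code: int, verify_message: str) -> str:
    """Translate an SSLCertVerificationError into the article's cause."""
    return VERIFY_DIAGNOSIS.get(
        verify_code, f"verification failed ({verify_code}): {verify_message}")


def connect_request(host: str, port: int) -> bytes:
    """Build the HTTP CONNECT request a proxy expects for a TLS tunnel."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def probe(proxy: tuple, host="support.netapp.com", port=443, cafile=None) -> str:
    """Tunnel through proxy=(host, port) and report the TLS verify result."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: corporate root CA (optional)
    with socket.create_connection(proxy, timeout=10) as raw:
        raw.sendall(connect_request(host, port))
        status = raw.recv(4096).split(b"\r\n", 1)[0]
        if b" 200 " not in status:
            return f"proxy refused CONNECT: {status.decode(errors='replace')}"
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return f"OK: chain verified, issuer CN={issuer.get('commonName')}"
        except ssl.SSLCertVerificationError as err:
            return "FAILED: " + diagnose(err.verify_code, err.verify_message)


if __name__ == "__main__":
    # Constructed proxy address taken from the article's sample output.
    print(probe(("123.123.123.123", 8080)))
```

Run it once without cafile to reproduce the failure, then with the proxy's root CA as cafile; if the second run verifies, installing that same certificate in ONTAP with security certificate install is the fix.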