Object store certificate validation fails even though the root CA is present in the truststore
Applies to
- ONTAP 9
- FabricPool
- S3 certificate validation
Issue
- If certificate validation is enabled for a FabricPool aggregate, the certificate validation fails:
myclus::> aggregate object-store config modify -object-store-name my-obj-store-cfg -is-certificate-validation-enabled true

Warning: Modifying the server, port, IPspace, SSL-enabled state, or SSL/TLS certificate validation will disrupt object store access for several seconds.
Do you want to continue? {y|n}: y

Error: command failed: Cannot verify availability of the object store from node myclus-node-01. Reason: Cannot verify the certificate given by the object store server. It is possible that the certificate has not been installed on the cluster. Use the 'security certificate install -type server-ca' command to install it..
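- The certificate authority that signed the S3 endpoint's server certificate is registered as type server-ca in the truststore of the FabricPool cluster's admin vserver, so the error above does not make sense: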
myclus::> security certificate truststore check -vserver myclus -server somebucket.company.local
CA certificate with cert-name "fabricpool-ca_cert" is already installed. Use "security certificate show -cert-name fabricpool-ca_cert" to see the details of the CA certificate.
::> security certificate show -cert-name fabricpool-ca_cert
Vserver    Serial Number   Certificate Name                       Type
---------- --------------- -------------------------------------- ------------
myclus     1234567890      fabricpool_ca_cert                     server-ca
    Certificate Authority: company_rootca
          Expiration Date: Fri May 13 13:13:13 2032