ONTAP AutoSupport messages fail when using HTTPS: SSL certificate problem
Applies to
- ONTAP 9
- HTTPS transport protocol for AutoSupport messages
Issue
- AutoSupport messages that use HTTPS as the transport fail:
::> system node autosupport history show -node node_name -seq-num <seq_num> -instance
Node: node_name
AutoSupport Sequence Number: seq_num
Destination for This AutoSupport: https
Trigger Event: callhome.management.log
Time of Last Update: 1/12/2021 02:58:59
Status of Delivery: transmission-failed
Delivery Attempts: 15
AutoSupport Subject: MANAGEMENT_LOG
Delivery URI: 10.106.130.129:8080(support.netapp.com/put/AsupPut)
Last Error: SSL certificate problem: unable to get local issuer certificate
::> autosupport check show-details -node node_name
Node: node_name
Category: http-https
Component: http-put-destination
Status: failed
Detail: HTTP/S PUT connectivity check failed for destination:
https://support.netapp.com/put/AsupPut/ via proxy -
123.123.123.123:8080. Error: Peer certificate can not be
authenticated with given Certificate Authority
certificates.
Corrective Action: Certificate issue. Please make sure you have the correct
Root Certificate installed
Component: http-post-destination
Status: failed
Detail: HTTP/S POST connectivity check failed for destination:
https://support.netapp.com/asupprod/post/1.0/postAsup
via proxy - 123.123.123.123:8080. Error: Peer certificate
can not be authenticated with given Certificate
Authority certificates.
Corrective Action: Certificate issue. Please make sure you have the correct
Root Certificate installed
- Similar error messages:
message: SSL certificate problem: self signed certificate in certificate chain
Error: Peer certificate can not be authenticated with given Certificate Authority certificates.
Error: asup.post.drop: AutoSupport message (HA Group Notification from node01 (USER_TRIGGERED (TEST:Test)) NOTICE) was not posted to NetApp. The system will drop the message.
- Additional error messages are found in /mroot/etc/log/mlog/notifyd.log:
::> system node run -node <node_name> -command rdfile /etc/log/mlog/notifyd.log
Cause
- A network device such as a firewall or transparent proxy sitting in the communication path between support.netapp.com and the storage controller is intercepting the HTTPS packets.
- The certificate loaded on the firewall or transparent proxy appears to be presented by support.netapp.com, but that certificate is not installed in the ONTAP trust store. support.netapp.com requires the following default signing certificate (already present in the trust store bundle):
::*> security certificate show -vserver <cluster_svm> -common-name AAACertificateServices
Vserver Serial Number Common Name Type
---------- --------------- -------------------------------------- ------------
cluster_svm
01 AAACertificateServices server-ca
Certificate Authority: AAA Certificate Services
Expiration Date: Sun Dec 31 18:59:59 2028
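To reproduce the same verification failure from a workstation behind the same proxy, the following added Python script (not from this KB article or from NetApp) opens an HTTP CONNECT tunnel through the proxy and performs a verified TLS handshake to support.netapp.com, reporting the issuer CN on success or the OpenSSL verify error on failure; the proxy address, the helper names and the diagnosis wording in classify_verify_error() are assumptions.

```python
import socket
import ssl

# Diagnoses keyed on the OpenSSL verify errors quoted in the KB article (assumed wording).
DIAGNOSES = {
    "unable to get local issuer certificate":
        "certificate chain does not end at a CA in the local trust store "
        "(typical of a transparent proxy re-signing the connection)",
    "self signed certificate in certificate chain":
        "an intermediate device inserted its own self-signed CA certificate",
}


def classify_verify_error(message):
    """Map an OpenSSL verification error string to a human-readable cause."""
    for needle, diagnosis in DIAGNOSES.items():
        if needle in message:
            return diagnosis
    return "unrecognised certificate verification failure"


def build_connect_request(host, port):
    """HTTP CONNECT request asking the proxy for a TCP tunnel to host:port."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")


def connect_succeeded(response):
    """True if the proxy's first response line carries a 2xx status (tunnel established)."""
    status_line = response.split(b"\r\n", 1)[0].split(b" ")
    return len(status_line) >= 2 and status_line[1].startswith(b"2")


def probe_via_proxy(proxy_host, proxy_port, target_host="support.netapp.com",
                    target_port=443, timeout=10):
    """Tunnel through the proxy, then do a verified TLS handshake to the target.

    Returns (verified, detail); detail carries the issuer CN or the verify error.
    """
    raw = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        raw.sendall(build_connect_request(target_host, target_port))
        if not connect_succeeded(raw.recv(4096)):
            return False, "proxy refused CONNECT tunnel"
        ctx = ssl.create_default_context()  # OS trust store, as ONTAP uses its own bundle
        with ctx.wrap_socket(raw, server_hostname=target_host) as tls:
            issuer = dict(item[0] for item in tls.getpeercert()["issuer"])
            return True, f"chain verified; issuer CN={issuer.get('commonName')}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"{exc.verify_message}: {classify_verify_error(exc.verify_message)}"
    finally:
        raw.close()


if __name__ == "__main__":
    print(probe_via_proxy("123.123.123.123", 8080))  # proxy from the KB output; adjust to yours
```

If the probe reports "self signed certificate in certificate chain" while the same handshake without the proxy verifies cleanly, the proxy path is inserting its own certificate, which is the condition described in the Cause section.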
Solution
- Contact your network/security team to obtain the root CA certificate and install it in ONTAP with security certificate install, or modify the proxy (excluding each node in the cluster) so that it no longer inserts its own self-signed certificate. For example, where SSL decryption inserts a certificate with the common name palo.tcw.int, excluding support.ssl.com from decryption prevents the decrypting device from inserting its certificate.
- Add support.netapp.com to the proxy whitelist.
- If the proxy cannot be modified, certificate validation can be disabled as a temporary workaround:
::> system node autosupport modify -node <node_name> -validate-digital-certificate false
ONTAP will then no longer validate the server certificate received from support.netapp.com. This is a temporary fix to restore AutoSupport log transmission until the issue is fully resolved.