2015-11-20 04:55 AM
our netapp running dataontap 8.3 are to expiring ssl certificates.
I followed those instructions:
- "Installing a server certificate to authenticate the cluster or SVM as an SSL server" (system admin guide x cluster admins 8.3)
- KB ID: 1014389 "How to renew an SSL certificate in clustered Data ONTAP"
using a CA signed certificate (our internal CA).
System manager works fine and is using the correct certificate, but in Ocum albeit it asks me "should I trust the CA" (I answered yes of course) I started getting "Unreachable cluster".
I tried to rediscover the cluster, but the error remains.
Finally I removed the CA-signed certificate and generate a self-signed certificate, and with this one it works fine.
Are there any particular procedure to follow to use CA signed certs?
2015-11-24 03:59 AM
Thanks for reaching out to us. I heard this problem from one of the other customer too.
Can you please provide the following information to diagnose it further:
* Screen shot of the error
* Your actual certificate (If you dont want to share the information over community, please mail me the details to firstname.lastname@example.org.
* Are you using Windows CA server to sign the certificates ? Can you please brief more about the configuration of your CA server.
If it is of high interest to monitor this system from OCUM, you can use HTTP protocol for time being until this issue gets fixed.
2015-11-27 01:00 AM
yes it's a Windows CA, but I found out a strange behaviour: after 24 hours of complaining about "cluster not reachable", suddendly OCUM managed to monitor the cluster and the error went away.
Googling around I read something about session pooling where sessions keeps using old certificate, but I can remember where I read this.
Does it sounds meaningful ?