topic Re: Can't add a cluster in Active IQ Unified Manager Discussions

Can't add a cluster

ckeith — Thu, 01 May 2014 22:39:50 GMT

I just installed OCUM 6.1 and I am trying to add some clusters. I added the first one without a problem, but when I tried to install the second one it complained that the self signed certificate had expired. Sure enough I logged on to the cluster and the certificate was expired. I used the following command to create a new certificate:

security certificate create -vserver add-n1-nas2 -common-name add-n1-nas2.cert -expire-days 365 -type server

Unfortunately I still received the error that the certificate was expired. I figured it was still using the older certificate so I deleted the old one. Apparently that was a mistake, because now OCUM is simply stating "Cannot establish communication to the host <IP> over SSL". I tried disabling and enabling the "portal" and "ontapi" web services, (hoping that would restart the web server) all to no avail.

Anyone have any ideas what is going on? And/or what to look at to figure this out?

Thanks,

Keith

Re: Can't add a cluster

venkat3 — Fri, 02 May 2014 04:58:24 GMT

Hi Keith Cantrell,

Welcome to communities.

Clustered dataontap ssl certificate regeneration procedure is KB'ed here.

https://kb.netapp.com/support/index?page=content&id=S:1014389&actp=LIST&showDraft=true

Please follow exact steps mentioned here.

Do let us know if the above KB isn't helping

-Srinivas

Re: Can't add a cluster

ckeith — Fri, 02 May 2014 13:34:19 GMT

Yes, thank you! Following the idea of the KB resolved the issue. I said "Following the idea" because I assume those instructions were written for 8.1 because they are slightly different for 8.2. Regardless, it pointed out that I had to enable the "ssl service" after I removed the certificate.

Thanks!

Re: Can't add a cluster

venkat3 — Fri, 02 May 2014 14:57:56 GMT

Am glad that you are able to add cluster to ocum 6.1 now.

i will ask the kb team to update the kb article for 8.2 as well.

Thank you for the feedback.

-Srinivas.

Re: Can't add a cluster

AJHunt18 — Thu, 04 Feb 2016 03:11:50 GMT

Hi Venka,

I am having a different issue with certificate creation. I am supposed to create a certificate for our storage nodes, but when I use the create certificate commands, I get this error:

command failed: cannot store certificate.

I do not know what is the cause of the error but these storage nodes are not vservers, and in the KB you sent, certificate creation specifies a vserver:

security certificate create -vserver christoh-svm1 -common-name christoh-svm1.cert -size 2048 -type server -country US -expire-days 3650 -hash-function SHA256

Do you have an idea how can I fix this issue?

Thank you!

Regards,

Re: Can't add a cluster

Nick_Elliott — Thu, 11 Feb 2016 22:08:48 GMT

What version of ONTAP?

I've been able to execute your syntax on my lab cluster with no issues.

Your common-name does not require the .cert extention. It works but it isn't required here and really doesn't fit the below from the man page:

-common-name <FQDN or Custom Common Name> - FQDN or Custom Common Name
This specifies the desired certificate name as a fully qualified domain name (FQDN) or custom common name or the name of a person.

Try setting expiredays to 3644 or less. I've seen a release that doesn't like 3690 through the ONTAPI and I assume that it would occur on the command line as well.

Re: Can't add a cluster

Nick_Elliott — Thu, 11 Feb 2016 22:19:17 GMT

I quickly created this powershell script to reissue expired or expiring certificates after one of my customers had several clusters with expired certs. Just script out the connections to the clusters and have it call this function once connected and it will push out all the expiration dates.

#REQUIRES -Version 4.0 -Modules DATAONTAP
function update-netappCertificates{
<#
.SYNOPSIS
	Checks the certificates on a cluster and replaces them if they have expired or expire within N years.

.DESCRIPTION
	Checks the certificates on a cluster and replaces them if they have expired or expire within N years.

.EXAMPLE
    update-netappCertificates -Years 2

.PARAMETER Years
	
.LINK 
    Connect-NcController

.LINK 
    Get-NcSecurityCertificate

.LINK 
    New-NcSecurityCertificate

.LINK 
    Remove-NcSecurityCertificate

#>

	[CmdletBinding()]
	param(
		[Parameter(Mandatory=$True,
		    ValueFromPipeline=$False)]
		    [int]$Years
	)

	BEGIN {
        $ErrorActionPreference = 'stop'
        $today = Get-Date
        $date = $today.AddYears($Years)
        $days = 3644

        Write-verbose "Today is $today"
        Write-verbose "Looking for certificates before $date"
    }
	PROCESS {
        $certificates = Get-NcSecurityCertificate
        
        
        foreach($certificate in $certificates){
            
            if($certificate.expirationDateDT -le $date){
                
                try{
                    
                    New-NcSecurityCertificate -Vserver $certificate.Vserver -CommonName $certificate.CommonName -Type $certificate.Type -Size $certificate.Size -Country $certificate.Country -ExpireDays $days -HashFunction $certificate.HashFunction -Confirm:$false
                    Remove-NcSecurityCertificate -Vserver $certificate.Vserver -CommonName $certificate.CommonName -SerialNumber $certificate.SerialNumber -Type $certificate.Type -CertificateAuthority $certificate.CertificateAuthority -Confirm:$false

                }
                catch {
                    write-debug "error"
                    write-error "something happened"
                    write-error $_
                    
                }

                $newcert = Get-NcSecurityCertificate -Vserver $certificate.Vserver -CommonName $certificate.CommonName -Type $certificate.Type -Size $certificate.Size

                if($newcert){

                    Set-NcSecuritySsl -Vserver $certificate.Vserver -CertificateAuthority $newcert.CertificateAuthority -CertificateSerialNumber $newcert.SerialNumber -EnableClientAuthentication $false -EnableServerAuthentication $true -Confirm:$false | Out-Null
                    
                    write-host "$($certificate.CommonName) on $($certificate.Vserver) serial number $($certificate.SerialNumber) has been replaced by $($newcert.SerialNumber) which will expire $($newcert.ExpirationDateDT)"
                    write-verbose "Certificate $($certificate.CommonName) from vserver $($certificate.Vserver) with expiration of $($certificate.ExpirationDateDT) and serial $($certificate.SerialNumber) has been updated to $($newcert.expirationDateDT) and Serial Number of $($newcert.SerialNumber)"
                    
                }
            }
        
        }

    }
	END {

        

    }
}

Re: Can't add a cluster

AJHunt18 — Fri, 12 Feb 2016 09:52:02 GMT

Hi, our ONTAP version is 8.3.1 and by the way, I have managed to fix this problem already.

Node certificate is not required in ONTAP 8.3.1, cluster certificate is enough according to this KB: https://kb.netapp.com/support/index?page=content&id=2024831&actp=LIST_RECENT&viewlocale=en_US&searchid=1454560353066

Thanks.

Re: Can't add a cluster

BurnsideA — Thu, 16 Jul 2020 11:03:35 GMT

Guys do we have the link that works for that KB - i can't see it and have a similar issue