Active IQ Unified Manager Discussions

Can't add a cluster

ckeith
20,119 Views

I just installed OCUM 6.1 and I am trying to add some clusters.  I added the first one without a problem, but when I tried to install the second one it complained that the self signed certificate had expired.  Sure enough I logged on to the cluster and the certificate was expired.  I used the following command to create a new certificate:

security certificate create -vserver add-n1-nas2 -common-name add-n1-nas2.cert -expire-days 365 -type server

Unfortunately I still received the error that the certificate was expired.  I figured it was still using the older certificate so I deleted the old one.  Apparently that was a mistake, because now OCUM is simply stating "Cannot establish communication to the host <IP> over SSL".  I tried disabling and enabling the "portal" and "ontapi" web services, (hoping that would restart the web server) all to no avail.

Anyone have any ideas what is going on?  And/or what to look at to figure this out?

Thanks,

Keith

1 ACCEPTED SOLUTION

venkat3
20,119 Views

Hi Keith Cantrell,

Welcome to communities.

Clustered dataontap ssl certificate regeneration procedure is KB'ed here.

https://kb.netapp.com/support/index?page=content&id=S:1014389&actp=LIST&showDraft=true

Please follow exact steps mentioned here.

Do let us know if the above KB isn't helping

-Srinivas

View solution in original post

8 REPLIES 8

venkat3
20,120 Views

Hi Keith Cantrell,

Welcome to communities.

Clustered dataontap ssl certificate regeneration procedure is KB'ed here.

https://kb.netapp.com/support/index?page=content&id=S:1014389&actp=LIST&showDraft=true

Please follow exact steps mentioned here.

Do let us know if the above KB isn't helping

-Srinivas

ckeith
20,119 Views

Yes, thank you!  Following the idea of the KB resolved the issue.  I said "Following the idea" because I assume those instructions were written for 8.1 because they are slightly different for 8.2.  Regardless, it pointed out that I had to enable the "ssl service" after I removed the certificate.

Thanks!

venkat3
20,117 Views

Am glad that you are able to add cluster to ocum 6.1 now.

i will ask the kb team to update the kb article for 8.2 as well.

Thank you for the feedback.

-Srinivas.

AJHunt18
18,639 Views

Hi Venka,

 

I am having a different issue with certificate creation. I am supposed to create a certificate for our storage nodes, but when I use the create certificate commands, I get this error:

 

command failed: cannot store certificate.

 

I do not know what is the cause of the error but these storage nodes are not vservers, and in the KB you sent, certificate creation specifies a vserver:

 

    security certificate create -vserver christoh-svm1 -common-name christoh-svm1.cert -size 2048 -type server -country US -expire-days 3650 -hash-function SHA256

 

Do you have an idea how can I fix this issue?

 

Thank you!

 

Regards,

AJ

Nick_Elliott
18,596 Views

What version of ONTAP?

 

I've been able to execute your syntax on my lab cluster with no issues.

 

Your common-name does not require the .cert extention.  It works but it isn't required here and really doesn't fit the below from the man page:

 

 

-common-name <FQDN or Custom Common Name> - FQDN or Custom Common Name
This specifies the desired certificate name as a fully qualified domain name (FQDN) or custom common name or the name of a person.
 
Try setting expiredays to 3644 or less.  I've seen a release that doesn't like 3690 through the ONTAPI and I assume that it would occur on the command line as well.
 

AJHunt18
18,573 Views

Hi, our ONTAP version is 8.3.1 and by the way, I have managed to fix this problem already.

 

Node certificate is not required in ONTAP 8.3.1, cluster certificate is enough according to this KB: https://kb.netapp.com/support/index?page=content&id=2024831&actp=LIST_RECENT&viewlocale=en_US&searchid=1454560353066

 

Thanks.

BurnsideA
7,995 Views

Guys do we have the link that works for that KB - i can't see it and have a similar issue

Nick_Elliott
18,593 Views

I quickly created this powershell script to reissue expired or expiring certificates after one of my customers had several clusters with expired certs.  Just script out the connections to the clusters and have it call this function once connected and it will push out all the expiration dates.

 

 

#REQUIRES -Version 4.0 -Modules DATAONTAP
function update-netappCertificates{
<#
.SYNOPSIS
	Checks the certificates on a cluster and replaces them if they have expired or expire within N years.

.DESCRIPTION
	Checks the certificates on a cluster and replaces them if they have expired or expire within N years.

.EXAMPLE
    update-netappCertificates -Years 2

.PARAMETER Years
	
.LINK 
    Connect-NcController

.LINK 
    Get-NcSecurityCertificate

.LINK 
    New-NcSecurityCertificate

.LINK 
    Remove-NcSecurityCertificate

#>

	[CmdletBinding()]
	param(
		[Parameter(Mandatory=$True,
		    ValueFromPipeline=$False)]
		    [int]$Years
	)

	BEGIN {
        $ErrorActionPreference = 'stop'
        $today = Get-Date
        $date = $today.AddYears($Years)
        $days = 3644

        Write-verbose "Today is $today"
        Write-verbose "Looking for certificates before $date"
    }
	PROCESS {
        $certificates = Get-NcSecurityCertificate
        
        
        foreach($certificate in $certificates){
            
            if($certificate.expirationDateDT -le $date){
                
                try{
                    
                    New-NcSecurityCertificate -Vserver $certificate.Vserver -CommonName $certificate.CommonName -Type $certificate.Type -Size $certificate.Size -Country $certificate.Country -ExpireDays $days -HashFunction $certificate.HashFunction -Confirm:$false
                    Remove-NcSecurityCertificate -Vserver $certificate.Vserver -CommonName $certificate.CommonName -SerialNumber $certificate.SerialNumber -Type $certificate.Type -CertificateAuthority $certificate.CertificateAuthority -Confirm:$false

                }
                catch {
                    write-debug "error"
                    write-error "something happened"
                    write-error $_
                    
                }

                $newcert = Get-NcSecurityCertificate -Vserver $certificate.Vserver -CommonName $certificate.CommonName -Type $certificate.Type -Size $certificate.Size

                if($newcert){

                    Set-NcSecuritySsl -Vserver $certificate.Vserver -CertificateAuthority $newcert.CertificateAuthority -CertificateSerialNumber $newcert.SerialNumber -EnableClientAuthentication $false -EnableServerAuthentication $true -Confirm:$false | Out-Null
                    
                    write-host "$($certificate.CommonName) on $($certificate.Vserver) serial number $($certificate.SerialNumber) has been replaced by $($newcert.SerialNumber) which will expire $($newcert.ExpirationDateDT)"
                    write-verbose "Certificate $($certificate.CommonName) from vserver $($certificate.Vserver) with expiration of $($certificate.ExpirationDateDT) and serial $($certificate.SerialNumber) has been updated to $($newcert.expirationDateDT) and Serial Number of $($newcert.SerialNumber)"
                    
                }
            }
        
        }

    }
	END {

        

    }
}

 

Public