
Digital AIQUM certificate cannot be deleted

Michael_K

Dear community,

The following entry can be found in the event log of our FAS2750 (ONTAP 9.13.N):

"mgmtgwd.certificate.expired: A digital certificate with Fully Qualified Domain Name (FQDN) nnnnnnnn-911f-47c7-b1c1-nnnnnnnnnnnn, Serial Number nnnnnnnn, Certificate Authority 'nnnnnnnn-911f-47c7-b1c1-nnnnnnnnnnnn' and type client for Vserver FASxxxxxx has expired."

The certificate has expired and is no longer needed because the affected AIQUM host no longer exists and has been replaced by another one (with a new hostname).

The problem is that the certificate cannot be deleted because the old AIQUM host no longer exists:

The certificate could not be removed due to the following conflicts: The certificate issued by "nnnnnnnn-911f-47c7-b1c1-nnnnnnnnnnn" with serial number "nnnnnnnn" is in use by the rest-api EMS destination "hostname-bbbbb-de_server" and cannot be removed.

The listed destination no longer exists - how can I delete the certificate entry anyway?

Any idea?

Thanks

Best regards

Michael

1 ACCEPTED SOLUTION

MarcoLuvisi

Hello @Michael_K

I think you have configured the Event Management System to point to the old AIQUM; see "event notification destination" and delete the old entry.

Bye.


Michael_K

Hello MarcoLuvisi,

Thank you for your answer.

You were right, there were actually two entries in the "event notification destination": one from the old host (asocum01), which no longer exists, and one from the current host (asocum02).

I have deleted the old entry so that only the current entry for the AIQUM host is still included:

FASxxxxx::> event notification destination show
Name                      Type      Destination
------------------------- --------- --------------------------------------------
asocum02-xxxxx-xx_server  rest-api  https://asocum02.xxxxx.xx:9443/acq/ontap/ems
snmp-traphost             snmp      - (from "system snmp traphost")
2 entries were displayed.

FAS27DX1::>

Unfortunately, the outdated/expired client certificate still cannot be deleted. However, the error message now names the correct host (asocum02); previously it always named the host that no longer exists (asocum01):

The certificate could not be removed due to the following conflicts: The certificate issued by "xxxxxxxx-911f-xxxx-xxxx-xxxxxxxxxxx" with serial number "1Dxxxxxx" is in use by the rest-api EMS destination "asocum02-xxxxx-xx_server" and cannot be removed.

Here are the expired and the current certificate:

FASxxxxx::> security certificate show -common-name xxxxxxxx-911f-xxxx-xxxx-xxxxxxxxxx
Vserver    Serial Number   Certificate Name                       Type
---------- --------------- -------------------------------------- ------------
FASxxxxx   1Dxxxxxx        xxxxxxxx-911f-xxxx-xxxx-xxxxxxxxxx   client
    Certificate Authority: xxxxxxxx-911f-xxxx-xxxx-xxxxxxxxxx
          Expiration Date: Sun Feb 25 09:40:52 2024

FASxxxxx   4Cxxxxxx        xxxxxxxx-911f-xxxx-xxxx-xxxxxxxxxx_4Cxxxxxx
                                                                  client
    Certificate Authority: xxxxxxxx-911f-xxxx-xxxx-xxxxxxxxxx
          Expiration Date: Mon May 28 10:23:18 2029
2 entries were displayed.

FASxxxxx::>

So far, everything seems to be working and only the error message about an expired certificate appears every day. Do you have any ideas on how to remove the expired certificate?

Many thanks and best regards

Michael
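As an added example (constructed for this thread; it is not code from the post or from NetApp), the following Python script parses the two kinds of output shown above, the `security certificate show` listing and the conflict message returned on delete, and reports which certificates have expired and whether the rest-api EMS destination is still pinned to an expired serial. The sample data is constructed from the thread's anonymised placeholders, the column layout is assumed to match the listing above, and the script only reads text; it does not run any ONTAP command.

```python
"""Audit which ONTAP client certificate an EMS rest-api destination is pinned to.

Added example for this thread: parses the (anonymised) output of
'security certificate show' and the conflict message returned on delete,
then reports which certificates have expired and whether the destination
still references an expired serial.  The sample data below is constructed
to mirror the thread's placeholders; it is not real certificate data.
"""
import re
from datetime import datetime

# Constructed sample, modelled on the thread's 'security certificate show' output.
SAMPLE_CERT_SHOW = """\
Vserver    Serial Number   Certificate Name                       Type
---------- --------------- -------------------------------------- ------------
FASxxxxx   1Dxxxxxx        xxxxxxxx-911f-xxxx-xxxx-xxxxxxxxxx   client
    Certificate Authority: xxxxxxxx-911f-xxxx-xxxx-xxxxxxxxxx
          Expiration Date: Sun Feb 25 09:40:52 2024

FASxxxxx   4Cxxxxxx        xxxxxxxx-911f-xxxx-xxxx-xxxxxxxxxx_4Cxxxxxx
                                                                  client
    Certificate Authority: xxxxxxxx-911f-xxxx-xxxx-xxxxxxxxxx
          Expiration Date: Mon May 28 10:23:18 2029
2 entries were displayed.
"""

# Constructed sample of the conflict message the delete command returned.
SAMPLE_CONFLICT = (
    'The certificate could not be removed due to the following conflicts: '
    'The certificate issued by "xxxxxxxx-911f-xxxx-xxxx-xxxxxxxxxxx" with serial '
    'number "1Dxxxxxx" is in use by the rest-api EMS destination '
    '"asocum02-xxxxx-xx_server" and cannot be removed.')

CONFLICT_RE = re.compile(
    r'issued by "(?P<ca>[^"]+)" with serial number "(?P<serial>[^"]+)" '
    r'is in use by the (?P<kind>\S+) EMS destination "(?P<dest>[^"]+)"')


def parse_certificate_show(text):
    """Return one dict per certificate row; handles the wrapped Type column."""
    certs, cur = [], None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        # Skip the column header, the dashed ruler and the trailing summary line.
        if (stripped.startswith('Vserver') or stripped.startswith('---')
                or 'entries were displayed' in stripped):
            continue
        if not raw[0].isspace():
            # A new certificate row: Vserver, Serial, Name and (optionally) Type.
            parts = stripped.split()
            cur = {'vserver': parts[0], 'serial': parts[1], 'name': parts[2],
                   'type': parts[3] if len(parts) > 3 else None,
                   'ca': None, 'expires': None}
            certs.append(cur)
        elif cur is None:
            continue
        elif ':' in stripped:
            key, _, value = stripped.partition(':')
            value = value.strip()
            if key == 'Certificate Authority':
                cur['ca'] = value
            elif key == 'Expiration Date':
                cur['expires'] = datetime.strptime(value, '%a %b %d %H:%M:%S %Y')
        else:
            cur['type'] = stripped  # Type column wrapped onto its own line.
    return certs


def parse_conflict(message):
    """Extract CA, serial, destination kind and name from the conflict text."""
    m = CONFLICT_RE.search(message)
    return m.groupdict() if m else None


def audit(cert_text, conflict_message, now=None):
    """Cross-reference the certificate list against the destination's pinned serial.

    'now' may be a datetime or an ISO date string; it defaults to the current time.
    """
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    certs = parse_certificate_show(cert_text)
    conflict = parse_conflict(conflict_message)
    pinned = None
    if conflict:
        pinned = next((c for c in certs if c['serial'] == conflict['serial']), None)
    expired = [c for c in certs if c['expires'] is not None and c['expires'] < now]
    # Valid client certificates from the same CA as the pinned one are the
    # candidates the destination should reference before the old one is deleted.
    replacements = [c for c in certs
                    if c is not pinned and c['type'] == 'client'
                    and c['expires'] is not None and c['expires'] >= now
                    and (pinned is None or c['ca'] == pinned['ca'])]
    return {
        'destination': conflict['dest'] if conflict else None,
        'pinned': pinned,
        'pinned_expired': any(c is pinned for c in expired),
        'expired': expired,
        'replacements': replacements,
    }


if __name__ == '__main__':
    report = audit(SAMPLE_CERT_SHOW, SAMPLE_CONFLICT, '2024-06-01')
    for c in report['expired']:
        print(f"expired: serial {c['serial']} ({c['name']}) on {c['expires']:%Y-%m-%d}")
    if report['pinned_expired']:
        print(f"destination {report['destination']} still references expired serial "
              f"{report['pinned']['serial']}; valid candidates: "
              f"{[c['serial'] for c in report['replacements']]}")
```

The useful signal in real output is the serial quoted in the conflict message: both certificates here share one common name, and the destination's binding is by serial, so the expired 1Dxxxxxx entry stays undeletable for as long as the rest-api destination references it rather than the valid 4Cxxxxxx entry from the same CA.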

MarcoLuvisi

Hello @Michael_K

In my opinion, if it's possible, I would remove the storage from AIQUM and clean up the FAS of certificates and other things pointing to the old AIQUM.
From here: https://docs.netapp.com/us-en/active-iq-unified-manager/index.html search for the settings on the ONTAP side of AIQUM.
