Active IQ Unified Manager Discussions
Dear community,
The following entry can be found in the event log of our FAS2750 (ONTAP 9.13.N):
"mgmtgwd.certificate.expired: A digital certificate with Fully Qualified Domain Name (FQDN) nnnnnnnn-911f-47c7-b1c1-nnnnnnnnnnnn, Serial Number nnnnnnnn, Certificate Authority 'nnnnnnnn-911f-47c7-b1c1-nnnnnnnnnnnn' and type client for Vserver FASxxxxxx has expired."
The certificate has expired and is no longer needed because the affected AIQUM host no longer exists and has been replaced by another one (with a new hostname).
The problem is that the certificate cannot be deleted because the old AIQUM host no longer exists:
The certificate could not be removed due to the following conflicts: The certificate issued by "nnnnnnnn-911f-47c7-b1c1-nnnnnnnnnnn" with serial number "nnnnnnnn" is in use by the rest-api EMS destination "hostname-bbbbb-de_server" and cannot be removed.
The listed destination no longer exists - how can I delete the certificate entry anyway?
Any idea?
Thanks
Best regards
Michael
Hello @Michael_K
I think you have configured the Event Management System to point to the old AIQUM. Look at "event notification destination" and delete the old entry.
Bye.
Hello MarcoLuvisi,
Thank you for your answer.
You were right, there were actually two entries in the "event notification destination". One from the old host (asocum01), which no longer exists, and one from the current host (asocum02).
I have deleted the old entry so that only the current entry for the AIQUM host is still included:
FASxxxxx::> event notification destination show
Name Type Destination
-------------- ---------- ---------------------
asocum02-xxxxx-xx_server
rest-api https://asocum02.xxxxx.xx:9443/acq/ontap/ems
snmp-traphost snmp - (from "system snmp traphost")
2 entries were displayed.
FAS27DX1::>
Unfortunately, the outdated/expired client certificate still cannot be deleted. However, the correct host (asocum02) now appears in the error message; previously it was always the no-longer-existing one (asocum01):
The certificate could not be removed due to the following conflicts: The certificate issued by "xxxxxxxx-911f-xxxx-xxxx-xxxxxxxxxxx" with serial number "1Dxxxxxx" is in use by the rest-api EMS destination "asocum02-xxxxx-xx_server" and cannot be removed.
Here is the expired and current certificate:
FASxxxxx::> security certificate show -common-name xxxxxxxx-911f-xxxx-xxxx-xxxxxxxxxx
Vserver Serial Number Certificate Name Type
---------- --------------- -------------------------------------- ------------
FASxxxxx 1Dxxxxxx xxxxxxxx-911f-xxxx-xxxx-xxxxxxxxxx client
Certificate Authority: xxxxxxxx-911f-xxxx-xxxx-xxxxxxxxxx
Expiration Date: Sun Feb 25 09:40:52 2024
FASxxxxx 4Cxxxxxx xxxxxxxx-911f-xxxx-xxxx-xxxxxxxxxx_4Cxxxxxx
client
Certificate Authority: xxxxxxxx-911f-xxxx-xxxx-xxxxxxxxxx
Expiration Date: Mon May 28 10:23:18 2029
2 entries were displayed.
FASxxxxx::>
So far, everything seems to be working and only the error message about an expired certificate appears every day. Do you have any ideas on how to remove the expired certificate?
Many thanks and best regards
Michael
Hello @Michael_K
In my opinion, if it's possible, I would remove the storage from AIQUM and clean up the FAS from certificates and other things pointing to the old AIQUM.
From here: https://docs.netapp.com/us-en/active-iq-unified-manager/index.html search for the settings on the ONTAP side of AIQUM.