Ask The Experts
Our OnTap 9.5 P3 clusters have started complaining about three certificates that are going to expire:
Jun 9 - 1 times(s): terraba [Terraba-01:mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) Class2PrimaryCA, Serial Number 85BD4BF3D8DAE369F694D75FC3A54423, Certificate Authority 'Class 2 Primary CA' and type server-ca for Vserver Terraba will expire in the next 26 day(s). [user.err.3]
Jun 9 - 1 times(s): terraba [Terraba-01:mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) DeutscheTelekomRootCA2, Serial Number 26, Certificate Authority 'Deutsche Telekom Root CA 2' and type server-ca for Vserver Terraba will expire in the next 29 day(s). [user.err.3]
Jun 9 - 1 times(s): terraba [Terraba-01:mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) UTN-USERFirst-Hardware, Serial Number 44BE0C8B500024B411D3362AFE650AFD, Certificate Authority 'UTN-USERFirst-Hardware' and type server-ca for Vserver Terraba will expire in the next 29 day(s). [user.err.3]
Those certificates are not ones that we use and we really don't know the best way forward here. We did open a case and were told to just delete them and create new ones, but the problem is that the "security certificate create" process will only allow for the creation of "server" type certificates while the ones in question are "server-ca" certificates.
Are they really needed? Can they just be deleted and not re-created?
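The three EMS messages quoted in the question can be parsed into an inventory for triage. The following is an added example, not code from the thread or from NetApp: it extracts the fields from those lines (plus one constructed 'server' type line with a hypothetical FQDN and serial) and separates the 'server-ca' entries, which "security certificate create" cannot recreate, from 'server' certificates that it can.

```python
import re
from collections import namedtuple

# Constructed sample input: the three EMS lines quoted in the question plus one
# made-up 'server' type line (hypothetical FQDN and serial) for contrast.
SAMPLE_LOG = """\
Jun 9 - 1 times(s): terraba [Terraba-01:mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) Class2PrimaryCA, Serial Number 85BD4BF3D8DAE369F694D75FC3A54423, Certificate Authority 'Class 2 Primary CA' and type server-ca for Vserver Terraba will expire in the next 26 day(s). [user.err.3]
Jun 9 - 1 times(s): terraba [Terraba-01:mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) DeutscheTelekomRootCA2, Serial Number 26, Certificate Authority 'Deutsche Telekom Root CA 2' and type server-ca for Vserver Terraba will expire in the next 29 day(s). [user.err.3]
Jun 9 - 1 times(s): terraba [Terraba-01:mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) UTN-USERFirst-Hardware, Serial Number 44BE0C8B500024B411D3362AFE650AFD, Certificate Authority 'UTN-USERFirst-Hardware' and type server-ca for Vserver Terraba will expire in the next 29 day(s). [user.err.3]
Jun 9 - 1 times(s): terraba [Terraba-01:mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) terraba.example.net, Serial Number 0A1B2C3D, Certificate Authority 'terraba.example.net' and type server for Vserver Terraba will expire in the next 12 day(s). [user.err.3]
"""

# Field layout of the mgmtgwd.certificate.expiring message as shown above.
PATTERN = re.compile(
    r"\[(?P<node>[^:\]]+):mgmtgwd\.certificate\.expiring:\w+\]: "
    r"A digital certificate with Fully Qualified Domain Name \(FQDN\) (?P<fqdn>\S+), "
    r"Serial Number (?P<serial>\S+), Certificate Authority '(?P<ca>[^']*)' "
    r"and type (?P<ctype>\S+) for Vserver (?P<vserver>\S+) "
    r"will expire in the next (?P<days>\d+) day\(s\)"
)

# ctype is 'server' or 'server-ca' as reported by ONTAP.
ExpiringCert = namedtuple("ExpiringCert", "node vserver fqdn serial ca ctype days_left")

def parse_expiring(log_text):
    """Extract one ExpiringCert per matching EMS line; unrelated lines are skipped."""
    certs = []
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:
            certs.append(ExpiringCert(m["node"], m["vserver"], m["fqdn"], m["serial"],
                                      m["ca"], m["ctype"], int(m["days"])))
    return certs

def triage(certs, within_days=30):
    """Group certs expiring within the window by type, soonest first, deduplicated on
    (vserver, serial) because EMS repeats the alert daily. 'server' certs can be renewed
    with 'security certificate create'; 'server-ca' entries need check-usage-then-delete."""
    grouped, seen = {}, set()
    for c in sorted(certs, key=lambda c: c.days_left):
        if c.days_left > within_days or (c.vserver, c.serial) in seen:
            continue
        seen.add((c.vserver, c.serial))
        grouped.setdefault(c.ctype, []).append(c)
    return grouped

if __name__ == "__main__":
    for ctype, items in triage(parse_expiring(SAMPLE_LOG)).items():
        print(ctype, [(c.fqdn, c.days_left) for c in items])
```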
I saw this on my Netapp and put in a case. The technician pointed me toward a bug report, the mitigation steps are to delete the expired certificates.
I wrote down a step-by-step for how I did it (easier to follow than the netapp article) here: https://www.kieri.com/netapp-3rd-party-ca-certificates-expiring-deutschetelekomrootca2/
These certificates *appear* to be Root CA certificates that are expiring and as far as I can tell are not being renewed, but I have been working with my account team on this exact same issue and am awaiting a response from NetApp as to what the official word will be on these expiring certificates. When I hear back, I'll update this thread with their guidance.
I had been told to follow the steps in https://kb.netapp.com/app/answers/answer_view/a_id/1032196/loc/en_US#__highlight (delete the current certificates, then create new ones with the same name/attributes) which just seems weird.
These certs are used for the web services (https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-930%2Fvserver__services__web__show.html) that are enabled on the data vserver. If the data vserver doesn't have management LIFs (and the services will not show in the command above), or you don't have a client that needs to access these services directly on the vserver, you can just disable SSL for this vserver and delete the certs.
If you want to renew it from an external Microsoft CA - see my answer here:
Alternatively, use the article provided by @Stormont and generate a self-signed cert.
Guidance from our NetApp SE is that they are not needed (at least for our environment, you'll want to verify in yours) and to let them expire, then delete them a few weeks later once there is no confirmed impact.
Hello,
According to the KB, do you agree that certificates not shown with "security ssl show" are not in use and can be safely removed?
I'm somewhat blown away that NetApp hasn't addressed this clearly in a KB article. I just opened a case this morning and the techs I've spoken with so far seem to only be familiar with the SSL renewal process, which we've done. I'm on vacation all week so hopefully I'll get an answer today! Please post if someone has insight on this topic.
Interestingly enough it actually prevents you from setting up a new cluster. You get the following error on a brand new system:
Vserver Management .Error: Failed to add the Cserver record in RDB . The certificate has expired.
I had to put the system date back to 6/1/2019 to create the cluster.
They're tracking the setup/upgrade issue in 1250500. Fix versions (9.3P14, 9.5P6, 9.6 GA) should be available next week.
Question: how will people (such as myself) upgrade to 9.4 before upgrading to 9.5 without a patch for this issue in 9.4 code?