Ask The Experts

SSL certificates that ship with OnTap are expiring. Are they really needed?

Stormont
12,667 Views

Our OnTap 9.5 P3 clusters have started complaining about three certificates that are going to expire:


Jun 9 - 1 times(s): terraba [Terraba-01:mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) Class2PrimaryCA, Serial Number 85BD4BF3D8DAE369F694D75FC3A54423, Certificate Authority 'Class 2 Primary CA' and type server-ca for Vserver Terraba will expire in the next 26 day(s). [user.err.3]
Jun 9 - 1 times(s): terraba [Terraba-01:mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) DeutscheTelekomRootCA2, Serial Number 26, Certificate Authority 'Deutsche Telekom Root CA 2' and type server-ca for Vserver Terraba will expire in the next 29 day(s). [user.err.3]
Jun 9 - 1 times(s): terraba [Terraba-01:mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) UTN-USERFirst-Hardware, Serial Number 44BE0C8B500024B411D3362AFE650AFD, Certificate Authority 'UTN-USERFirst-Hardware' and type server-ca for Vserver Terraba will expire in the next 29 day(s). [user.err.3]


Those certificates are not ones that we use and we really don't know the best way forward here.  We did open a case and were told to just delete them and create new ones, but the problem is that the "security certificate create" process will only allow for the creation of "server" type certificates while the ones in question are "server-ca" certificates.


Are they really needed?  Can they just be deleted and not re-created?

1 ACCEPTED SOLUTION

Kieri
11,565 Views

I saw this on my Netapp and put in a case.  The technician pointed me toward a bug report; the mitigation steps are to delete the expired certificates.

I wrote down a step-by-step for how I did it (easier to follow than the netapp article) here:  https://www.kieri.com/netapp-3rd-party-ca-certificates-expiring-deutschetelekomrootca2/


10 REPLIES

donny_lang
12,543 Views

These certificates *appear* to be Root CA certificates that are expiring and as far as I can tell are not being renewed, but I have been working with my account team on this exact same issue and am awaiting a response from NetApp as to what the official word will be on these expiring certificates. When I hear back, I'll update this thread with their guidance. 

Stormont
12,536 Views

I had been told to follow the steps in https://kb.netapp.com/app/answers/answer_view/a_id/1032196/loc/en_US#__highlight  (delete the current certificates, then create new ones with the same name/attributes) which just seems weird.  

GidonMarcus
12,359 Views

These certs are used for the web services (https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-930%2Fvserver__services__web__show.html) that are enabled on the data vserver. If the data vserver doesn't have management LIFs (and the services will not show in the command above) or you don't have a client that needs to access these services directly on the vserver, you can just disable SSL for this vserver and delete the certs.


If you want to renew it from an external Microsoft CA, see my answer here:

https://community.netapp.com/t5/Data-ONTAP-Discussions/ONTAP-and-Windows-CA-signed-certificate-HOW-TO/td-p/144026


Alternatively, use the article provided by @Stormont and generate a self-signed cert.

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

donny_lang
12,270 Views

Guidance from our NetApp SE is that they are not needed (at least for our environment, you'll want to verify in yours) and to let them expire, then delete them a few weeks later once there is no confirmed impact. 

LORENZO_CONTI
12,054 Views

Hello,
According to the KB, do you agree that certificates not shown with "security ssl show" are not in use and can be safely removed?
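
The triage this thread converges on (the EMS expiry warnings quoted in the original post, cross-checked against the certificate names that "security ssl show" reports as in use) as an added Python example; it is not code from the thread, from NetApp or from ONTAP. It assumes the log year is 2019 (the EMS lines carry no year) and uses a constructed IN_USE set standing in for what you would copy from "security ssl show" on your own cluster; the vserver and certificate names in that set are made up.

```python
"""Triage ONTAP 'mgmtgwd.certificate.expiring' EMS warnings.

Added example for this thread; not code from the thread, NetApp or ONTAP.
Assumptions (not stated on the page):
  - LOG_YEAR: the EMS lines carry no year; 2019 is assumed from the thread.
  - IN_USE: constructed stand-in for the (vserver, certificate) names an
    admin copies from `security ssl show`; edit it to match your cluster.
"""
import re
from datetime import date, timedelta

# Sample input: the three EMS lines quoted in the original post.
EMS_LINES = """\
Jun 9 - 1 times(s): terraba [Terraba-01:mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) Class2PrimaryCA, Serial Number 85BD4BF3D8DAE369F694D75FC3A54423, Certificate Authority 'Class 2 Primary CA' and type server-ca for Vserver Terraba will expire in the next 26 day(s). [user.err.3]
Jun 9 - 1 times(s): terraba [Terraba-01:mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) DeutscheTelekomRootCA2, Serial Number 26, Certificate Authority 'Deutsche Telekom Root CA 2' and type server-ca for Vserver Terraba will expire in the next 29 day(s). [user.err.3]
Jun 9 - 1 times(s): terraba [Terraba-01:mgmtgwd.certificate.expiring:error]: A digital certificate with Fully Qualified Domain Name (FQDN) UTN-USERFirst-Hardware, Serial Number 44BE0C8B500024B411D3362AFE650AFD, Certificate Authority 'UTN-USERFirst-Hardware' and type server-ca for Vserver Terraba will expire in the next 29 day(s). [user.err.3]
"""

LOG_YEAR = 2019  # assumption: EMS lines have no year

# Constructed: the (vserver, certificate name) pair `security ssl show`
# reported as the active server certificate. The three CA entries above are
# deliberately absent, which is the situation the thread describes.
IN_USE = {("Terraba", "terraba-server-cert-2019")}

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Field layout taken from the EMS lines above.
PATTERN = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) - \d+ times\(s\): \S+ "
    r"\[(?P<node>[^:\]]+):mgmtgwd\.certificate\.expiring:(?P<sev>\w+)\]: "
    r"A digital certificate with Fully Qualified Domain Name \(FQDN\) "
    r"(?P<fqdn>[^,\s]+), Serial Number (?P<serial>[0-9A-Fa-f]+), "
    r"Certificate Authority '(?P<ca>[^']+)' and type (?P<ctype>[\w-]+) "
    r"for Vserver (?P<vserver>\S+) will expire in the next (?P<days>\d+) day\(s\)\."
)


def parse_warnings(text, log_year=LOG_YEAR):
    """Return one dict per matching EMS line, with the computed expiry date."""
    found = []
    for line in text.splitlines():
        m = PATTERN.match(line)
        if not m:
            continue  # unrelated EMS line
        logged = date(log_year, MONTHS[m["mon"]], int(m["day"]))
        days = int(m["days"])
        found.append({
            "node": m["node"],
            "vserver": m["vserver"],
            "fqdn": m["fqdn"],
            "serial": m["serial"].upper(),
            "ca": m["ca"],
            "type": m["ctype"],
            "days_left": days,
            "expires_by": logged + timedelta(days=days),
        })
    return found


def triage(warnings, in_use):
    """Attach an 'action' to each warning following the thread's guidance:
    a certificate that `security ssl show` lists is serving TLS and must be
    renewed before it expires; a server-ca trust anchor nothing references
    can be left to expire and deleted once no impact is confirmed; anything
    else needs a human look."""
    for w in warnings:
        if (w["vserver"], w["fqdn"]) in in_use:
            w["action"] = "renew"
        elif w["type"] == "server-ca":
            w["action"] = "delete-after-expiry"
        else:
            w["action"] = "review"
    return warnings


def report(warnings):
    """One line per certificate, soonest expiry first."""
    rows = sorted(warnings, key=lambda w: w["expires_by"])
    return [f"{w['expires_by']} {w['vserver']}/{w['fqdn']} ({w['type']}, "
            f"serial {w['serial']}): {w['action']}" for w in rows]


if __name__ == "__main__":
    for row in report(triage(parse_warnings(EMS_LINES), IN_USE)):
        print(row)
```

Run it against a saved EMS log instead of EMS_LINES to get a list of serials to delete; matching on the (vserver, name) pair rather than the name alone matters because the same CA can be installed on several vservers and only some of them may reference it.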

TMADOCTHOMAS
11,747 Views

I'm somewhat blown away that NetApp hasn't addressed this clearly in a KB article. I just opened a case this morning and the techs I've spoken with so far seem to only be familiar with the SSL renewal process, which we've done. I'm on vacation all week so hopefully I'll get an answer today! Please post if someone has insight on this topic.


JGRUBERFS
11,434 Views

Interestingly enough it actually prevents you from setting up a new cluster. You get the following error on a brand new system:


Vserver Management .Error: Failed to add the Cserver record in RDB . The certificate has expired.


I had to put the system date back to 6/1/2019 to create the cluster.

joebutchinski
11,207 Views

They're tracking the setup/upgrade issue in 1250500. Fix versions (9.3P14, 9.5P6, 9.6 GA) should be available next week.

TMADOCTHOMAS
8,277 Views

Question: how will people (such as myself) upgrade to 9.4 before upgrading to 9.5 without a patch for this issue in 9.4 code?
