Microsoft Virtualization Discussions

Expired certificates causing NetApp.ONTAP PSTK 9.13.1 install to fail

KevinMDavis
5,380 Views

We are moving a Workday environment and it's dependent upon using the PSTK commandlets for all user provisioning, onboarding and offboarding. PS v. 5.1, PSTK 9.13.1. 
We cannot install any version without hitting the same error.  It appears all the PSTK downloads are shipping with expired certs.  The certs expired 2 days ago on 10/13:
certs-expirted.png

 

PS C:\Windows\system32> install-module Netapp.Ontap -force -scope AllUsers

PackageManagement\Install-Package : The module 'NetApp.ONTAP' cannot be installed or updated because the authenticode

signature of the file 'NetApp.ONTAP.psd1' is not valid.

At C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1809 char:21

+ ... $null = PackageManagement\Install-Package @PSBoundParameters

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : InvalidOperation: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package],

Exception

+ FullyQualifiedErrorId : InvalidAuthenticodeSignature,ValidateAndGet-AuthenticodeSignature,Microsoft.PowerShell.P

ackageManagement.Cmdlets.InstallPackage

Failed to install or import required PSModules The following error occurred while loading the extended type data file: , C:\Program Files (x86)\WindowsPowerShell\Modules\NetApp.ONTAP\9.13.1.2306\DataONTAP.Type.ps1xml: The file was skipped because of the following validation exception: File C:\Program Files (x86)\WindowsPowerShell\Modules\NetApp.ONTAP\9.13.1.2306\DataONTAP.Type.ps1xml cannot be loaded. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file..

, C:\Program Files (x86)\WindowsPowerShell\Modules\NetApp.ONTAP\9.13.1.2306\DataONTAP.C.Type.ps1xml: The file was skipped because of the following validation exception: File C:\Program Files (x86)\WindowsPowerShell\Modules\NetApp.ONTAP\9.13.1.2306\DataONTAP.C.Type.ps1xml cannot be loaded. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file..

1 ACCEPTED SOLUTION

saharsh
4,782 Views

Hi Team,
The certificate on Toolchest has been renewed, and the toolkit is now functioning properly. We kindly invite you to download it from the link below.

 

https://mysupport.netapp.com/site/tools/tool-eula/ontap-powershell-toolkit/download


Additionally, we will be addressing this issue on the PowerShell Gallery as well.

Thank you for your understanding.

 

View solution in original post

30 REPLIES 30

KevinMDavis
4,383 Views

Really, it appears that the developers here have missed the expiry on these certs, and need to issue new ones that need to be part of all the version downloads.  It's hard to imagine that we're the only environment enforcing code-signing.

psx
NetApp
4,272 Views

You are not.

 

A customer of mine is facing the same...er...challenge.

 

Please open a case, I will let them do the same.

psx
NetApp
4,223 Views

Rumor has it, that NetApp is aware of the issue and are actively working on a resolution.
As a workaround please download the PSTK from the support page (<https://mysupport.netapp.com/site/tools/tool-eula/ontap-powershell-toolkit>), don't use the MS PowerShell gallery version.

KevinMDavis
4,209 Views

Thanks, psx.

But, we had already tried the version from the support page in addition to the PowerShell Gallery version. Tried 9.15 as well....
We'll await notification from the devs that this is done.  But man, if they're going to let these expire, releasing current code with a cert expiration that's looming is a big miss on their part, QA-wise.

psx
NetApp
4,207 Views

Hi Kevin,

 

just back from testing the support page version, and you are correct, of course. The certificate is the same expired one.

Let's hope for a quick fix.

WhollyJoe
4,203 Views

I agree that one can 'get' the PSTK files from the support site, but alas, as of now it is still signed using the cert that expired on 10/13/2024. 

brnosanse
4,126 Views

Spent half day to figure this out... Just to find your discussion... I mean, everything is so "secure" these days, that everyone has to waste time on totally useless troubleshooting.
Corporate like Netapp should do better than this.
Not to mention that I really fear what will happen after the powershell is discontinued, I have thousands of lines of automation, hope for some good AI to "translate" by that time 😄
It is disaster that it will not work the same anymore...

KevinMDavis
4,124 Views

I hear you.  I can't imagine (ok, I can), that NetApp would simply shelve and stop maintaining the PSTK.  At the least, I would hope they'd totally open-source it so it could maintained by the "community".  As it is they've abdicated supporting it to the community, so they really ought to hand over the whole thing. Good luck on the AI solution; I can only speak for ChatGPT, which I spend more time correcting and teaching it then it does providing me with usable code.

AndrewPDX
4,072 Views

Running into this issue as well, glad I found this thread before continuing to bang my head on our modules trying to figure out why they weren't working. Subscribed in the hopes that they push out a fix soon..

KevinMDavis
4,064 Views

We opened a support case yesterday, and escalated it today (because, surprise surprise, despite it being a P2 by 13:45 ET today we'd rec'd zero response).  After escalation, we were told the PSTK development team was made aware and it had eyes on it.

Given that this is essentially and easy fix (generate a new cert; sign the code with it; upload the new versions to the Support Site and PowerShell Gallery), we expect tomorrow. 🤞

AndrewPDX
4,057 Views

Great to hear! Thanks for jumping on this, fingers crossed for an update tomorrow. 

Sanaman
4,000 Views

This is for my information only.

 

I am running PS 7.4.5 and I don't have any issues installing PSTK 9.13.1.2306. In fact, I am running PSTK more then 2months now. What is the cert issue?

 

Scripts> get-natoolkitversion

Major Minor Build Revision
----- ----- ----- --------
9 13 1 2306

 

Thanks

 

KevinMDavis
3,363 Views

Typically this breaks when you're working in an environment that enforces code signing (if you're not, you oughta be looking into that...).  PS tools are widely available, and to consider that malicious code could sneak into a public download is hardly outside the realm of possibility in this day and age.

saharsh
3,936 Views
The certificates for PSTK are currently being renewed in preparation for the upcoming 9.16.1 release.
 
We are actively working on a resolution.
 
As workaround please PowerShell in administrator mode and execute the command `Set-ExecutionPolicy Unrestricted` to allow the package to run without errors.

scalhoon
327 Views

What makes this problem worse is that the certificate that signed 9.14, and previous versions, is currently expired on the repository and did not include a timestamp server, so rolling back to any previous version is not possible unless you have your Execution Policy set to Unrestricted, which will ignore issue code-signing issues. The current guidance provided by NetApp regarding the expired code-signing certificate is to ignore code-signing with the Unrestricted policy, or download the code from NetApp support, however NetApp support only provides the latest 9.15 version containing the transient flag bug. Our company enforces code-signing, so setting the Execution Policy to Unrestricted is not an option.

 

Hey NetApp, next time you code-sign something, include a timestamp server, so the signature is not invalidated when your code signing certificate expires, since the timestamp server proves the signature was created when the certificate was valid, thus the signature stays valid even after the code-signing certificate expires.

 

I worked around this by downloading the nuget 'nupkg' file for the 9.14.1.2401 version from the manual tab on the repository page, which is just a renamed .zip file. I extraced everything to "C:\Program Files\WindowsPowerShell\Modules\NetApp.ONTAP\9.14.1.2401", minus the nuget specific folders: package, webhelp, webhelp.C, and _rels. I also did not extract the [Content_Types].xml file.

2024-11-15_15-44-25.jpg

saharsh
4,783 Views

Hi Team,
The certificate on Toolchest has been renewed, and the toolkit is now functioning properly. We kindly invite you to download it from the link below.

 

https://mysupport.netapp.com/site/tools/tool-eula/ontap-powershell-toolkit/download


Additionally, we will be addressing this issue on the PowerShell Gallery as well.

Thank you for your understanding.

 

brnosanse
3,751 Views

Hello, is there a way to download old version - 9.10.1.2111?

I need old version because it is last version which working with my scripts since Netapp (to my annoyance) changed commands and many does not work without some special switches such as -ONTAPI or -ZAPICALL or such (I don’t remember exactly).

I have thousands of lines of automation which I will be throwing out later (probably resigning my position also, because without this automation I am unable to manage 150+ systems)

saharsh
3,457 Views

We'll provide the new release for 9.10.1.2111 also

MartinKøhrsen
3,739 Views

When can we expect powershell gallery to be updated ?

MartinKøhrsen
3,738 Views

Additionally, i would not consider this issue "fixed", when the public powershell gallery download part is not yet fixed...

Public