Microsoft Virtualization Discussions

Highlighted

Risk Resolver - Certificate Renew/Recreate

Current Version:  1.5

 

Clustered Data ONTAP (also known as ONTAP) uses self-signed certificates by default for management
of the environment. These certificates have a typical expiration date of 1 year (365 days).
This KB describes the process to recreate the certificates:

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_renew_an_SSL_certificate_in_ONTAP_9

 

This script handles the steps outlined in the article by doing the following:

  • Connecting to a cluster
  • Collecting all existing certificates
  • Ensuring the certificate is self-signed
  • Deletes the self-signed certificate
  • Creates a new certificate with the same properties as the previous one with a 10 year expiration
  • Configures SSL on the SVM to use the new certificate

 

Article link updated by Admin on Sept 29, 2020.

23 REPLIES 23
Highlighted

Re: Risk Resolver - Certificate Renew/Recreate

Updated to 1.1 with some additional prompts prior to recreating certificates.

Highlighted

Re: Risk Resolver - Certificate Renew/Recreate

Updated version to 1.2 to resolve issue with ONTAP 9 and enahancing the checks for self-signed certificates. 

Highlighted

Re: Risk Resolver - Certificate Renew/Recreate

Excellent work, thank you!

Highlighted

Re: Risk Resolver - Certificate Renew/Recreate

Hi

 

Trying to test this at the moment but i getting the following error on the following lines -

 

You cannot call a method on a null-valued expression.
At line:302 char:9
+         $GetCertificateResults = $GetCertificateResults.ToString()

 

and

 

You cannot call a method on a null-valued expression.
At line:304 char:13
+         If ($GetCertificateResults.contains($SerialNumber)) {

 

Do you have any ideas ?

 

Thanks

 

 

===============

 

===============

 

===============

 

 

Edit Ignore This - redownloaded the file and the formatting was fixed.

Highlighted

Re: Risk Resolver - Certificate Renew/Recreate

Sorry I wasn't able to respond earlier.  I saw your edit - are you OK now? 

Highlighted

Re: Risk Resolver - Certificate Renew/Recreate

Getting the same errors as EHooper, unfortunately a redownload didn't correct the issue for me. Any ideas on what could be causing the errors?

 

You cannot call a method on a null-valued expression.
At C:\Users\REDACTED\Downloads\RiskResolverCertificate.ps1:308 char:9
+         $GetCertificateResults = $GetCertificateResults.ToString()
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
You cannot call a method on a null-valued expression.
At C:\Users\REDACTED\Downloads\RiskResolverCertificate.ps1:310 char:13
+         If ($GetCertificateResults.contains($SerialNumber)) {
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
Highlighted

Re: Risk Resolver - Certificate Renew/Recreate

That set of results are achieved from an "Invoke-NcSsh" cmdlet.  Starting in the most recent versions of the NetApp PowerShell Toolkit, Putty version 0.70 is required to run SSH commands.  It isn't exactly clear in the installer, but talks about it in the FAQ.  Can you install that verison of Putty and ensure it is in your path and then attempt the script again?  

Highlighted

Re: Risk Resolver - Certificate Renew/Recreate

Hi

 

You get this error if you open the text file first then then copy it into powershell or ISE. The reason for this is the the line that is below

 

"#sleep between invoke SSH runs to ensure ONTAP is ready"

 

is all bunched up into one line and then the varible will be null because it wont run. When you open the file in ISE originally you will see it like this

 

Line 1 #Only return if shows as self-signed, had to reduce fields for ONTAP to return successfully

 

Line 2 #$GetCertificateCommand = "security certificate show -common-name $CommonName -serial $SerialNumber -ca $CertificateAuthority -type  $Type -size $Size -start $StartDateDT -expiration $ExpirationDateDT -public-cert $PublicCertificate -country $Country -state $State -locality $Locality -organization $Organization -unit $OrganizationUnit -email-addr $EmailAddress -protocol $Protocol -hash-function $HashFunction -self-signed true"       

 

Line 3 - $GetCertificateCommand = "security certificate show -common-name $CommonName -serial $SerialNumber -ca $CertificateAuthority -type  $Type -protocol $Protocol -hash-function $HashFunction -self-signed true"

 

Line - 4 $GetCertificateResults = Invoke-NcSsh $GetCertificateCommand

 

Line - 5 $GetCertificateResults = $GetCertificateResults.ToString()

Highlighted

Re: Risk Resolver - Certificate Renew/Recreate

Also MCGUE

 

i noticed that there was an error on the following line in your original script -

 

#The script will now check if the current cerificate is node specific
            If (($NumberOfNodes -ne 1 -and $Nodes -contains $Vserver) -or ($NumberOfNodes -eq 1 -and $Nodes.Node -eq $Vserver)) {

 

I had to change it to

 

#The script will now check if the current cerificate is node specific
            If (($NumberOfNodes -ne 1 -and $Nodes.node -contains $Vserver) -or ($NumberOfNodes -eq 1 -and $Nodes.Node -eq $Vserver)) {

 

If the .node isnt added it wont pick up the node names when you have multiple nodes. I tested both ways and .nodes wwas the only one that made it work.

Highlighted

Re: Risk Resolver - Certificate Renew/Recreate

Mcgue,

 

Thank you for the reply. Putty 0.70 is installed on my system and I am still encountering the same error. You mentioned that I should ensure that Putty is installed in my path. Is there a specific location that I am supposed to install putty?

Highlighted

Re: Risk Resolver - Certificate Renew/Recreate

 
Highlighted

Re: Risk Resolver - Certificate Renew/Recreate

@EHooper

 

Thanks for digging into that!  That's one of the challenges here is that the community site won't allow .ps1 attachments so it has to be text.  Great work - thanks again.

Highlighted

Re: Risk Resolver - Certificate Renew/Recreate

@mwt

 

Two thinigs.  First to make sure putty is working correctly you can see your PATH statement with the "set" command from the command prompt.  You can also execute "putty.exe" from any directory you are CD'ed into and it should launch.

 

The other thing is look at EHooper's post about issues with copying the script out from a download.  We can only attach txt files so the way you download or copy might have formatting issues when saved as a .ps1.

Highlighted

Re: Risk Resolver - Certificate Renew/Recreate

@EHooper

 

Your note about the command line, are you using version 1.3 of the script?  That is what should be attached here and that line is different in this version (including the difference you noted with the node parameter).

Highlighted

Re: Risk Resolver - Certificate Renew/Recreate

please ignore this reply, sorry.

Check out the KB!
Knowledge Base
All Community Forums