ONTAP Discussions

SSL certificate problem: self signed certificate in certificate chain

JPick

We are trying to download firmware on a new 9.7P6 controller. Here is the error received:

Error: command failed on node xxxx-xx: Download failed. Reason: Failed to download package from dir/netapp/local/dqp04022021/qual_devices.zip. Reason: SSL peer certificate or SSH remote key was not OK: SSL certificate problem: self signed certificate in certificate chain.

I looked at certificates, protocols, ciphers....everything looks OK. Any suggestions?

1 ACCEPTED SOLUTION

CHRISMAKI

This error sounds like a problem with the host the cluster is trying to connect to and less like a problem with the cluster. What was the command you used to try and grab the new qual_devices.zip?

JPick

storage firmware download -node * -package-url https://dir/netapp/local/dqp04022021/qual_devices.zip

-Thx

CHRISMAKI

This is going to try and make an HTTPS request to a host named "dir" which I'm assuming doesn't exist on your network. The command should be:

storage firmware download -node * -package-url http://<web-server>/path/qual_devices.zip

Where you've replaced <web-server> with a host that you've uploaded the file to.

CHRISMAKI

Full instructions can be found here.

JPick

The command is correct...I was just trying to anonymize the server and path. I will look upstream at the host.

-Thx for your quick responses.

CHRISMAKI

Is the web server also listening unencrypted on port 80? If so, you could try reverting to HTTP.

TMACMD

When you see that particular error, you should try HTTP instead of HTTPS.

More than likely you have a certificate that is expired or a problem with a root/int server-ca cert.

tpeter

Use an HTTPS server with, e.g., a company-signed certificate (AD certsrv).

Upload the company CA root certificate to the NetApp box.

::> security certificate install -vserver [vserver name] -type server-ca

Use HTTPS to download the firmware from the server.

::> system firmware download -package https://.../.zip

Also, I have put a company-signed certificate on my NetApp boxes.

Hope it helps.
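Added example, not part of any post in this thread: a local reproduction with the openssl CLI of the verify error quoted in the question (OpenSSL error 19) and of the effect of trusting the issuing root, which is what installing a server-ca certificate does on the cluster. The root CA, the host name and all file names are constructed for the demo, and openssl verify stands in for the cluster's own trust check.

```shell
#!/bin/sh
# Constructed lab PKI: a throwaway root CA and one web-server leaf certificate.
make_constructed_pki() (   # $1 = existing empty working directory
    cd "$1" || exit 1
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout root.key -out root.pem -days 2 \
        -subj "/CN=Constructed Company Root CA" 2>/dev/null &&
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout leaf.key -out leaf.csr \
        -subj "/CN=webserver.example.internal" 2>/dev/null &&
    openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile pki.cnf -extensions v3_leaf -days 2 -out leaf.pem 2>/dev/null
)

# Server presents leaf + root, client does not trust the root:
# error 19, "self signed certificate in certificate chain".
verify_root_untrusted() ( cd "$1" && openssl verify -untrusted root.pem leaf.pem 2>&1 || true )

# Server presents only the leaf and the client has no matching root:
# error 20, "unable to get local issuer certificate".
verify_leaf_only() ( cd "$1" && openssl verify leaf.pem 2>&1 || true )

# Same leaf once the root is in the client's trust store: "leaf.pem: OK".
verify_root_trusted() ( cd "$1" && openssl verify -CAfile root.pem leaf.pem 2>&1 || true )

demo_dir=$(mktemp -d)
make_constructed_pki "$demo_dir"
echo "--- root sent but not trusted";  verify_root_untrusted "$demo_dir"
echo "--- leaf only, no root known";   verify_leaf_only "$demo_dir"
echo "--- root installed as trusted";  verify_root_trusted "$demo_dir"
rm -rf "$demo_dir"
```

Error 19 rather than error 20 means the server did send its full chain; what is missing is the root in the client's trust store, so the certificate to install is that chain's root.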
