ONTAP Discussions

SSL certificate problem: self signed certificate in certificate chain

JPick
6,619 Views

We are trying to download firmware on a new 9.7P6 controller. Here is the error received:

 

Error: command failed on node xxxx-xx: Download failed. Reason: Failed to download package from dir/netapp/local/dqp04022021/qual_devices.zip. Reason: SSL peer certificate or SSH remote key was not OK: SSL certificate problem: self signed certificate in certificate chain.

 

I looked at certificates, protocols, ciphers... everything looks OK. Any suggestions?

1 ACCEPTED SOLUTION

CHRISMAKI
6,612 Views

This error sounds like a problem with the host the cluster is trying to connect to and less like a problem with the cluster. What was the command you used to try and grab the new qual_devices.zip?


8 REPLIES

JPick
6,607 Views

storage firmware download -node * -package-url https://dir/netapp/local/dqp04022021/qual_devices.zip

 

-Thx

CHRISMAKI
6,606 Views

This is going to try and make an HTTPS request to a host named "dir" which I'm assuming doesn't exist on your network. The command should be:

 

storage firmware download -node * -package-url http://<web-server>/path/qual_devices.zip

 

Where you've replaced <web-server> with a host that you've uploaded the file to.

CHRISMAKI
6,607 Views

Full instructions can be found here.

JPick
6,605 Views

The command is correct... I was just trying to anonymize the server and path. I will look upstream at the host.

 

-Thx for your quick responses.

CHRISMAKI
6,600 Views

Is the web server also listening unencrypted on port 80? If so, you could try reverting to HTTP.

TMACMD
6,600 Views

When you see that particular error, you should try HTTP instead of HTTPS.

More than likely you have a certificate that is expired or a problem with a root/int server-ca cert.

tpeter
1,459 Views

Use an HTTPS server with, e.g., a company-signed certificate (AD certsrv).

Upload the company CA root certificate to the NetApp box.

::> security certificate install -vserver [vserver name] -type server-ca

Use HTTPS to download the firmware from the server:

::> system firmware download -package https://.../.zip 

Also, I have put a company-signed certificate on my NetApp boxes.

Hope it helps.
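
The error in the question and the fix tpeter describes, reproduced offline with the OpenSSL CLI as an added example (not from any poster in this thread or from NetApp): a server chain ending in a root that is not a local trust anchor fails with verify error 19, "self signed certificate in certificate chain", and verifies once that root is supplied as trusted. The CA name, host name, file names and function names are constructed placeholders, and an installed `openssl` is assumed.

```shell
# Added example: constructed lab PKI; every name and path here is a placeholder.

make_lab_pki() {   # $1 = empty work directory
  cat > "$1/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Company Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed root, standing in for the company CA.
  openssl req -x509 -config "$1/lab.cnf" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  # Web server certificate issued by that root.
  openssl req -new -config "$1/lab.cnf" -subj "/CN=web-server.example" \
    -newkey rsa:2048 -nodes -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
  openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/srv.pem" 2>/dev/null
}

# Print 0 if srv.pem verifies, otherwise the OpenSSL verify error number.
verify_code() {    # $1 = work dir, $2 = optional trusted root PEM
  if [ -n "${2:-}" ]; then
    out=$(openssl verify -CAfile "$2" "$1/srv.pem" 2>&1) || true
  else
    # Root is sent along with the chain (-untrusted) but is not a trust anchor.
    out=$(openssl verify -untrusted "$1/ca.pem" "$1/srv.pem" 2>&1) || true
  fi
  case $out in
    *": OK"*) echo 0 ;;
    *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

# Subject equals issuer (names only, signature not checked): the root to review.
is_self_issued() { # $1 = PEM file holding one certificate
  s=$(openssl x509 -in "$1" -noout -subject) || return 2
  i=$(openssl x509 -in "$1" -noout -issuer) || return 2
  [ "${s#subject=}" = "${i#issuer=}" ]
}

lab=$(mktemp -d)
make_lab_pki "$lab"
echo "root not trusted: verify error $(verify_code "$lab")"
echo "root trusted:     verify error $(verify_code "$lab" "$lab/ca.pem")"
rm -rf "$lab"
```

Against a real web server, `openssl s_client -connect <web-server>:443 -showcerts` prints the chain it presents, and the self-issued certificate in it is the one to compare with the company CA root before installing it as `server-ca`. Trusting that root keeps certificate checking on the firmware download, which a switch to plain HTTP does not.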
