ONTAP Discussions

SSL certificate problem: self signed certificate in certificate chain

JPick

We are trying to download firmware on a new 9.7P6 controller. Here is the error received:

Error: command failed on node xxxx-xx: Download failed. Reason: Failed to download package from dir/netapp/local/dqp04022021/qual_devices.zip. Reason: SSL peer certificate or SSH remote key was not OK: SSL certificate problem: self signed certificate in certificate chain.

I looked at certificates, protocols, ciphers....everything looks OK. Any suggestions?

1 ACCEPTED SOLUTION

CHRISMAKI

This error sounds like a problem with the host the cluster is trying to connect to and less like a problem with the cluster. What was the command you used to try and grab the new qual_devices.zip?

JPick

storage firmware download -node * -package-url https://dir/netapp/local/dqp04022021/qual_devices.zip

-Thx

CHRISMAKI

This is going to try and make an HTTPS request to a host named "dir" which I'm assuming doesn't exist on your network. The command should be:

storage firmware download -node * -package-url http://<web-server>/path/qual_devices.zip

Where you've replaced <web-server> with a host that you've uploaded the file to.

CHRISMAKI

Full instructions can be found here.

JPick

The command is correct...I was just trying to anonymize the server and path. I will look upstream at the host.

-Thx for your quick responses.

CHRISMAKI

Is the web server also listening unencrypted on port 80? If so, you could try reverting to HTTP.

TMACMD

When you see that particular error, you should try HTTP instead of HTTPS.

More than likely you have a certificate that is expired or a problem with a root/int server-ca cert.

tpeter

Use an HTTPS server with, e.g., a company-signed certificate (AD certsrv).

Upload the company CA root certificate to the NetApp box.

::> security certificate install -vserver [vserver name] -type server-ca

Use HTTPS to download the firmware from the server:

::> system firmware download -package https://.../.zip

Also, I have put a company-signed certificate on my NetApp boxes.

Hope it helps.
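
The error in this thread and the fix in the reply above can be reproduced offline with the `openssl` CLI. This is an added example, not part of any post and not NetApp code; the CA name, host name and file names are constructed, and it assumes `openssl` and a default `openssl.cnf` are installed on an admin workstation.

```shell
#!/bin/sh
# Constructed demo: a throwaway private CA and server certificate, verified
# without and then with the CA root as trust anchor. All names are made up.

# make_chain DIR: write ca.pem (self-signed root), leaf.pem (server cert)
# and chain.pem (what the web server sends: its own cert plus the root).
make_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Company Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=web.example.internal" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -days 30 -in "$d/leaf.csr" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/leaf.pem" 2>/dev/null &&
    cat "$d/leaf.pem" "$d/ca.pem" > "$d/chain.pem"
}

# verify_chain DIR [CAFILE]: print "ok" or the OpenSSL verify error number.
# Error 19 is "self signed certificate in certificate chain": the chain ends
# in a self-signed root that is not in the verifier's trust store.
verify_chain() {
    d=$1
    ca=${2:-}
    if [ -n "$ca" ]; then
        out=$(openssl verify -CAfile "$ca" -untrusted "$d/chain.pem" \
            "$d/leaf.pem" 2>&1) || true
    else
        out=$(openssl verify -untrusted "$d/chain.pem" "$d/leaf.pem" 2>&1) || true
    fi
    case $out in
        *"error "[0-9]*)
            printf '%s\n' "$out" |
                sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1 ;;
        *": OK"*) echo ok ;;
        *) echo unknown ;;
    esac
}

demo=$(mktemp -d) && make_chain "$demo" &&
    echo "root not trusted: $(verify_chain "$demo")" &&
    echo "root as CAfile:   $(verify_chain "$demo" "$demo/ca.pem")"
rm -rf "$demo"
```

Error 20 instead of 19 would mean the server sent no root and the verifier could not find the issuer locally; error 18 would mean the server certificate itself is self-signed.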
