ONTAP Discussions

security certificate install

ChrisV1
hello , following the procedure in the documentation for installing a certificate to a cluster, the certificate appears to be installed when running the code, but when checking on the storage for the certificate it is in fact not installed https://library.netapp.com/ecmdocs/ECMLP2858435/html/resources/security_certificate.html#netapp_ontap.resources.security_certificate.SecurityCertifica... as you can see the running code is the same as in the documentation: from netapp_ontap import HostConnection from netapp_ontap.resources import SecurityCertificate from netapp_ontap import NetAppResponse from netapp_ontap.error import NetAppRestError from netapp_ontap.resources import svm with HostConnection(host="xxxxx" , username="xxxxx", password="xxxxx",verify=False): resource = SecurityCertificate() resource.type = 'server_ca' resource.scope = 'cluster' resource.public_certificate = ( '-----BEGIN CERTIFICATE-----' 'xxxxxxxxxxxxxcertxxxxxxxxxx' '-----END CERTIFICATE-----' ) resource.post#(hydrate=True)
1 ACCEPTED SOLUTION

RobertBlackhart

Thanks for providing that. So the issue is that there is a formatting problem with your certificate which is what the server responded with. That's why after the call it's not present on the cluster.

 

It looks like your certificate string is missing line breaks encoded in the string. Try adding a \n to the end of each line of the string.

View solution in original post

12 REPLIES 12

RobertBlackhart

This example script might help you: https://github.com/NetApp/ontap-rest-python/blob/master/examples/python_client_library/cert_auth.py

 

It goes through a complete workflow of creating, installing, and using certificate authentication.

ChrisV1
Hi, sorry but it doesnt, what i need is just installing a server_ca cert, which is described in the official documentation in the link i provided and the code that is ran is identical with the one from documentation ,unfortunately is not working and the certificate is not created on the storage

RobertBlackhart

"not working" is not giving me enough information to give more specific help.

 

You might want to enable debug logging on your script so that you can verify the HTTP request and responses that are sent/received. There might be additional information there that will help you. Here are details about how to do that: https://library.netapp.com/ecmdocs/ECMLP2879970/html/index.html#log_all_api_calls-flag

ChrisV1
Thanks for the reply. At this point I tend to believe that the procedure in the documentation is just wrong and that is just not the way you install a server_ca certificate on the cluster as the logging and debugging options you mentioned do not make any output with that script. While trying them into a different script they work and do make logging output.

Also , to be clear, im mentioning again, this is not my script , is the script from netapp documentation , copy paste, just replaced the info in the connection part and the certificated.


import logging
from netapp_ontap import HostConnection, utils, config
from netapp_ontap.resources import SecurityCertificate
from netapp_ontap.resource import Resource, ResourceSchema, ImpreciseDateTime, Size
from netapp_ontap import NetAppResponse
from netapp_ontap.error import NetAppRestError
from netapp_ontap.resources import svm
import pprint

logging.basicConfig(level=logging.DEBUG)
config.CONNECTION = HostConnection('', username='', password='', verify=False)
utils.LOG_ALL_API_CALLS = 1
resource = SecurityCertificate()
resource.type = 'server_ca'
resource.public_certificate = (
'-----BEGIN CERTIFICATE-----'

'-----END CERTIFICATE-----'
)
resource.post#(hydrate=True)

RobertBlackhart

I assumed it was a typo or copy/paste problem before, but do you really have a "#" character in the last line of your script? If you do, that would be the issue because that is commenting out the actual function call and so no request would be sent. I don't see that present in the documentation you linked to.

ChrisV1
Yes it was a typo and forgot to put it on new line as I don't need to use the hydrate function and when the hydrate function is there I either get one of the following errors as you can see in the picture: invalid format of certificate or server_ca is not one of the following :client, server , root_ca, server_ca . and if I remove the hydrate, the script finishes with no errors and the output shows as the CA is created, but not present on the storage.

RobertBlackhart

Hydrate isn't a function on its own. I want to make sure we're saying the same thing here. The final line of your script should look like this:

 

resource.post()

 

Is that what it looks like to you? You mentioned "as you can see in the picture", but I cannot see any picture attached to this thread.

ChrisV1
Yes , that's how it looks like with resource.post() . I tried attaching a picture on my last reply but it seems Im not allowed to. Also im only able to reply to the thread, or your post via email, but not able to reply on the website, that doesn't work, the post reply button is grayed out with a denied icon over the mouse pointer 🙂

RobertBlackhart

OK. I'm having a bit of a difficult time understanding how your code isn't making any API calls if your script ends with resource.post(). Perhaps you could post your code and output with debugging enabled to something like a GitHub gist and provide the link? https://gist.github.com/

ChrisV1
I have redacted only the cert a bit in the output posted on github. Here is the link
https://gist.github.com/CrisV1/cfca6f2e1cc12b214aac98bec149f47b

RobertBlackhart

Thanks for providing that. So the issue is that there is a formatting problem with your certificate which is what the server responded with. That's why after the call it's not present on the cluster.

 

It looks like your certificate string is missing line breaks encoded in the string. Try adding a \n to the end of each line of the string.

ChrisV1
It is funny as I have already tried your suggestion when I ran a code to get all fields from an already existing installed certificate and noticed that the installed certificates have a '\n' at the end of each line but the script failed even with that. But now when I tried again it worked...for some reason . I will mark your suggestion as an accepted solution and I will point out again , as I thought initially, that the procedure in netapps documentation is wrong (incomplete) and caused this issue in the first place, as the example there is without '\n' at the end of the cert lines.

Thank you for the help.
Public