Object Storage

StorageGrid certificate renewal -Need the final push to finish this

Northman
10,612 Views

Simply put: Our load balancer certificate is expiring today. It won't affect our FabricPool connection, because it has not been set up to verify a certificate. Both the global certificates (2) have been set up with the default (Grid CA). I want to renew these with our custom certificates and then set up the load balancer to use the S3 and Swift API certificate.

I contacted NetApp Support and got the two links below. I write what I intend to do beneath each.

 

Mgmt: https://docs.netapp.com/us-en/storagegrid-116/admin/configuring-custom-server-certificate-for-grid-manager-tenant-manager.html#add-a-custom-management...

-Install a wildcard certificate for the primary admin and the other admin

But how do I do this? I have seen examples of certificates made in this form:

DNS.1 = s3.example.com
DNS.2 = *.s3.example.com
DNS.3 = s3
DNS.4 = *.s3

Can we actually enter:

DNS.1 = LB1.companydomain.com

DNS.2 = LB*.companydomain.com

What about IP addresses?

 

S3 and Swift API certificate: https://docs.netapp.com/us-en/storagegrid-116/admin/configuring-custom-server-certificate-for-storage-node-or-clb.html#add-a-custom-s3-and-swift-api-c...

-Install a wildcard certificate covering all the storage nodes.

Same question: how do I include all the storage nodes in one certificate? Can we just enter them all? What about IP addresses?

 

And finally, in the middle of this, I stumbled upon this problem. Is this something I need to worry about if certificate validation is not enabled in the FabricPool object store?

https://kb.netapp.com/hybrid/StorageGRID/Protocols/How_to_configure_a_new_StorageGRID_self-signed_server_certificate_on_an_existing_ONTAP_FabricPool_d...

It is addressing a problem when renewing the StorageGRID self-signed certificate and NOT renewing it on the ONTAP side. It should first be renewed in SG, then in ONTAP.

 

Here is more info:

https://community.netapp.com/t5/ONTAP-Discussions/Mismatched-certificate-between-ONTAP-and-StorageGrid/m-p/432266

1 ACCEPTED SOLUTION

elementx
10,574 Views

I won't attempt to give answers one by one because I don't want to give a recipe; maybe someone from the SG team can do that.

1) Wildcards aren't SG-specific; any valid wildcard ought to work. So yeah, lb*.something.com would work if it would work anywhere else, which you can test by issuing several snake-oil certs with the same wildcard and seeing if they are recognized on a test VM (e.g. with Apache or NGINX) or container.

2) IPs (SANs) are possible but not mandatory, which is why they were omitted. You wouldn't be accessing anything based on IPs because it can't provide the right security.

3) How to include SG's LBs: the example that you pasted includes s3.example.com and its sub-domains, so all SNs and LBs would be covered, assuming their DNS maps to that.

 

DNS.1 = s3.example.com
DNS.2 = *.s3.example.com
DNS.3 = s3
DNS.4 = *.s3

It's been years since I created certs for SG, so I wouldn't advise to use my reply on production systems, but maybe they make it easier to understand the docs.


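An added example (mine, not from the thread or from NetApp) that renders a SAN list in the openssl [alt_names] form quoted above and reports which entries a client would accept for a given host, using the usual client rules: a wildcard is honoured only as the whole leftmost label with at least two labels after it, it covers exactly one label (so *.s3.example.com covers neither s3.example.com itself nor deeper names), and an IP address is matched only against IP entries, never DNS ones. Partial wildcards such as lb*.companydomain.com are optional under RFC 6125 and refused by many clients, so the checker takes an allow_partial flag; the SAN list and the 192.0.2.10 address are constructed sample data, not values from the thread.

```python
import ipaddress

# Constructed sample SAN list: the docs-style entries from the thread plus the
# LB names the poster asked about and an example-range IP address.
SAMPLE_SANS = [
    ("DNS", "s3.example.com"),
    ("DNS", "*.s3.example.com"),
    ("DNS", "LB1.companydomain.com"),
    ("DNS", "LB*.companydomain.com"),   # partial wildcard
    ("IP", "192.0.2.10"),
]

def san_config(sans):
    """Render an openssl [alt_names] section; DNS.n and IP.n are counted separately."""
    lines, counts = ["[alt_names]"], {"DNS": 0, "IP": 0}
    for kind, value in sans:
        counts[kind] += 1
        lines.append(f"{kind}.{counts[kind]} = {value}")
    return "\n".join(lines)

def dns_matches(pattern, host, allow_partial=False):
    """Match one DNS SAN against a host name using the common client rules."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    # Wildcard only in the leftmost label, with at least two labels after it.
    if any("*" in label for label in p_labels[1:]) or len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one label; the rest must match literally.
    if len(h_labels) != len(p_labels) or h_labels[1:] != p_labels[1:]:
        return False
    if p_labels[0] == "*":
        return h_labels[0] != ""
    if not allow_partial:   # e.g. "lb*": optional per RFC 6125, many clients refuse it
        return False
    prefix, _, suffix = p_labels[0].partition("*")
    first = h_labels[0]
    return (len(first) >= len(prefix) + len(suffix)
            and first.startswith(prefix) and first.endswith(suffix))

def matching_sans(sans, host, allow_partial=False):
    """Return the SAN values that would let a client accept the cert for `host`."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:   # an IP literal is never matched against DNS entries
        return [v for k, v in sans if k == "IP" and ipaddress.ip_address(v) == ip]
    return [v for k, v in sans if k == "DNS" and dns_matches(v, host, allow_partial)]
```

Running matching_sans over every hostname your ONTAP and S3 clients will actually use is a quick way to spot a node that the planned certificate does not cover before it is issued.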
24 REPLIES

Northman
820 Views

But I think my setup does not even have an OOB IP address or DNS. SG is using a "sam-tunnel" to open SANtricity Manager (see picture attached). And I discovered that the IPv6 problem I mentioned is not really a problem: I can just untick it when configuring the interface (see the same pic). So it seems to me that I should do the following:

1. Configure all the OOB interfaces with a name and IP address on an OOB network

2. Create SANtricity System Manager certificates for these, replacing the self-signed certificate that is expiring in 2025

3. Include the SG mgmt node names (*.*.63.24) in the S3 certificate

4. Change these SG mgmt network addresses to permanent IP addresses instead of DHCP-assigned ones. Do you know how, or is it best to create a support case for that bit?

5.

Northman
820 Views

Actually, it does have IP addresses on an OOB network. I found some documentation on that. But these are also DHCP-assigned with a reservation. So we could just assign these as static and create DNS records for them.

elementx
814 Views

Yes, you could create static assignments to replace MAC-based reservations.

For any questions you can always reach out to support, either by calling the local support phone or by going to https://mysupport.netapp.com/site/ (have your NetApp support creds ready and click on Create Case on the right).

You may get questions on serials & stuff, so have those handy.

https://docs.netapp.com/us-en/storagegrid-117/installconfig/registering-hardware.html explains how to register SG appliances with Support (maybe it's already been done, in which case you should see them in your support account or in Active IQ (if AutoSupport is sending data back) after login).

Northman
793 Views

Yes, I have created a case. I guess it could be challenging to change the SG admin interfaces in live production. If so, we might keep it as it is until we get a maintenance window.