Storagegrid SSL_Connect


Hi Guys,


If I try to create a bucket or other configurations from the Tenant view, I always get this error:


503: Service Unavailable

Service unavailable.

Failed to open TCP connection to node:8082 (Connection refused - connect(2) for "node" port 18082)


From Admin Node Log View:

Local Distribution Router (LDR) is not running on some StorageNodes.



We installed an API certificate; does the problem maybe come from that?





https://docs.netapp.com/sgws-110/index.jsp?topic=%2Fcom.netapp.doc.sg-admin%2FGUID-30ACCF7B-C06E-49DB-9CC3-E21756DBE677.html - the Local Distribution Router (LDR) service handles content transport for the StorageGRID Webscale system. Content transport encompasses many tasks including data storage, routing, and request handling. The LDR service does the majority of the StorageGRID Webscale system’s hard work by handling data transfer loads and data traffic functions.


If it's not running that could impact data-related operations (including the creation of new buckets).

I don't think this would happen due to TLS cert upload, it's probably something else (such as constrained RAM on VM-based SG nodes).


You could start troubleshooting by checking top two log files and also the 2 LDR logs mentioned at https://docs.netapp.com/sgws-110/topic/com.netapp.doc.sg-troubleshooting/GUID-1F020EBB-DD5A-4F3A-BC48-62251EEE8280.html?resultof=%22%6c%64%72%22%20%22...


I have double-checked this. I have used the default certificate from SG; it works fine.


I have uploaded my own certificate, built with this guideline:




The LDR stops working and I can't access the Grid.




The default TLS cert is automatically created and self-signed, so it's easy to get it right based on a few basic inputs.


If you create one externally you have to get more inputs right (host name, signing, chaining) and your DNS must be correctly configured to resolve hostnames, so while the cert itself may be correct it can still cause problems.  I'd look at the bycast and other top logs, there's probably something about DNS or hostnames that cannot be found.


I configured DNS for SG nodes and created self-signed TLS certs for SG and it worked fine for me on several v11 versions.


I seem to recall that I also tried to use the same Github instructions for that and those did not work. I'd try more recent instructions (you don't have to use StorageGRID-specific parameters) or check the logs to see what problem or error the uploaded certificates create.


I found out that StorageGRID has trouble with the "CA MD": ca md too weak...

What parameters did you use?




Depends on the openssl version. If you try that from GitHub, verify that you use the latest openssl version.


Like I said, don't use that guide, it's outdated and hasn't been updated for a while. There is nothing NetApp- or StorageGRID-specific in those TLS/SSL certs.  Nobody uses MD5 these days, its days are over.


Use a recent generic "how to create self-signed SSL cert" procedure from Google search (StackOverflow or whatever), or Microsoft or Linux vendor documentation.  




Use the guides from here to create a certificate with openssl:




Second, if you use the Windows CA, update the template to SHA2 or higher encryption; the default signing is SHA1...
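
An added example, not part of any post in this thread: shell functions that read a certificate's signature algorithm with openssl, flag the MD5- and SHA-1-based digests discussed above, and create a self-signed certificate signed with SHA-256 that carries its host name in subjectAltName. The host name `sg.example.com`, the file names and the function names are assumptions.

```bash
# Added example; sg.example.com and all file names are constructed placeholders.

# Print the signature algorithm of a PEM certificate,
# e.g. sha256WithRSAEncryption or sha1WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': *' '/Signature Algorithm/ { print $2; exit }'
}

# Return 0 when the algorithm name is built on MD5 or SHA-1 (or older),
# the kind of digest behind the "ca md too weak" error in the thread.
is_weak_sig_alg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        md2*|md4*|md5*|sha1*|*-sha1|dsawithsha1) return 0 ;;
        *) return 1 ;;
    esac
}

# Check a certificate before uploading it. Returns 0 when the digest is
# acceptable, 1 when it is weak, 2 when the file cannot be parsed.
check_cert() {
    alg=$(cert_sig_alg "$1")
    [ -n "$alg" ] || { echo "cannot read certificate: $1" >&2; return 2; }
    if is_weak_sig_alg "$alg"; then
        echo "WEAK: $1 is signed with $alg"
        return 1
    fi
    echo "OK: $1 is signed with $alg"
}

# Create a self-signed certificate with an explicit SHA-256 signature.
# Arguments: host name, key file, certificate file.
# -addext needs OpenSSL 1.1.1 or later.
make_sha256_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2" -out "$3" 2>/dev/null
}

# Demonstration in a throwaway directory.
demo_dir=$(mktemp -d)
make_sha256_cert sg.example.com "$demo_dir/key.pem" "$demo_dir/cert.pem" &&
    check_cert "$demo_dir/cert.pem"
rm -rf "$demo_dir"
```

Running `check_cert` on a certificate issued by an internal CA shows which digest the CA's template actually applied.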


