Object Storage

Storagegrid SSL_Connect

Fabian1993

Hi guys,

If I try to create a bucket or other configurations from the Tenant view, I always get this error:

503: Service Unavailable

Service unavailable.

Failed to open TCP connection to node:8082 (Connection refused - connect(2) for "node" port 18082)

From the Admin Node log view:

Local Distribution Router (LDR) is not running on some StorageNodes.

We installed an API certificate; does the problem maybe come from that?

elementx

https://docs.netapp.com/sgws-110/index.jsp?topic=%2Fcom.netapp.doc.sg-admin%2FGUID-30ACCF7B-C06E-49DB-9CC3-E21756DBE677.html - the Local Distribution Router (LDR) service handles content transport for the StorageGRID Webscale system. Content transport encompasses many tasks including data storage, routing, and request handling. The LDR service does the majority of the StorageGRID Webscale system’s hard work by handling data transfer loads and data traffic functions.

--

If it's not running that could impact data-related operations (including the creation of new buckets).

I don't think this would happen due to TLS cert upload, it's probably something else (such as constrained RAM on VM-based SG nodes).

You could start troubleshooting by checking the top two log files and also the 2 LDR logs mentioned at https://docs.netapp.com/sgws-110/topic/com.netapp.doc.sg-troubleshooting/GUID-1F020EBB-DD5A-4F3A-BC48-62251EEE8280.html?resultof=%22%6c%64%72%22%20%22...

Fabian1993

I have double-checked this. I have used the default certificate from SG; it works fine.

I have uploaded my own certificate, built with this guideline:

https://github.com/NetApp-StorageGRID/SSL-Certificate-Configuration

The LDR stops working and I can't access the Grid.

elementx

The default TLS cert is automatically created and self-signed, so it's easy to get it right based on a few basic inputs.

If you create one externally you have to get more inputs right (host name, signing, chaining) and your DNS must be correctly configured to resolve hostnames, so while the cert itself may be correct it can still cause problems. I'd look at the bycast and other top logs, there's probably something about DNS or hostnames that cannot be found.

I configured DNS for SG nodes and created self-signed TLS certs for SG and it worked fine for me on several v11 versions.

I seem to recall that I also tried to use the same Github instructions for that and those did not work. I'd try more recent instructions (you don't have to use StorageGRID-specific parameters) or check the logs to see what problem or error the uploaded certificates create.

Fabian1993

I found out that StorageGRID has trouble with the "CA MD": ca md too weak...

What parameters did you use?

Update:

It depends on the openssl version. If you try that from GitHub, verify that you use the latest openssl version.

elementx

Like I said, don't use that guide, it's outdated and hasn't been updated for a while. There is nothing NetApp- or StorageGRID-specific in those TLS/SSL certs. Nobody uses MD5 these days, its days are over.

Use a recent generic "how to create self-signed SSL cert" procedure from Google search (StackOverflow or whatever), or Microsoft or Linux vendor documentation.

Fabian1993

Solution:

Use the guides from here to create a certificate with openssl:

https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

Second, if you use the Windows CA, update the template to SHA2 or higher encryption; the default signing is SHA1...
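
An added example, not part of the thread or of NetApp's documentation: a shell check to run on a PEM bundle before uploading it, which reports each certificate's signature algorithm and flags MD5 or SHA-1 digests, the condition behind the "ca md too weak" error discussed above. It assumes the `openssl` CLI is installed; the function names and the file name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Pre-upload check (added example): flag certificates in a PEM bundle whose
# signature digest is MD5 or SHA-1.

# Map an OpenSSL "Signature Algorithm" name to weak / ok / unknown.
classify_sig_alg() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    *md2*|*md4*|*md5*|*sha1*) echo weak ;;
    *sha224*|*sha256*|*sha384*|*sha512*|ed25519|ed448) echo ok ;;
    *) echo unknown ;;  # e.g. rsassaPss: the digest is in the parameters
  esac
}

# Print the signature algorithm of a single-certificate PEM file.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text |
    awk -F': *' '/Signature Algorithm:/ { print $2; exit }'
}

# Check every certificate in a PEM bundle (leaf plus intermediates).
# Exit status: 0 = no weak digest, 1 = weak digest found, 2 = no certificate.
check_bundle() (
  tmp=$(mktemp -d) || exit 2
  # Copy only the CERTIFICATE blocks, one file each; key blocks are skipped.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
                   on { print > (d "/cert" n ".pem") }
                   /-----END CERTIFICATE-----/ { on = 0 }' "$1"
  rc=0
  for f in "$tmp"/cert*.pem; do
    if [ ! -e "$f" ]; then
      echo "no certificate found in $1" >&2
      rm -rf "$tmp"
      exit 2
    fi
    alg=$(cert_sig_alg "$f")
    verdict=$(classify_sig_alg "$alg")
    subject=$(openssl x509 -in "$f" -noout -subject)
    echo "$verdict  $alg  $subject"
    if [ "$verdict" = weak ]; then rc=1; fi
  done
  rm -rf "$tmp"
  exit "$rc"
)

# Usage: sh check_cert_digest.sh chain.pem   (file names are placeholders)
[ "$#" -eq 0 ] || check_bundle "$1"
```

A `weak` line for the leaf or an intermediate means the issuing CA or template has to be switched to a SHA-2 digest and the certificate reissued.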

 

 
