StorageGRID Discussions

Storagegrid SSL_Connect

Hi guys,

If I try to create a bucket or other configurations from the Tenant view, I always get this error:

503: Service Unavailable

Service unavailable.

Failed to open TCP connection to node:8082 (Connection refused - connect(2) for "node" port 18082)

From the Admin Node log view:

Local Distribution Router (LDR) is not running on some Storage Nodes.

We installed an API certificate; does the problem maybe come from that?
Re: Storagegrid SSL_Connect

https://docs.netapp.com/sgws-110/index.jsp?topic=%2Fcom.netapp.doc.sg-admin%2FGUID-30ACCF7B-C06E-49DB-9CC3-E21756DBE677.html - the Local Distribution Router (LDR) service handles content transport for the StorageGRID Webscale system. Content transport encompasses many tasks including data storage, routing, and request handling. The LDR service does the majority of the StorageGRID Webscale system’s hard work by handling data transfer loads and data traffic functions.

--

If it's not running that could impact data-related operations (including the creation of new buckets).

I don't think this would happen due to TLS cert upload, it's probably something else (such as constrained RAM on VM-based SG nodes).

You could start troubleshooting by checking the top two log files and also the 2 LDR logs mentioned at https://docs.netapp.com/sgws-110/topic/com.netapp.doc.sg-troubleshooting/GUID-1F020EBB-DD5A-4F3A-BC48-62251EEE8280.html?resultof=%22%6c%64%72%22%20%22...

Re: Storagegrid SSL_Connect

I have double-checked this. I have used the default certificate from SG, and it works fine.

I have uploaded my own certificate, built with this guideline:

https://github.com/NetApp-StorageGRID/SSL-Certificate-Configuration

The LDR stops working and I can't access the Grid.

Re: Storagegrid SSL_Connect

The default TLS cert is automatically created and self-signed, so it's easy to get it right based on a few basic inputs.

If you create one externally you have to get more inputs right (host name, signing, chaining) and your DNS must be correctly configured to resolve hostnames, so while the cert itself may be correct it can still cause problems. I'd look at the bycast and other top logs, there's probably something about DNS or hostnames that cannot be found.

I configured DNS for SG nodes and created self-signed TLS certs for SG and it worked fine for me on several v11 versions.

I seem to recall that I also tried to use the same GitHub instructions for that and those did not work. I'd try more recent instructions (you don't have to use StorageGRID-specific parameters) or check the logs to see what problem or error the uploaded certificates create.

Re: Storagegrid SSL_Connect

I found out that StorageGRID has trouble with the "CA MD": ca md too weak...

What parameters did you use?

Update:

It depends on the openssl version. If you try that from GitHub, verify that you use the latest openssl version.

Re: Storagegrid SSL_Connect

Like I said, don't use that guide, it's outdated and hasn't been updated for a while. There is nothing NetApp- or StorageGRID-specific in those TLS/SSL certs. Nobody uses MD5 these days, its days are over.

Use a recent generic "how to create self-signed SSL cert" procedure from Google search (StackOverflow or whatever), or Microsoft or Linux vendor documentation.

Re: Storagegrid SSL_Connect

Solution:

Use the guides from here to create a certificate with openssl:

https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

Second, if you use the Windows CA, update the template to SHA2 or higher encryption; the default signing is SHA1.

 

 
