NetApp StorageGrid Cloud Storage Server configuration fails due to invalid certificate on NetApp array
Problem
NetApp StorageGrid configuration for Cloud Storage fails when the subject name in the certificate presented by the NetApp array does not match the array's host name.
Error Message
tpcommand log:
17:17:04.351 [1001339] <2> <media_server>: == Info: ALPN, server did not agree to a protocol
17:17:04.351 [1001339] <2> <media_server>: == Info: Server certificate:
17:17:04.351 [1001339] <2> <media_server>: == Info: subject: C=US; ST=California; L=Sunnyvale; O=NetApp Inc.; OU=NetApp StorageGRID; CN=12883979
17:17:04.351 [1001339] <2> <media_server>: == Info: start date: Feb 13 18:58:36 2020 GMT
17:17:04.351 [1001339] <2> <media_server>: == Info: expire date: Jan 16 18:58:36 2038 GMT
17:17:04.351 [1001339] <2> <media_server>: == Info: SSL: certificate subject name '12883979' does not match target host name '<array_name>'
17:17:04.351 [1001339] <2> <media_server>: == Info: Closing connection 0
17:17:04.351 [1001339] <2> <media_server>: => Send SSL data, 0000000005 bytes (0x00000005)
17:17:04.351 [1001339] <2> <media_server>: == Info: TLSv1.2 (OUT), TLS alert, close notify (256):
17:17:04.351 [1001339] <2> <media_server>: => Send SSL data, 0000000002 bytes (0x00000002)
17:17:04.351 [1001339] <2> <media_server>: CurlHttpClient: CurlHttpClient::processCompletedEasyHandle: job 0x13951f0 removed from running jobs
17:17:04.351 [1001339] <2> <media_server>: CurlHttpClient: CurlHttpClient::processCompletedEasyHandle: STS error: 2060201, cURL error: 60, multi cURL error: 0, HTTP return value: 0
17:17:04.351 [1001339] <16> <media_server>: AmzJob: Failed due to error in SSL certificate. Job Retry not applicable
Cause
The certificate subject name '12883979' does not match target host name '<array_name>'.
Solution
Using curl commands you can confirm that the certificate on the array is the problem:
1. Obtain the certificate from the array:
# echo | /usr/openv/netbackup/bin/goodies/vxsslcmd s_client -showcerts -connect <array_name>:8082 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | tee /tmp/s3-cert-chain
2. Use curl with the certificate chain obtained from the array to connect to the array:
# curl -vvv --cacert /tmp/s3-cert-chain https://<array_name>:8082/
* Trying <ip_of_array>...
* TCP_NODELAY set
* Connected to <array_name> (<ip_of_array>) port 8082 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /usr/openv/var/global/wmc/cloud/cacert.pem
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=California; L=Sunnyvale; O=NetApp Inc.; OU=NetApp StorageGRID; CN=12883979
* start date: Feb 13 18:58:36 2020 GMT
* expire date: Jan 16 18:58:36 2038 GMT
* SSL: certificate subject name '12883979' does not match target host name '<array_name>'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (51) SSL: certificate subject name '12883979' does not match target host name '<array_name>'
Work with the array vendor to fix the certificates on the array.
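To check other logs or hosts for the same failure, the following added example (not part of the original article and not NetBackup code) scans a tpcommand log or saved curl -v output for the mismatch message and prints the name found in the certificate, the host name the client requested, and how often the pair occurred. The function names and the sample lines (including media01 and array01.example.com) are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate the host-name mismatch reported in a tpcommand log
# or in saved `curl -v` output. Function names are illustrative.

# find_cert_mismatch [FILE...]   (reads stdin when no file is given)
# Prints "<name in certificate> <host requested> <occurrences>" per distinct
# pair, in first-seen order. Exit status 0 if any mismatch was found, else 1.
find_cert_mismatch() {
    awk -v q="'" '
        BEGIN {
            # The same message text follows "== Info:" in the tpcommand log
            # and "* " or "curl: (51)" in command-line curl output.
            re = "certificate subject name " q "[^" q "]*" q
            re = re " does not match target host name " q "[^" q "]*" q
        }
        match($0, re) {
            split(substr($0, RSTART, RLENGTH), part, q)
            key = part[2] " " part[4]   # part[2] = cert name, part[4] = host
            if (!(key in count)) order[++n] = key
            count[key]++
        }
        END {
            for (i = 1; i <= n; i++) print order[i], count[order[i]]
            exit (n ? 0 : 1)
        }
    ' "$@"
}

# Constructed sample input: two tpcommand-style lines and two curl -v lines.
sample_log() {
    cat <<'EOF'
17:17:04.351 [1001339] <2> media01: == Info: SSL: certificate subject name '12883979' does not match target host name 'array01.example.com'
17:17:04.351 [1001339] <16> media01: AmzJob: Failed due to error in SSL certificate. Job Retry not applicable
* SSL: certificate subject name '12883979' does not match target host name 'array01.example.com'
curl: (51) SSL: certificate subject name '12883979' does not match target host name 'array01.example.com'
EOF
}

sample_log | find_cert_mismatch   # -> 12883979 array01.example.com 3
```

A non-zero exit status means no mismatch message was present, so the certificate failure in that log has a different cause.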