ONTAP Tools: Unable to add storage backend or manage OTV due to invalid SAN field within vCenter machine certificate
Applies to
- ONTAP Tools for VMware vSphere (OTV) 10.x
- VMware vCenter
Issue
- The option to add backend storage is grayed out in the OTV vCenter plugin for one vCenter site, despite identical configuration to a working site.
- All plugin functionality is grayed out, and hovering over any option within the plugin shows an Insufficient privilege error.
- Attempts to disable certificate validation from the ONTAP Tools maintenance console do not resolve the issue.
- The web browser's developer tools show 401 Unauthorized errors when trying to add the storage system.
Example:
- Looking at the HAR (HTTP Archive) file output of the 401 error, we can see similar details:
"_priority": "High",
"request": {
    "method": "GET",
    "url": "https://<vcenter>/plugins/com.netapp.otv.../virtualization/api/v1/vcenters"
},
"response": {
    "status": 401,
    "statusText": "",
    ...
    "content": {
        "mimeType": "text/html",
        "text": "401 Authorization Required"
    }
}
- Additionally, when checking the vCenter machine certificate's Subject Alternative Name (SAN) from OTV's diag shell using an openssl command, we can see similar output:
diag@otv1:~$ sudo su
root@otv1:/home/diag# echo | openssl s_client -connect vc1.demo.netapp.com:443 -showcerts | openssl x509 -text
depth=0 CN = vc1.demo.netapp.com, C = US, ST = California, L = Palo Alto, O = NetApp, OU = LOD
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = vc1.demo.netapp.com, C = US, ST = California, L = Palo Alto, O = NetApp, OU = LOD
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = vc1.demo.netapp.com, C = US, ST = California, L = Palo Alto, O = NetApp, OU = LOD
verify return:1
DONE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d3:a0:2d:aa:5c:97:9a:12
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = vc1, DC = demo, DC = local, C = US, ST = California, O = vc1.demo.netapp.com, OU = LOD
        Validity
            Not Before: Apr 5 18:05:18 2024 GMT
            Not After : Apr 5 18:05:18 2026 GMT
        Subject: CN = vc1.demo.netapp.com, C = US, ST = California, L = Palo Alto, O = NetApp, OU = LOD
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:b5:3c:38:25:8c:b4:0d:a0:bc:80:bf:39:3c:3f:
                    ef:1b:9c:bc:f5:6e:33:e6:fc:0e:1c:ef:36:94:36:
                    a6:18:df:af:a7:2d:12:16:e7:b4:fa:6a:3d:db:be:
                    b7:60:8a:2b:b9:74:9b:38:37:0f:d7:09:fe:bb:cc:
                    bd:d0:c3:5e:bd:2d:81:a0:f5:a2:2d:ae:64:35:b4:
                    09:a1:74:42:12:ce:a4:d7:d1:5c:ca:28:80:16:7a:
                    e9:cb:04:85:58:80:cb:70:87:4d:c3:ac:7b:be:f4:
                    98:0f:cf:ca:81:e0:ac:23:d9:9e:05:65:64:88:90:
                    4c:85:a9:75:03:1b:10:4c:c5:22:4a:cb:7c:2e:f4:
                    51:6d:8c:cd:fb:9b:96:bb:07:ec:39:ff:90:eb:bf:
                    88:24:a5:54:95:a2:c4:a7:fb:4a:66:6d:55:0e:59:
                    c4:14:c3:52:52:52:8a:aa:17:d5:e4:57:1b:2b:a7:
                    02:b1:2f:ac:8a:4e:63:d9:24:29:75:04:96:6d:e1:
                    1a:79:3f:66:68:ae:04:9f:87:a9:46:2a:61:6f:87:
                    fb:bb:c4:de:52:9a:e8:d1:2a:0d:7f:ad:66:8b:71:
                    4f:1d:9b:5c:c8:de:88:85:94:df:46:5b:b2:18:1e:
                    5e:52:06:f6:a7:38:f5:c9:41:a0:2f:62:1a:36:af:
                    85:cb:4e:71:a5:e0:fd:6d:e1:74:b2:8a:e5:db:37:
                    ae:94:44:46:03:20:e9:53:24:ad:f8:aa:00:9b:a2:
                    ab:e6:f7:b1:3b:d7:30:0b:a5:ff:78:4b:ee:1c:f9:
                    40:00:40:13:f8:4f:e1:9b:c8:1d:5d:36:59:60:d0:
                    44:b8:ae:54:50:1c:0c:0c:af:0a:b3:bd:22:bc:74:
                    1a:4d:51:c9:14:a1:29:86:a4:75:6c:59:de:18:4c:
                    74:bb:86:ab:4c:af:45:7a:a8:d4:86:fd:e3:3c:0e:
                    25:f0:49:1e:31:53:a0:0f:c6:ab:0a:e8:99:98:22:
                    4f:32:64:2a:ae:71:6c:df:0c:17
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                IP Address:127.0.0.1, DNS:record, DNS:vc1.demo.netapp.com
            X509v3 Subject Key Identifier:
                9D:15:D3:36:3E:25:1A:45:AC:4B:77:D6:8B:C0:63:80:4B:15:79:80
            X509v3 Authority Key Identifier:
                43:5F:E9:F4:71:58:5D:CE:25:03:53:3C:87:54:A4:AE:A4:8C:0E:FC
            Authority Information Access:
                CA Issuers - URI:https://vc1.demo.netapp.com/afd/vecs/ca
    Signature Algorithm: sha256WithRSAEncryption
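The SAN extension is easy to miss in the full certificate dump above, so the following added example (not NetApp's or the original article's code) reduces `openssl x509 -text` output to one SAN entry per line and checks whether a given hostname is covered. The function names are hypothetical, the sample input is constructed from the output shown above, and the check for DNS entries that are not fully qualified is this example's own heuristic, since the excerpt does not state which entry is at fault.

```shell
#!/bin/sh
# Added example (not NetApp code): pull the SAN entries out of `openssl x509 -text` output.

# Print one SAN entry per line, e.g. "DNS:vc1.demo.netapp.com", from text on stdin.
san_entries() {
    awk '
        grab { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
               n = split($0, e, /, */)
               for (i = 1; i <= n; i++) print e[i]
               grab = 0; next }
        /X509v3 Subject Alternative Name:/ { grab = 1 }
    '
}

# Exit 0 if HOST ($1) matches a DNS entry: exact (case-insensitive) or a
# left-most "*." wildcard standing in for exactly one label.
san_covers_host() {
    san_entries | awk -v host="$1" '
        BEGIN { host = tolower(host); rc = 1; dot = index(host, ".") }
        /^DNS:/ {
            name = tolower(substr($0, 5))
            if (name == host) rc = 0
            else if (substr(name, 1, 2) == "*." && dot > 1 &&
                     substr(host, dot) == substr(name, 2)) rc = 0
        }
        END { exit rc }
    '
}

# Heuristic of this example only: list DNS entries that are not fully qualified.
san_unqualified_dns() {
    san_entries | awk '/^DNS:/ && substr($0, 5) !~ /\./ { print substr($0, 5) }'
}

# Constructed sample: the extension lines from the output shown above.
sample_cert_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                IP Address:127.0.0.1, DNS:record, DNS:vc1.demo.netapp.com
EOF
}

sample_cert_text | san_entries
# Live use from the diag shell, with the page's host:
#   echo | openssl s_client -connect vc1.demo.netapp.com:443 2>/dev/null |
#       openssl x509 -noout -text | san_entries
```

Running the same pipeline against a working vCenter site gives a baseline SAN list to compare with the failing one.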
