ONTAP AutoSupport messages fail using HTTPS: SSL certificate problem
Applies to
- ONTAP 9
- HTTPS transport protocol for AutoSupport messages
Issue
- AutoSupport messages fail using HTTPS as the transport:
::> system node autosupport history show -node node_name -seq-num <seq_num> -instance
Node: node_name
AutoSupport Sequence Number: seq_num
Destination for This AutoSupport: https
Trigger Event: callhome.management.log
Time of Last Update: 1/12/2021 02:58:59
Status of Delivery: transmission-failed
Delivery Attempts: 15
AutoSupport Subject: MANAGEMENT_LOG
Delivery URI: 10.106.130.129:8080(support.netapp.com/put/AsupPut)
Last Error: SSL certificate problem: unable to get local issuer certificate
::> autosupport check show-details -node node_name
Node: node_name
Category: http-https
Component: http-put-destination
Status: failed
Detail: HTTP/S PUT connectivity check failed for destination:
https://support.netapp.com/put/AsupPut/ via proxy -
123.123.123.123:8080. Error: Peer certificate can not be
authenticated with given Certificate Authority
certificates.
Corrective Action: Certificate issue. Please make sure you have the correct
Root Certificate installed
Component: http-post-destination
Status: failed
Detail: HTTP/S POST connectivity check failed for destination:
https://support.netapp.com/asupprod/post/1.0/postAsup
via proxy - 123.123.123.123:8080. Error: Peer certificate
can not be authenticated with given Certificate
Authority certificates.
Corrective Action: Certificate issue. Please make sure you have the correct
Root Certificate installed
- Similar error messages:
message: SSL certificate problem: self signed certificate in certificate chain
Error: Peer certificate can not be authenticated with given Certificate Authority certificates.
Error: asup.post.drop: AutoSupport message (HA Group Notification from node01 (USER_TRIGGERED (TEST:Test)) NOTICE) was not posted to NetApp. The system will drop the message.
- Additional error messages can be found in /mroot/etc/log/mlog/notifyd.log:
::> system node run -node <node_name> -command rdfile /etc/log/mlog/notifyd.log
Cause
- A network device such as a firewall or transparent proxy located in the communication path between support.netapp.com and the storage controller is intercepting the HTTPS connection.
- The certificate injected by the firewall or transparent proxy appears to be presented by support.netapp.com, but it is not issued by a CA in ONTAP's truststore, so validation fails. support.netapp.com is expected to present a certificate chaining to the following default root certificate (pre-existing in the truststore bundle):
::*> security certificate show -vserver <cluster_svm> -common-name AAACertificateServices
Vserver    Serial Number   Common Name                            Type
---------- --------------- -------------------------------------- ------------
cluster_svm
           01              AAACertificateServices                 server-ca
    Certificate Authority: AAA Certificate Services
          Expiration Date: Sun Dec 31 18:59:59 2028
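To confirm which CA the controller actually sees on the path through the proxy, a practitioner can capture the "Certificate chain" section of `openssl s_client -showcerts` and check whether it ends at the expected AAA Certificate Services root. The following triage helper is an added example, not part of the KB or of ONTAP; the two sample chains are constructed (the intermediate names are made up, and palo.tcw.int is the interception CN quoted in this article).

```python
import re
from typing import List, Optional, Tuple

# Root that ONTAP ships in its truststore for support.netapp.com (from the KB).
EXPECTED_ROOT_CN = "AAA Certificate Services"

# Constructed samples of the "Certificate chain" section printed by
# `openssl s_client -showcerts`; not real captures, intermediate names are invented.
CHAIN_OK = """Certificate chain
 0 s:CN = support.netapp.com
   i:C = GB, O = Example CA Ltd, CN = Example Intermediate CA
 1 s:C = GB, O = Example CA Ltd, CN = Example Intermediate CA
   i:C = GB, O = Comodo CA Limited, CN = AAA Certificate Services
"""
CHAIN_INTERCEPTED = """Certificate chain
 0 s:CN = support.netapp.com
   i:CN = palo.tcw.int
 1 s:CN = palo.tcw.int
   i:CN = palo.tcw.int
"""

def parse_s_client_chain(text: str) -> List[Tuple[str, str]]:
    """Return (subject, issuer) pairs, leaf first, from s_client output."""
    pairs, lines = [], text.splitlines()
    for idx, line in enumerate(lines[:-1]):
        subj = re.match(r"^\s*\d+\s+s:(.*)$", line)
        iss = re.match(r"^\s+i:(.*)$", lines[idx + 1])
        if subj and iss:
            pairs.append((subj.group(1).strip(), iss.group(1).strip()))
    return pairs

def cn_of(dn: str) -> Optional[str]:
    """Extract CN from either 'CN = x, O = y' or '/CN=x/O=y' style DNs."""
    m = re.search(r"CN\s*=\s*([^,/]+)", dn)
    return m.group(1).strip() if m else None

def classify_chain(pairs: List[Tuple[str, str]]) -> Tuple[str, str]:
    """'expected' if the chain ends at the truststore root, else 'intercepted'."""
    if not pairs:
        return "unknown", "no certificate chain found in output"
    top_subject, top_issuer = pairs[-1]
    root_cn = cn_of(top_issuer)
    if root_cn == EXPECTED_ROOT_CN:
        return "expected", f"chain ends at '{root_cn}', present in ONTAP's truststore"
    kind = "self-signed" if top_subject == top_issuer else "unrecognised"
    return "intercepted", (f"{kind} issuer '{root_cn}' presented for "
                           f"'{cn_of(pairs[0][0])}'; collect this CA from the "
                           "network team or exempt the host from decryption")
```

Feed it the chain section of `openssl s_client -proxy <proxy:port> -connect support.netapp.com:443 -showcerts` run from a host on the same network path; an "intercepted" result names the CN to hand to the network team.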
Solution
- Engage your Network / Security team to collect the root CA certificate and install it in ONTAP using security certificate install, or modify the proxy with an exception for each node in the cluster so that the proxy does not insert its own self-signed certificate. For example, if SSL decryption inserts a certificate with the common name palo.tcw.int, bypassing support.netapp.com for SSL decryption will prevent that certificate from being inserted.
- Add support.netapp.com to the proxy whitelist.
- If the proxy cannot be modified, certificate validation can be disabled as a temporary workaround:
::> system node autosupport modify -node <node_name> -validate-digital-certificate false
support.netapp.com. This is a temporary fix to resume delivery of AutoSupport logs until the issue can be fully resolved. With validation disabled, ONTAP no longer authenticates the server it sends AutoSupport data to, so re-enable it once the root CA is installed or the proxy exception is in place.