ONTAP AutoSupport using HTTPS fails validation when the Certificate is removed
Applies to
- ONTAP 9.7 and later
- AutoSupport
- Transport HTTPS
Issue
- AutoSupports are no longer succeeding after removing some certificates from the truststore:
cluster1::*> system node autosupport check show-details -node * -check-type https-post-destination
Node: cluster1-01
Category: https
Component: https-post-destination
Status: failed
Detail: HTTPS POST connectivity check failed for destination:
https://support.netapp.com/asupprod/post/1.0/postAsup.
Error: Peer certificate can not be authenticated with
given Certificate Authority certificates.
Corrective Action: Certificate issue. Please make sure you have the correct
Root Certificate installed
- Verify if the following certificate is missing
cluster1::> security certificate show-truststore -common-name AAACertificateServices
There are no entries matching your query.
cluster1::> security certificate show -common-name AAACertificateServices
There are no entries matching your query.
Cause
- The server-CA certificate that ONTAP uses to authenticate the support URL over HTTPS (support.netapp.com/asupprod/post/1.0/postAsup) is missing
- The common name for the certificate is AAACertificateServices
- The certificate was removed in one of two ways:
- The advanced privilege command security certificate truststore clear was executed:
cluster1::*> security certificate truststore clear
- The advanced privilege command security certificate delete was executed:
cluster1::*> security certificate delete -vserver cluster1 -common-name AAACertificateServices -ca "AAA Certificate Services" -type server-ca -serial 01
- This issue is tracked in Bug ID 1221636
Solution
Reloading the Truststore
- This will add back the AAACertificateServices root certificate along with all other default root certificates
- Execute the security certificate truststore load command at the advanced privilege level:
cluster1::*> security certificate truststore load
Manually Add the Individual Certificate used for AutoSupport
- This will add back only the AAACertificateServices root certificate
- The following is the AAACertificateServices certificate that was current at the time this article was published; however, reloading the truststore is the preferred method because it ensures the current certificate is loaded
- Use the security certificate install command:
cluster1::> security certificate install -type server-ca
Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
You should keep a copy of the CA-signed digital certificate for future reference.
The installed certificate's CA and serial number for reference:
CA: AAA Certificate Services
serial: 01
The certificate's generated name for reference: AAACertificateServices
Additional Information
Temporary Workaround
- This behavior can be worked around by disabling certificate validation
- This will configure all controllers in your cluster to not validate the server certificate they receive from support.netapp.com
- This is a temporary fix to resume delivery of AutoSupport logs until the issue can be fully resolved
- Configure the storage controller to skip server certificate validation:
cluster1::> system node autosupport modify -node <node> -transport https -support enable -validate-digital-certificate false
Documentation
- How does ONTAP send an AutoSupport using HTTPS?
- To learn more about AutoSupport, see TR-4444 - ONTAP AutoSupport and AutoSupport On Demand Configuration Guide.