CONTAP-409261: Certificate discrepancy between /api/cluster/web and security ssl show

Last updated

Apr 2, 2025
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 30

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: CORE

Last Updated:: 4/2/2025, 3:08:35 PM

Issue

REST API and ONTAP commands show discrepancy in SSL configuration

The REST API call /api/cluster/web:

curl -ku admin:"P@ssw0rd" https://cluster1/api/cluster/web
{
"enabled": true,
"http_port": 80,
"https_port": 443,
"state": "online",
"http_enabled": false,
"csrf": {
"protection_enabled": true,
"token": {
"concurrent_limit": 500,
"idle_timeout": 900,
"max_timeout": 0
}
},
"certificate": {
"name": "cert1",
"uuid": "8d4faf7a-f9a1-11ef-9c7f-d039eaa1b42e",
"_links": {
"self": {
"href": "/api/security/certificates/8d4faf7a-f9a1-11ef-9c7f-d039eaa1b42e"
}
}
},
"client_enabled": false,
"ocsp_enabled": false,
"_links": {
"self": {
"href": "/api/cluster/web"
}
}
}
::> show-user-installed -type server -fields cert-name,serial
(security certificate show-user-installed)
vserver common-name serial ca type subtype cert-name
---------------- ------------------- ------ ------ ------ ------- ---------
cluster1 "*.demo.netapp.com" 100A wsl_ca server - cert1
cluster1 "*.demo.netapp.com" 100B wsl_ca server - cert2
2 entries were displayed.

And the ONTAP command:

::> ssl show -vserver cluster1
(security ssl show)
Vserver: cluster1
Server Certificate Issuing CA: wsl_ca
Server Certificate Serial Number: 100B
Server Certificate Common Name: *.demo.netapp.com
SSL Server Authentication Enabled: true
SSL Client Authentication Enabled: false
Online Certificate Status Protocol Validation Enabled: false
URI of the Default Responder for OCSP Validation:
Force the Use of the Default Responder URI for OCSP Validation: false
Timeout for OCSP Queries: 10s
Maximum Allowable Age for OCSP Responses (secs): unlimited
Maximum Allowable Time Skew for OCSP Response Validation: 5m
Use a NONCE within OCSP Queries: true