Skip to main content
NetApp Knowledge Base

No access to HTTPS services on new cluster nodes, because SSL certificate did not replicate

  1. Last updated
    Apr 24, 2025
  2. Save as PDF
Views:
2,251
Visibility:
Public
Votes:
3
Category:
ontap-9
Specialty:
core
Last Updated:
4/24/2025, 2:30:48 PM

Applies to

  • ONTAP 9
  • New cluster nodes
  • Cluster expansion
  • HTTPS
  • TLS/SSL
  • Varonis
  • REST API
  • ONTAPI
  • SPI

Issue

  • HTTPS clients cannot connect to LIFs hosted on nodes that were recently added to the cluster; clients are unable to use
    • REST API
    • ONTAPI
    • SPI
  • HTTPS clients can connect to LIFs hosted on older nodes
  • Web browser error: 
    • ERR_CONNECTION_CLOSED
  • Curl error: 
    • Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to x.x.x.x:443
  • Varonis errors: 
    • 2025-04-15 14:40:36.7100000ᅠDTWCP001GEN127ᅠVaronis.SystemDiscovery.WebServiceᅠ4336ᅠ3ᅠNetapp::NetApp::{ctor}::<lambda_b9d620ee355154c945548d16c6f1bea7>::operator (): Filer 0. Can't connect to the filer (host: svms3test) using ONTAPI (HRESULT: 1222).
Failed to invoke command on server: svms3test.
Command:
<system-get-version/>
    • Error: 1(0x00000001) Description: No permission to use 'hostsequiv' authentication, must be root.
  • ASUP APACHE-ERROR.GZ error on the symptomatic nodes: 
    • [Wed Apr 23 08:00:08.012309 2025 +0000] [ssl:error] [pid 9250:tid 34401860864] [client x.x.x.x:62447] [vserver 32] Failed to initialize SSL context
[Wed Apr 23 08:00:08.013457 2025 +0000] [ssl:notice] [pid 9250:tid 34401860864] [client x.x.x.x:62448] [vserver 32] No server certificate chain is configured for this vserver
[Wed Apr 23 08:00:08.013481 2025 +0000] [ssl:notice] [pid 9250:tid 34401860864] [client x.x.x.x:62448] [vserver 32] Certificate-based client authentication is not configured for this vserver
[Wed Apr 23 08:00:08.014163 2025 +0000] [ssl:emerg] [pid 9250:tid 34401860864] AH02562: Failed to configure certificate 127.0.0.1:0 (with chain), check /mroot/etc/cluster_config/vserver/.vserver_32/config/etc/certificates/ssl/server/150+17BE379C1811D356+svms3test/server.crt
[Wed Apr 23 08:00:08.014175 2025 +0000] [ssl:emerg] [pid 9250:tid 34401860864] SSL Library Error: error:80000002:system library::No such file or directory (calling fopen(/mroot/etc/cluster_config/vserver/.vserver_32/config/etc/certificates/ssl/server/150+162618A776ACDAF8+svmncmain2/server.crt, r))
    • Vserver ID shown in the APACHE-ERROR.GZ error matches the vserver that HTTPS clients cannot connect to 
      • nas-cm913::> vserver show -id 32
                               Admin      Operational Root
Vserver     Type    Subtype    State      State       Volume     Aggregate
----------- ------- ---------- ---------- ----------- ---------- ----------
svms3test   data    default    running    running     svms3test_ n2_aggr1
                                                      root
    • Folder name shown in the APACHE-ERROR.GZ error matches the serial number of the certificate that is assigned to the vserver's SSL configuration 
      • nas-cm913::> ssl show -vserver svms3test   
  (security ssl show)
                                         Vserver: svms3test   
                   Server Certificate Issuing CA: svms3test   
                Server Certificate Serial Number: 17BE379C1811D356
                  Server Certificate Common Name: svms3test   
               SSL Server Authentication Enabled: true
               SSL Client Authentication Enabled: false
Online Certificate Status Protocol Validation Enabled: false
URI of the Default Responder for OCSP Validation:
Force the Use of the Default Responder URI for OCSP Validation: false
                        Timeout for OCSP Queries: 10s
 Maximum Allowable Age for OCSP Responses (secs): unlimited
Maximum Allowable Time Skew for OCSP Response Validation: 5m
                 Use a NONCE within OCSP Queries: true

  • Packet trace shows that ONTAP does not participate in TLS handshake

    • 108436 2025-04-15 14:40:35.399239 x.x.x.x y.y.y.y TCP 66 633 49823 → 443 [SYN, ECE, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
108437 2025-04-15 14:40:35.399508 y.y.y.y x.x.x.x TCP 66 633 443 → 49823 [SYN, ACK, ECE] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM
108438 2025-04-15 14:40:35.399556 x.x.x.x y.y.y.y TCP 54 633 49823 → 443 [ACK] Seq=1 Ack=1 Win=2097920 Len=0
108439 2025-04-15 14:40:35.400087 x.x.x.x y.y.y.y TLSv1 356 633 Client Hello
108440 2025-04-15 14:40:35.400804 y.y.y.y x.x.x.x TCP 60 633 443 → 49823 [FIN, ACK] Seq=1 Ack=303 Win=65792 Len=0
108441 2025-04-15 14:40:35.400833 x.x.x.x y.y.y.y TCP 54 633 49823 → 443 [ACK] Seq=303 Ack=2 Win=2097920 Len=0
108442 2025-04-15 14:40:35.400865 x.x.x.x y.y.y.y TLSv1 61 633 Alert (Level: Fatal, Description: Decode Error)
108443 2025-04-15 14:40:35.400928 x.x.x.x y.y.y.y TCP 54 633 49823 → 443 [FIN, ACK] Seq=310 Ack=2 Win=2097920 Len=0
108444 2025-04-15 14:40:35.401167 y.y.y.y x.x.x.x TCP 60 633 443 → 49823 [RST] Seq=2 Win=0 Len=0
108445 2025-04-15 14:40:35.401217 y.y.y.y x.x.x.x TCP 60 633 443 → 49823 [RST] Seq=2 Win=0 Len=0

 

 

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.