How to fix Netapp expired self-signed certificate by creating a new one

[Screenshot: browser error "This site can't be reached" when opening the Netapp ONTAP web interface with an expired certificate]

Symptom: When you look at the diagnostic logs on your Netapp, you get a warning that the certificates are expiring or expired:

Event:
mgmtgwd.certificate.expiring: A digital certificate with Fully Qualified Domain Name (FQDN) ExampleNetappServer1, Serial Number 569848B0A5092, Certificate Authority ‘ExampleNetappServer1’ and type server for Vserver ExampleNetappServer1 will expire in the next 29 day(s).

Message Name:
mgmtgwd.certificate.expiring

Description:
This message occurs when a digital certificate for a Vserver is about to expire. Client-server communication will not be secure if the certificate expires.

Action:
Install a new digital certificate on the system using the ‘security certificate create’ or ‘security certificate install’ command.

Symptom: When you try to reach the website for your Netapp OnTAP, it won’t connect at all.

See the image above for what this looks like.

Symptom: You tried to create new certificates using security certificate create and now the website is broken.

Whoops.  Never fear, keep reading, this article will help you.


Solution

How can I connect if the Netapp website is down?

Use a terminal emulator such as PuTTY. Connect over SSH (port 22) to the cluster management IP of your Netapp cluster.

When prompted, type your administrator username and password. admin is the default username and netapp!123 is the default password.

First, capture your current status.

Here are the commands you will run to see the current status of your certificates:

security certificate show

ssl show

Feel free to run these whenever needed, to see your status.

Run both commands now and screenshot or copy the results so you can reference them later.

Here is an example of a Netapp that has expired certificates for the cluster and the SVM:

[Screenshot: output of security certificate show listing expired certificates for the cluster and the SVM]

Here is an example of a Netapp whose website SSL certificate is broken:

[Screenshot: output of ssl show on an ONTAP 9 system with a broken website certificate]

Did you already delete your certificates and don’t know the names of your cluster and SVM?

Assuming you are connecting to your cluster, you should see the cluster name at the beginning of your command prompt.

If you press TAB while writing a command, ONTAP will suggest the possible completions. This can help you retrieve your Vserver list.

Type security certificate show -vserver [TAB]

Your command prompt will show you the possible answers. One should be your cluster, one should be your SVM(s).

Perform these steps to remove the expired certificates, create new ones, and enable SSL with them.

1. Delete old certificates:

Identify your variables:

-vserver = vserver name from the “security certificate show” command, such as ExampleNetappCluster1

-common-name = common name from the “security certificate show” command, such as ExampleNetappCluster1

-serial = serial number from the “security certificate show” command, such as 448293BA028

-type = type from the “security certificate show” command. Self-generated certificates are type server.

Run this command for your cluster certificate: security certificate delete -vserver ExampleNetappCluster1 -serial ########## -type server -common-name ExampleNetappCluster1

When prompted, type Y to delete.

Run the command again for each SVM certificate: security certificate delete -vserver ExampleNetappSVM1 -serial ########## -type server -common-name ExampleNetappSVM1

When prompted, type Y to delete.

2. Create new self-signed certificates:

Run this command for your new cluster certificate: security certificate create -vserver ExampleNetappCluster1 -common-name ExampleNetappCluster1 -type server -expire-days 999

You can change the expire-days per your security policy. The default is 365.

Run this command for each new SVM certificate: security certificate create -vserver ExampleNetappSVM1 -common-name ExampleNetappSVM1 -type server -expire-days 999

3. Enable SSL with the new certificates:

Run this command for your new cluster certificate: ssl modify -vserver ExampleNetappCluster1 -server-enabled true

Run this command for each new SVM certificate: ssl modify -vserver ExampleNetappSVM1 -server-enabled true

4. At this point, your website should be back up!
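As an added example that is not part of the original article: a small Python helper that reads the output of security certificate show (the -fields form) and prints the step 1 to 3 commands, in the same order as above, for every server certificate that is already expired or expires within a warning window. The sample output, the expiration date display format and the client-type row are constructed assumptions for this example; compare them against what your own cluster prints before using anything it generates.

```python
from datetime import datetime

# Constructed sample of "security certificate show -fields vserver,common-name,serial,type,expiration".
# Column widths, the expiration display format and the client-type row are assumptions made
# for this example; the two server serials are the ones quoted in the article.
SAMPLE_OUTPUT = """\
vserver               common-name           serial        type   expiration
--------------------- --------------------- ------------- ------ ------------------------
ExampleNetappCluster1 ExampleNetappCluster1 448293BA028   server Fri Mar 01 09:00:00 2024
ExampleNetappSVM1     ExampleNetappSVM1     569848B0A5092 server Mon Jun 30 09:00:00 2025
ExampleNetappSVM1     ExampleNetappSVM1     CONSTRUCTED1  client Mon Jun 30 09:00:00 2025
3 entries were displayed.
"""

def parse_certificate_show(text):
    """Turn the -fields table into one dict per certificate, keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    fields = lines[0].split()
    rows = []
    for line in lines[2:]:                      # skip the header and the dashed separator
        if "displayed" in line:                 # "N entries were displayed." trailer
            continue
        # Only the last column (expiration) contains spaces, so split at most len-1 times.
        rows.append(dict(zip(fields, line.split(None, len(fields) - 1))))
    return rows

def days_until_expiry(expiration, today):
    """today is an ISO date string; expiration uses the assumed ONTAP display format."""
    exp = datetime.strptime(expiration, "%a %b %d %H:%M:%S %Y")
    return (exp - datetime.fromisoformat(today)).days

def plan_from_output(text, today, warn_days=30, expire_days=999):
    """Commands for steps 1-3 in the article's order (delete all, create all, enable all)
    for every server certificate that is expired or expiring within warn_days."""
    due = [r for r in parse_certificate_show(text)
           if r["type"] == "server" and days_until_expiry(r["expiration"], today) <= warn_days]
    deletes = [f"security certificate delete -vserver {r['vserver']} -serial {r['serial']} "
               f"-type server -common-name {r['common-name']}" for r in due]
    creates = [f"security certificate create -vserver {r['vserver']} -common-name "
               f"{r['common-name']} -type server -expire-days {expire_days}" for r in due]
    enables = [f"ssl modify -vserver {r['vserver']} -server-enabled true" for r in due]
    return deletes + creates + enables

if __name__ == "__main__":
    # Review the printed commands against your own output before typing them into the cluster shell.
    for cmd in plan_from_output(SAMPLE_OUTPUT, datetime.now().date().isoformat()):
        print(cmd)
```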

Please leave comments if this worked for you, or tips if it didn’t.

If you need further reference, I found these Netapp articles helpful.

Reference: Netapp KB article that describes how to renew the certificate with ssl modify.

Reference: Netapp ONTAP 9: security certificate create, security certificate show, ssl show, ssl modify.
