SU492: StorageGRID 11.2 and prior versions with custom server SSL 1024-bit certificates for S3 endpoints must convert the certificates when upgrading to 11.4
Last Updated: 4/5/2022, 8:54:34 PM
Summary
StorageGRID 11.2 and prior versions that use custom server SSL certificates with 1024-bit or shorter keys for S3 endpoints must replace them with certificates of a higher key length before upgrading to StorageGRID 11.4. This avoids service unavailability caused by a key length below 2048 bits.
Solution
Pre-upgrade to 11.4:
Check the existing certificates installed in the StorageGRID cluster and correct them if needed:
- Confirm that each certificate reports a 2048 bit key:
  - For Management Interface Server Certificate:
    - Log in to a Storage Node or a Linux client
    - Run:
      openssl s_client -connect <AdminNode_IP>:443
  - For Object Storage API Service Endpoints Server Certificate:
    - Log in to a Storage Node or a Linux client
    - Run:
      openssl s_client -connect <StorageNode_IP>:18082
  - Load Balancer endpoint certificate:
    - In the StorageGRID Management Interface, navigate to Configuration > Load Balancer Endpoints.
    - Identify HTTPS endpoints and note the TCP port for each endpoint
    - Run:
      openssl s_client -connect <AdminNode_IP>:<TCP Port>
    - Repeat the above step for each endpoint
- If all of the above certificates (if in use) show the following 2048 bit string, then no action is necessary.
  Server public key is 2048 bit
- If any of the above certificates (if in use) shows a key of less than 2048 bits, follow Certificate Installation to install a supported certificate
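The pre-upgrade check above, scripted as an added example (not NetApp's code): it runs `openssl s_client -connect` against each endpoint passed on the command line and flags any whose reported server public key is below 2048 bits. The function names, script name and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: automates the "Server public key is N bit" check from this bulletin.
MIN_BITS=2048

# Constructed sample of s_client summary lines (not captured from a real grid).
SAMPLE_WEAK='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported'

# key_bits: read `openssl s_client` output on stdin, print the server key size.
key_bits() {
    sed -n 's/^Server public key is \([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# classify LABEL BITS: print one result line; return 0 only if the key is long enough.
classify() {
    label=$1
    bits=$2
    if [ -z "$bits" ]; then
        echo "UNKNOWN $label: no key size reported (unreachable or not HTTPS)"
        return 2
    elif [ "$bits" -lt "$MIN_BITS" ]; then
        echo "FAIL $label: $bits bit key, replace before upgrading to 11.4"
        return 1
    fi
    echo "OK $label: $bits bit key"
}

# check_endpoint HOST:PORT: fetch the handshake summary and classify it.
check_endpoint() {
    out=$(openssl s_client -connect "$1" </dev/null 2>/dev/null)
    classify "$1" "$(printf '%s\n' "$out" | key_bits)"
}

# check_all HOST:PORT...: check every endpoint; non-zero if any is not OK.
check_all() {
    rc=0
    for ep in "$@"; do
        check_endpoint "$ep" || rc=1
    done
    return "$rc"
}

# Usage: sh check_keys.sh <AdminNode_IP>:443 <StorageNode_IP>:18082 <AdminNode_IP>:<TCP Port>
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```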
Post upgrade to 11.4:
Issue #1: Loss of access to StorageGRID management interface
Temporarily replace the custom certificate with a StorageGRID self-signed certificate to restore client access:
- Generate a self-signed certificate
  - SSH to the primary admin node as the admin user
  - Switch to the root user by running:
    su -
  - Generate a self-signed certificate by running:
    make-certificate --type management --domains *.storagegrid.example.com
    - Replace *.storagegrid.example.com with the appropriate Common Name for your environment
- Start services on the primary admin node by running:
  service servermanager restart
- Validate that all services are in the Running state by running:
  storagegrid-status
- Attempt to access the StorageGRID management interface
- After access is restored and before approving other nodes, validate the Object Storage API Service Endpoints Server Certificate and the Load Balancer endpoint certificate. See the pre-upgrade to 11.4 steps.
Issue #2: S3 or SWIFT (read/write) failures to StorageGRID after upgrade to 11.4
All storage services may appear to be in a running state, but new client requests fail. The following error message may be observed in /var/local/log/bycast.log on the storage node(s):
Feb 12 18:24:59 ksabobssga01 ADE: |12087627 0000000000 ---- ---- 2022-02-12T18:24:59.836323| NOTICE 1401 HFCS: Connection 1644690299835915/172.24.160.200:33625 (---------): Closing: handshake: ca key too small (20,316,397)
Temporarily replace the custom certificate with a StorageGRID self-signed certificate to restore client access:
- Generate a self-signed certificate
  - SSH to the primary admin node as the admin user
  - Switch to the root user by running:
    su -
  - Generate a self-signed certificate by running:
    make-certificate --type storage --domains *.storagegrid.example.com
    - Replace *.storagegrid.example.com with the appropriate Common Name for your environment.
To install new custom certificates, please visit the StorageGRID Configuring Server Certificates page.
Issue #3: Storage node service(s) are not starting and LDR in error state
Please engage NetApp Technical Support for further assistance.
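Lenovo NetApp Technology Co., Ltd. ("Lenovo NetApp") makes no representations or warranties as to the accuracy, reliability, or serviceability of any information or recommendations provided on this page, or as to any results that may be obtained by using this information or following the recommendations provided herein. The information on this page is distributed as is, and the use of this information or the implementation of any recommendations or techniques herein is the customer's responsibility and depends on the customer's ability to evaluate the information and integrate it into the customer's operational environment. This page and the information it contains may be used only in connection with the NetApp products discussed on this page. In no event shall Lenovo NetApp be liable for any special, indirect, or consequential damages arising from or in connection with the use or performance of the information provided on this page, or for any damages resulting from loss of use, data, or profits (whether or not in the performance of a contract), negligence, or other tortious action.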
For the latest information, refer to the support bulletins on the NetApp official website.