PowerScale: Google Certificates nearing expiration alerts

Summary: On December 5, 2025, there will be a refresh to the Google certificate authority that we use within OneFS. This refresh previously occurred on December 15, 2021.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

OneFS alerts that Google root certificates are expiring on December 5, 2025.   
  
PowerScale OneFS 9.8.0.0
isi980-1# isi certificate authority list
ID      Name                              Status  Expires            
---------------------------------------------------------------------
16af57a BaltimoreCyberTrustRoot           valid   2025-05-12T19:59:00  <<<<<<<<<<<<<<<<

This previously occurred on November 15, 2021, when OneFS alerts that Google root certificates are expiring on December 15, 2021.   

CELOG alerts display:  
Certificate 'GoogleInternetAuthority_G3' in 'system_ca' store is nearing expiration: <Date/Time>.

This impacts the following Certificate Authorities:  
GoogleInternetAuthority_G4
GoogleTrustServices_CA_1O1
GoogleInternetAuthority_G3
GlobalSign-Root-R2
GoogleTrustServices_CA_1D2

Use the following command to see the expiring authorities:  
# isi certificate authority list | grep expir

When the CAs expire on December 15, 2021, CELOG will send a critical alert that the certificate has expired. This can be treated in the same manner as the above nearing expiration events.

Cause

This is due to a timestamp that Google has to refresh or renew in its root certificates. The CELOG warning alert is set to trigger one month ahead of expiration, and a critical alert may trigger at the time of expiration.  
 
These certificate authorities were used for Google CloudPools configurations, however all clusters alert for the expiring authority.

Resolution

The expiring certificate authorities (CA) are no longer being used by Google per the following release

Check if you are using a Google Cloud account:  
# isi cloud account list

If you are not using CloudPools in any way, or are using CloudPools with a service other than Google Cloud as your object store provider, then it is safe to remove these five certificates. 

If you are using Google Cloud as your Object Store provider and your cloud provider URI is "storage.googleapis.com", then it is safe to remove these five certificates. 
 
If you are using Google Cloud and it is using a URI other than "storage.googleapis.com", contact your object store provider to ensure they have updated the TLS certificates before removing the five expiring certificates from the cluster.


To remove the expiring CAs, use the following commands:  
# isi certificate authority delete GoogleInternetAuthority_G4
# isi certificate authority delete GoogleTrustServices_CA_1O1
# isi certificate authority delete GoogleInternetAuthority_G3
# isi certificate authority delete GlobalSign-Root-R2
# isi certificate authority delete GoogleTrustServices_CA_1D2
 

Affected Products

PowerScale OneFS
Article Properties
Article Number: 000193534
Article Type: Solution
Last Modified: 10 May 2024
Version:  7
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.