PowerFlex 4.x Deployment Fails With "SSL Certificate Problem: Unable To Get Issuer Certificate"

Summary: Deployment fails with the error message "SSL certificate problem: Unable to get an issuer certificate."


Symptoms

Scenario

  • PFxM Appliance is using a custom-signed SSL certificate
  • Trying to deploy new Storage Only HCI nodes
  • Trying to expand a current Storage Only HCI Resource Group
  • Trying to upgrade a current Storage Only HCI Resource Group

Thin-deployer's deployment.log shows the following:

ERROR [2023-12-06T15:10:47.435192] 56708: service_deployment.rb:1858:in `process_ansible_errors': Error Message: No provider of '+nmon' found.
DEBUG [2023-12-06T15:10:47.435484] 56708: service_deployment.rb:1868:in `process_ansible_errors': errpr_desc = No provider of '+nmon' found.; additional_error_check = false

This error reports the nmon package as unavailable. The package named can be any RPM package from the repository.

Thin-deployer's *.out file related to the nodes that are failing shows the following:

" - [|] Error trying to read from 'https://10.1.0.1/httpshare/download/8aaa812487be83780187be8d264c1aad/os/VxFlex4.0.1SLES15.3Repo/dellemc_ism'",
" - Download (curl) error for 'https://10.1.0.1/httpshare/download/8aaa812487be83780187be8d264c1aad/os/VxFlex4.0.1SLES15.3Repo/dellemc_ism/content':",
"Error code: Curl error 60",
"Error message: SSL certificate problem: unable to get issuer certificate",

The same issue is seen when using curl from the Storage Only/HCI nodes:

#curl https://10.1.1.1/httpshare/download/8aaa812487be83780187be8d264c1aad/os/VxFlex4.0.1SLES15.3Repo/dellemc_ism/content -o context.txt 
% Total  % Received  % Xferd  Average  Speed   Time      Time      Time      Current
                              Dload    Upload  Total     Spent     Left      Speed
0   0    0   0       0   0    0        0       --:--:--  --:--:--  --:--:--  0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html


Impact

New deployments and expansions or upgrades of Resource Groups are not successful.

Cause

When you replace the default SSL ingress certificate with a custom SSL certificate signed by an external CA, the nodes do not receive a copy of the new CA certificate. The operating system uses this CA certificate to verify and validate signed SSL certificates. If the operating system does not trust the new CA certificate, the repository download is rejected.

Resolution

Procedure:

For a SLES-based Storage Only HCI node:

  1. Copy the entire root CA chain certificate (PEM format) to:
     /etc/pki/trust/anchors/
  2. Run the command:
     update-ca-certificates

For a RHEL-based Storage Only HCI node:

  1. Copy the entire root CA chain certificate (PEM format) to:
     /etc/pki/ca-trust/source/anchors/
  2. Run the command:
     update-ca-trust

Entire root CA Chain = root CA + intermediate CAs (if any)
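
The procedure above as one script, with a certificate check before and after the trust-store update (an added example, not Dell code). The file name powerflex-ca-chain.pem, the function names, and the argument order are assumptions; the anchor directories and update commands are the ones listed in the procedure.

```shell
#!/bin/sh
# Added example, not Dell code. Assumed names: powerflex-ca-chain.pem, argument order.

# Print "<anchor dir> <update command>" for this node, per the procedure's two cases.
trust_target() {
    ids=$(ID= ID_LIKE=; . "${1:-/etc/os-release}" 2>/dev/null &&
          echo "$ID $ID_LIKE") || return 1
    case " $ids " in
        *" sles "*|*" suse "*)   echo "/etc/pki/trust/anchors update-ca-certificates" ;;
        *" rhel "*|*" fedora "*) echo "/etc/pki/ca-trust/source/anchors update-ca-trust" ;;
        *) return 1 ;;
    esac
}

# Count certificates in a PEM bundle (root CA plus any intermediates).
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# usage: install_and_check <ca-chain.pem> <repository-url>   (run as root on the node)
install_and_check() {
    bundle=$1 url=$2
    [ "$(pem_cert_count "$bundle")" -ge 1 ] 2>/dev/null ||
        { echo "no PEM certificates in $bundle" >&2; return 1; }
    # Pre-check: verify the ingress certificate against the bundle before installing it.
    # Curl error 60 here means the chain is incomplete or comes from the wrong CA.
    curl --silent --show-error --cacert "$bundle" --output /dev/null "$url" ||
        { echo "bundle does not validate $url" >&2; return 1; }
    target=$(trust_target) || { echo "unsupported distribution" >&2; return 1; }
    dir=${target% *} update_cmd=${target#* }
    cp "$bundle" "$dir/powerflex-ca-chain.pem" && "$update_cmd" || return 1
    # Post-check without --cacert: success means the OS trust store accepts the chain.
    curl --silent --show-error --output /dev/null "$url"
}

if [ "$#" -eq 2 ]; then install_and_check "$@"; fi
```

Pass the repository URL from the failing *.out file as the second argument, so the post-check exercises the same download that the deployment performs.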
 

Impacted versions:

PowerFlex Manager 4.x


Fixed version:

TBD

Affected Products

PowerFlex rack, PowerFlex Appliance, PowerFlex custom node, PowerFlex Software
Article Properties
Article Number: 000225096
Article Type: Solution
Last Modified: 23 May 2025
Version: 3