PowerFlex 4.X: Deployment Fails "SSL Certificate Problem: Unable To Get Issuer Certificate"

Summary: Deployment fails with the error message "SSL certificate problem: Unable to get an issuer certificate."

Αυτό το άρθρο ισχύει για Αυτό το άρθρο δεν ισχύει για Αυτό το άρθρο δεν συνδέεται με κάποιο συγκεκριμένο προϊόν. Δεν προσδιορίζονται όλες οι εκδόσεις προϊόντων σε αυτό το άρθρο.
Δείτε άλλους πόρους

Symptoms

  • PFxM Appliance is using a custom-signed SSL certificate
  • Trying to deploy new Storage Only HCI nodes
  • Trying to expand a current Storage Only HCI Resource Group
  • Trying to upgrade a current Storage Only HCI Resource Group

Thin-deployer's deployment.log shows the following:

ERROR [2023-12-06T15:10:47.435192] 56708: service_deployment.rb:1858:in `process_ansible_errors': Error Message: No provider of '+nmon' found.
DEBUG [2023-12-06T15:10:47.435484] 56708: service_deployment.rb:1868:in `process_ansible_errors': errpr_desc = No provider of '+nmon' found.; additional_error_check = false

This error is pointing to the package nmon as not available. It could be any RPM package from the repository.

Thin-deployer's *.out file related to the nodes that are failing shows the following:

" - [|] Error trying to read from 'https://10.1.0.1/httpshare/download/8aaa812487be83780187be8d264c1aad/os/VxFlex4.0.1SLES15.3Repo/dellemc_ism'",
" - Download (curl) error for 'https://10.1.0.1/httpshare/download/8aaa812487be83780187be8d264c1aad/os/VxFlex4.0.1SLES15.3Repo/dellemc_ism/content':",
"Error code: Curl error 60",
"Error message: SSL certificate problem: unable to get issuer certificate",

The same issue is seen when using curl from the Storage Only/HCI nodes:

#curl https://10.1.1.1/httpshare/download/8aaa812487be83780187be8d264c1aad/os/VxFlex4.0.1SLES15.3Repo/dellemc_ism/content -o context.txt 
% Total  % Received  % Xferd  Average  Speed   Time      Time      Time      Current
                              Dload    Upload  Total     Spent     Left      Speed
0   0    0   0       0   0    0        0       --:--:--  --:--:--  --:--:--  0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html


Impact

New deployments and expansions or upgrades of Resource Groups are not successful.

Cause

When you replace the default SSL ingress certificate with a custom SSL certificate signed by an external CA, the nodes do not receive a copy of the new CA certificate. The operating system uses this CA certificate to verify and validate signed SSL certificates. If the operating system does not trust the new CA certificate, the repository download is rejected.

Resolution

For a SLES-based Storage Only HCI node:

  1. Copy the Entire root CA Chain certificate (PEM format) to  
    /etc/pki/trust/anchors/
  2. Run command:  
    update-ca-certificates

     

For a RHEL-based Storage Only HCI node:

  1. Copy the Entire root CA Chain certificate (PEM format) to  
    /etc/pki/ca-trust/source/anchors/
  2. Run command: 
     update-ca-trust

Entire Root CA Chain = root CA + intermediate CAs (if any)

 

Impacted versions:

PowerFlex Manager 4.x


Fixed version:

TBD

Επηρεαζόμενα προϊόντα

PowerFlex rack, PowerFlex Appliance, PowerFlex custom node, PowerFlex Software
Ιδιότητες άρθρου
Article Number: 000225096
Article Type: Solution
Τελευταία τροποποίηση: 30 Δεκ 2025
Version:  4
Βρείτε απαντήσεις στις ερωτήσεις σας από άλλους χρήστες της Dell
Υπηρεσίες υποστήριξης
Ελέγξτε αν η συσκευή σας καλύπτεται από τις Υπηρεσίες υποστήριξης.