PowerFlex 4.x Deployment Fails With "SSL Certificate Problem: Unable To Get Issuer Certificate"
Summary: Deployment fails with the error message "SSL certificate problem: Unable to get an issuer certificate."
Symptoms
Scenario
- PFxM Appliance is using a custom-signed SSL certificate
- Trying to deploy new Storage Only HCI nodes
- Trying to expand a current Storage Only HCI Resource Group
- Trying to upgrade a current Storage Only HCI Resource Group
Thin-deployer's deployment.log shows the following:
ERROR [2023-12-06T15:10:47.435192] 56708: service_deployment.rb:1858:in `process_ansible_errors': Error Message: No provider of '+nmon' found.
DEBUG [2023-12-06T15:10:47.435484] 56708: service_deployment.rb:1868:in `process_ansible_errors': errpr_desc = No provider of '+nmon' found.; additional_error_check = false
This error reports the package nmon as not available. The package named could be any RPM package from the repository.
Thin-deployer's *.out file related to the nodes that are failing shows the following:
" - [|] Error trying to read from 'https://10.1.0.1/httpshare/download/8aaa812487be83780187be8d264c1aad/os/VxFlex4.0.1SLES15.3Repo/dellemc_ism'",
" - Download (curl) error for 'https://10.1.0.1/httpshare/download/8aaa812487be83780187be8d264c1aad/os/VxFlex4.0.1SLES15.3Repo/dellemc_ism/content':",
"Error code: Curl error 60",
"Error message: SSL certificate problem: unable to get issuer certificate",
The same issue is seen when using curl from the Storage Only/HCI nodes:
# curl https://10.1.1.1/httpshare/download/8aaa812487be83780187be8d264c1aad/os/VxFlex4.0.1SLES15.3Repo/dellemc_ism/content -o context.txt
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
Impact
New deployments and expansions or upgrades of Resource Groups are not successful.
Cause
When you replace the default SSL ingress certificate with a custom SSL certificate signed by an external CA, the nodes do not receive a copy of the new CA certificate. The operating system uses this CA certificate to verify and validate signed SSL certificates. If the operating system does not trust the new CA certificate, the repository download is rejected.
Resolution
Procedure:
For a SLES-based Storage Only HCI node:
- Copy the Entire root CA Chain certificate (PEM format) to /etc/pki/trust/anchors/
- Run command: update-ca-certificates
For a RHEL-based Storage Only HCI node:
- Copy the Entire root CA Chain certificate (PEM format) to /etc/pki/ca-trust/source/anchors/
- Run command: update-ca-trust
Entire root CA Chain = root CA + intermediate CAs (if any)
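The procedure above as one script, added here as an example and not taken from Dell documentation: it picks the anchor directory from /etc/os-release, rejects a bundle that contains no PEM certificates, and then repeats the failing download with curl. The function names, the two command-line arguments and the os-release ID values it matches (sles, rhel) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Dell code). Usage: sh trust_chain.sh <chain.pem> <repo-url>
# Both arguments are supplied by the operator; run as root on the node.

# Print "<anchor dir> <refresh command>" for the OS named in an os-release
# file, using the paths and commands from the Resolution section.
# Assumption: the node reports ID=sles (SLES-based) or ID=rhel (RHEL-based).
trust_target() {
    os_id=$(sed -n 's/^ID=//p' "${1:-/etc/os-release}" | tr -d '"')
    case "$os_id" in
        sles*) echo "/etc/pki/trust/anchors update-ca-certificates" ;;
        rhel)  echo "/etc/pki/ca-trust/source/anchors update-ca-trust" ;;
        *)     echo "unsupported OS id: $os_id" >&2; return 1 ;;
    esac
}

# Count certificates in a PEM bundle. The bundle must hold the entire
# chain (root CA plus any intermediates), so 0 means wrong format or file.
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Copy the bundle into the trust anchors and rebuild the system store.
install_chain() {
    n=$(pem_cert_count "$1")
    [ "${n:-0}" -ge 1 ] || { echo "no PEM certificates in $1" >&2; return 1; }
    target=$(trust_target) || return 1
    cp "$1" "${target% *}/" && "${target#* }" || return 1
    echo "installed $n certificate(s) from $1"
}

# Repeat the failing download. curl exit code 60 is the certificate
# verification failure shown in the Symptoms section.
verify_repo() {
    curl --silent --show-error --output /dev/null "$1"
    rc=$?
    [ "$rc" -ne 60 ] || echo "still untrusted: is an intermediate CA missing?" >&2
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    install_chain "$1" && verify_repo "$2"
fi
```

A count of 1 for a certificate issued through an intermediate CA usually means the bundle is incomplete, which leaves curl error 60 in place after the trust store is rebuilt.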
Impacted versions:
PowerFlex Manager 4.x
Fixed version:
TBD