Data Domain: Changes to Wasabi Cloud certificate requirements

Summary: This article explains how to fix Data Domain cloud tier hosted on Wasabi cloud storage disconnecting unexpectedly due to changes in certificate requirements.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

The UI shows the cloud unit alert:

Disconnected (SSL certificate format error).

Logs contain:

"The imported CA certificate of cloud provider s3_flexible referenced by cloud unit [CloudUnit] is unusable."
sysadmin@datadomain# admin certificate show

Subject                                 Type            Application   Valid From                 Valid Until                Fingerprint
-------------------------------------   -------------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
...
DigiCert TLS RSA SHA256 2020 CA1        imported-ca     cloud         Tue Apr 13 20:00:00 2021   Sun Apr 13 19:59:59 2031   1C:58:A3:A8:51:8E:87:59:BF:07:5B:76:B7:50:D4:F2:DF:26:4F:CD
DigiCert Global Root CA                 imported-ca     cloud         Thu Nov  9 19:00:00 2006   Sun Nov  9 19:00:00 2031   A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
-------------------------------------   -------------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
Certificate signing request (CSR) exists at /ddvar/certificates/CertificateSigningRequest.csr

Cloud Unit List
---------------
Name          Profile               Status         Reason                     
-----------   -------------------   ------------   ---------------------------
WasabiCloud   WasabiCloud_profile   Disconnected   SSL bad certificate format.
-----------   -------------------   ------------   ---------------------------

ddfs.info
10/09 13:42:13.838932 [7fa84beea8c0] ERROR: CAL cl_request_convert_curlcode_to_err:1418 - Curl error: code:60 errno:110 uri:https://us-east-2.wasabisys.com/b584eebb7ebf1fac-8dacb8cdfdb8d2c6-d0/?prefix=/d1/3
&marker=/d1/37fd0a79/00000000247ac4aa/0000000000000000
10/09 13:42:13.838952 [7fa84beea8c0] ERROR: CAL cl_request_convert_curlcode_to_err:1430 - Curl error:SSL peer certificate or SSH remote key was not OK [60], DD errnum:5402, uri:https://us-east-2.wasabisys.com/b584eebb7ebf1fac-8dacb8cdfdb8d2c6-d0/?prefix=/d1/3&marker=/d1/37fd0a79/00000000247ac4aa/0000000000000000 date:Mon, 09 Oct 2023 17:42:13 GMT, bytes_sent:0, bytes_rcvd:0
10/09 13:42:13.838956 [7fa84beea8c0] INFO: CAL cl_conn_pool_update_counters:697 - Resetting clean_run_cnt:14 to 0, succ_cnt:1, err_cnt:1, req_cnt:3
10/09 13:42:13.838969 [7fa84beea8c0] ERROR: CAL cl_s3_list_object_op:723 - List objects ERROR 5402 SSL peer certificate or SSH remote key was not OK: prefix:/d1/3 marker:/d1/37fd0a79/00000000247ac4aa/0000000000000000 bucket:b584eebb7ebf1fac-8dacb8cdfdb8d2c6-d0
10/09 13:42:13.839005 [7fa84beea8c0] INFO: CAL cl_listobj_histogram_dump:586 -
Cloud latency for list-obj op: prefix:/d1/3 bucket:b584eebb7ebf1fac-8dacb8cdfdb8d2c6-d0
        op                             mean      std-dev     <100ms     <500ms    <1000ms    <2000ms    <5000ms   >=5000ms      total        max        min
        list-obj                  598.054ms    732.947ms          0       7757       3175        318        282         91      11623   8945.000    158.000
10/09 13:42:13.839101 [7fa84beea8c0] ERROR: CAL cal_list_iterate:1550 - list_object returned error:SSL peer certificate or SSH remote key was not OK
10/09 13:42:13.839108 [7fa84beea8c0] INFO: CAL cal_cloudunit_set_unavail:1754 - Marking cloud unit:WasabiCloud as UNAVAILABLE with errno: 5402, errstr: Peer certificate cannot be authenticated with known CA certificates.
10/09 13:42:13.839110 [7fa84beea8c0] INFO: CAL cal_fetch_reason_from_io_err:5248 - Cloud unit unavail reason for err code 5402 updated to: SSL bad certificate format.

Cause

Wasabi now requires DigiCert Global Root G2 certificates instead of the previous DigiCert Global Root CA certificates.
Customers should obtain the new certificate at the link below and add it to their systems.

Resolution

Download the certificate here (the second downloadable attachment):
How do I obtain Wasabi's CA certificate for https support on a third-party application?This hyperlink is taking you to a website outside of Dell Technologies.

  1. Open the certificate in a text editor and add it to the Data Domain from the CLI with the command 
     "adminaccess certificate import ca application cloud".
  2. Copy and paste it into the terminal, press CTRL+D to accept the input.
  3. Type "yes" to confirm,
  4. Run 
    "adminaccess certificate show"
     to confirm the certificate has been uploaded correctly.

Example:

sysadmin@datadomain# adminaccess certificate import ca application cloud
Enter the certificate and then press Control-D, or press Control-C to cancel.
-----BEGIN CERTIFICATE-----
MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
MrY=
-----END CERTIFICATE-----

The SHA1 fingerprint for the imported CA certificate is:
DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4

        Do you want to import this certificate? (yes|no) [yes]: y
CA certificate imported for application(s) : "cloud".
sysadmin@datadomain# adminaccess certificate show
Subject                            Type            Application   Valid From                 Valid Until                Fingerprint
--------------------------------   -------------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
...
DigiCert Global Root G2            imported-ca     cloud         Thu Aug  1 05:00:00 2013   Fri Jan 15 04:00:00 2038   DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
DigiCert TLS RSA SHA256 2020 CA1   imported-ca     cloud         Tue Apr 13 17:00:00 2021   Sun Apr 13 16:59:59 2031   1C:58:A3:A8:51:8E:87:59:BF:07:5B:76:B7:50:D4:F2:DF:26:4F:CD
--------------------------------   -------------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
Certificate signing request (CSR) exists at /ddvar/certificates/CertificateSigningRequest.csr

Affected Products

Data Domain, Data Domain, DD OS Licensed Features
Article Properties
Article Number: 000219319
Article Type: Solution
Last Modified: 04 Jan 2025
Version:  3
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.