How to handle the AWS S3 certificate change effective 23 March 2021

Summary: AWS changed its S3 server certificates to certificates issued by the Amazon Trust Services CA. According to AWS communications, this change took effect starting 23 March 2021. The change affects Data Domain systems configured with a cloud tier and Data Domain Virtual Edition (DDVE) deployed on the AWS cloud platform with ATOS (Active Tier on Object Storage).

This article is not tied to any specific product. Not all product versions are identified in this article.

Symptoms

For Data Domain systems configured with a cloud tier, this certificate change causes the cloud unit to go into a Disconnected state:
 
# alert show current
Id      Post Time                  Severity   Class   Object                     Message
-----   ------------------------   --------   -----   ------------------------   -------------------------------------------------------------------------
m0-76   Mon Apr 19 15:34:03 2021   CRITICAL   Cloud   CloudUnit=aws-unit   EVT-CLOUD-00001: Unable to access provider for cloud unit aws-unit.
-----   ------------------------   --------   -----   ------------------------   -------------------------------------------------------------------------
There is 1 active alert.

# cloud unit list
Name             Profile     Status
--------------   ---------   ------------
aws-unit            aws         Disconnected
--------------   ---------   ------------

or

For DDVE deployed on AWS with ATOS, the file system is disabled and the following alert messages are shown:

 
Alert History
-------------
Id      Post Time                  Clear Time                 Severity   Class               Object   Message
-----   ------------------------   ------------------------   --------   -----------------   ------   --------------------------------------------------------------------------------------

m0-26   Tue Apr  6 13:58:41 2021   Tue Apr  6 13:59:03 2021   ERROR      Filesystem                 EVT-FILESYS-00008: Filesystem has encountered an error and is restarting.
m0-27   Tue Apr  6 14:19:59 2021   Tue Apr  6 14:20:03 2021   ALERT      Filesystem                 EVT-FILESYS-00002: Problem is preventing filesystem from

Cause

AWS changed its S3 server certificates to certificates issued by the Amazon Trust Services CA. This change took effect starting 23 March 2021.

To access the S3 bucket, the system needs the new Starfield Class 2 Certification Authority root CA certificate instead of the current Baltimore CyberTrust Root certificate.

Resolution

The following steps apply to Data Domain systems configured with a cloud tier and to DDVE deployed on the AWS cloud platform with ATOS.

  1. Check whether the system is currently using "Baltimore CyberTrust Root" for the cloud application, as in the following example:
 
sysadmin@dd01# adminaccess certificate show
Subject                     Type            Application   Valid From                 Valid Until                Fingerprint
-------------------------   -------------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
dd01.example.com             host            https         Tue Mar 26 10:38:34 2019   Wed Jan 31 10:48:38 2024   30:78:FE:93:DF:2F:9D:B5:08:D7:EC:5E:9E:89:E2:BD:16:13:E1:BA
dd01.example.com             ca              trusted-ca    Wed Mar 27 17:38:34 2019   Wed Jan 31 10:16:38 2024   CB:9D:64:39:56:48:FB:58:C6:93:40:FB:29:91:56:9A:BD:08:7A:C8
dd01.example.com             imported-host   ddboost       Sat Jun 20 15:09:16 2020   Thu Jun 19 15:09:16 2025   12:DB:62:AA:E8:59:5B:E9:63:29:A0:DC:6B:63:B2:BB:E5:77:07:C6
avamar.example.com           imported-ca     login-auth    Fri Jun 19 17:25:13 2020   Wed Jun 18 17:25:13 2025   D8:03:BB:B0:31:C4:6D:E5:9E:14:92:A8:E2:36:99:3E:97:BB:31:25
avamar.example.com           imported-ca     ddboost       Fri Jun 19 17:25:13 2020   Wed Jun 18 17:25:13 2025   D8:03:BB:B0:31:C4:6D:E5:9E:14:92:A8:E2:36:99:3E:97:BB:31:25

Baltimore CyberTrust Root    imported-ca     cloud         Fri May 12 11:46:00 2000   Mon May 12 16:59:00 2025   D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
-------------------------   -------------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
Certificate signing request (CSR) exists at /ddvar/certificates/CertificateSigningRequest.csr
  2. Download the Starfield Class 2 Certification Authority root CA certificate from the following page.
  3. Rename the file sf-class2-root.crt to sf-class2-root.pem (change only the extension).
  4. Import the certificate using the Data Domain System Manager GUI.
  • Cloud unit: "Data Management" > "File System" > "Cloud Units" > "Manage Certificates" > "Add"
  • DDVE: "Administration" > "Access" > "MANAGE CA CERTIFICATES" > "+ Add"
  • Then perform step 2 of the CLI procedure (below).
Alternatively, from the CLI:
  1. Transfer sf-class2-root.pem to /ddr/var/certificates using scp or sftp.
  2. Import the certificate:
# adminaccess certificate import ca application cloud file sf-class2-root.pem
  • Note: the Subject of this certificate may be shown as empty in the GUI or in the "adminaccess certificate show" output. This can be ignored (there is no functional problem apart from the empty display).
 
sysadmin@dd01# adminaccess certificate show
Subject                     Type            Application   Valid From                 Valid Until                Fingerprint
-------------------------   -------------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
dd01.example.com             host            https         Tue Mar 26 10:38:34 2019   Wed Jan 31 10:48:38 2024   30:78:FE:93:DF:2F:9D:B5:08:D7:EC:5E:9E:89:E2:BD:16:13:E1:BA
dd01.example.com             ca              trusted-ca    Wed Mar 27 17:38:34 2019   Wed Jan 31 10:16:38 2024   CB:9D:64:39:56:48:FB:58:C6:93:40:FB:29:91:56:9A:BD:08:7A:C8
dd01.example.com             imported-host   ddboost       Sat Jun 20 15:09:16 2020   Thu Jun 19 15:09:16 2025   12:DB:62:AA:E8:59:5B:E9:63:29:A0:DC:6B:63:B2:BB:E5:77:07:C6
avamar.example.com           imported-ca     login-auth    Fri Jun 19 17:25:13 2020   Wed Jun 18 17:25:13 2025   D8:03:BB:B0:31:C4:6D:E5:9E:14:92:A8:E2:36:99:3E:97:BB:31:25
avamar.example.com           imported-ca     ddboost       Fri Jun 19 17:25:13 2020   Wed Jun 18 17:25:13 2025   D8:03:BB:B0:31:C4:6D:E5:9E:14:92:A8:E2:36:99:3E:97:BB:31:25

Baltimore CyberTrust Root    imported-ca     cloud         Fri May 12 11:46:00 2000   Mon May 12 16:59:00 2025   D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
-                           imported-ca     cloud         Tue Jun 29 10:39:16 2004   Thu Jun 29 10:39:16 2034   AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A
-------------------------   -------------   -----------   ------------------------   ------------------------   -----------------------------------------------------------
Certificate signing request (CSR) exists at /ddvar/certificates/CertificateSigningRequest.csr
  • Do not delete the old "Baltimore CyberTrust Root" certificate. In some cases we have seen AWS fall back to the Baltimore certificate.
  • Keep it alongside the new Starfield certificate.
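As an added example (not a Dell tool and not code from this article), the following Python script parses "adminaccess certificate show" output in the layout shown above and reports whether the cloud application trusts the Starfield Class 2 root and still retains the Baltimore CyberTrust Root. It keys on the SHA-1 fingerprints shown in the article's output rather than on Subject, because the imported Starfield root may display an empty Subject. The sample listings are constructed from the article's rows, and the reference date used for expiry checks is an assumption.

```python
"""Check a Data Domain 'adminaccess certificate show' listing for the AWS S3
root CA change. Added example, not a Dell tool; it assumes the column
layout shown in the article and matches by SHA-1 fingerprint."""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Fingerprints exactly as they appear in the article's command output.
STARFIELD_CLASS2_FP = "AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A"
BALTIMORE_CYBERTRUST_FP = "D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74"

DATE_FMT = "%a %b %d %H:%M:%S %Y"
_DATE = r"\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
# Subject/Type/Application, two dates, then a 20-byte colon-separated fingerprint.
ROW_RE = re.compile(
    r"^(?P<prefix>.+?)\s+"
    rf"(?P<valid_from>{_DATE})\s+"
    rf"(?P<valid_until>{_DATE})\s+"
    r"(?P<fingerprint>[0-9A-F]{2}(?::[0-9A-F]{2}){19})\s*$"
)


def parse_certificate_show(text: str) -> List[Dict[str, str]]:
    """Parse certificate rows; prompt, header, separator and CSR lines are skipped."""
    certs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        # Subject may contain spaces ("Baltimore CyberTrust Root") or be "-";
        # Type and Application are always single tokens, so split from the right.
        parts = m.group("prefix").rsplit(None, 2)
        if len(parts) != 3:
            continue
        subject, ctype, app = parts
        certs.append({
            "subject": subject,
            "type": ctype,
            "application": app,
            "valid_from": " ".join(m.group("valid_from").split()),
            "valid_until": " ".join(m.group("valid_until").split()),
            "fingerprint": m.group("fingerprint").upper(),
        })
    return certs


def expired(cert: Dict[str, str], now: Optional[datetime] = None) -> bool:
    """True if the certificate's Valid Until date is before 'now'."""
    now = now or datetime.now()
    return datetime.strptime(cert["valid_until"], DATE_FMT) < now


def check_cloud_trust(text: str, now: Optional[datetime] = None) -> Dict[str, object]:
    """Summarise the 'cloud' application's trust store against the AWS change."""
    cloud = [c for c in parse_certificate_show(text) if c["application"] == "cloud"]
    live = {c["fingerprint"] for c in cloud if not expired(c, now)}
    has_sf = STARFIELD_CLASS2_FP in live
    has_balt = BALTIMORE_CYBERTRUST_FP in live
    if has_sf and has_balt:
        verdict = "OK: Starfield Class 2 root imported, Baltimore root retained"
    elif has_sf:
        verdict = "WARNING: Starfield root present but Baltimore root missing or expired; keep both"
    else:
        verdict = "ACTION: Starfield Class 2 root missing for application cloud"
    return {"starfield_present": has_sf, "baltimore_present": has_balt,
            "cloud_ca_count": len(cloud), "verdict": verdict}


# Constructed listings modeled on the article's rows (column widths do not matter).
HEADER = ["sysadmin@dd01# adminaccess certificate show",
          "Subject   Type   Application   Valid From   Valid Until   Fingerprint",
          "-----   -----   -----   -----   -----   -----"]
TRAILER = ["-----   -----   -----   -----   -----   -----",
           "Certificate signing request (CSR) exists at /ddvar/certificates/CertificateSigningRequest.csr"]
HOST_ROW = ("dd01.example.com             host            https         Tue Mar 26 10:38:34 2019   "
            "Wed Jan 31 10:48:38 2024   30:78:FE:93:DF:2F:9D:B5:08:D7:EC:5E:9E:89:E2:BD:16:13:E1:BA")
BALTIMORE_ROW = ("Baltimore CyberTrust Root    imported-ca     cloud         Fri May 12 11:46:00 2000   "
                 "Mon May 12 16:59:00 2025   " + BALTIMORE_CYBERTRUST_FP)
STARFIELD_ROW = ("-                           imported-ca     cloud         Tue Jun 29 10:39:16 2004   "
                 "Thu Jun 29 10:39:16 2034   " + STARFIELD_CLASS2_FP)


def listing(*rows: str) -> str:
    return "\n".join(HEADER + list(rows) + TRAILER)


BEFORE_IMPORT = listing(HOST_ROW, BALTIMORE_ROW)
AFTER_IMPORT = listing(HOST_ROW, BALTIMORE_ROW, STARFIELD_ROW)

if __name__ == "__main__":
    reference = datetime(2021, 4, 20)  # assumed check date, shortly after the change
    for label, text in (("before import", BEFORE_IMPORT), ("after import", AFTER_IMPORT)):
        print(label, check_cloud_trust(text, reference)["verdict"])
```

Paste the real output of "adminaccess certificate show" in place of the constructed listings to check a live system; because the Baltimore root itself expires in May 2025, the expiry check makes the script report when that fallback is no longer usable.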
 

Affected Products

Data Domain, PowerProtect Data Protection Software
Article Properties
Article Number: 000184415
Article Type: Solution
Last Modified: 22 Aug 2022
Version:  13