The PowerFlex gateway SSL certificate expires every 90 days, causing the CSI Driver to fail.
Summary: The PowerFlex gateway Secure Sockets Layer (SSL) certificate expires every 90 days. This affects the Container Storage Interface (CSI) Driver for PowerFlex deployments that use this certificate. ...
Symptoms
When the certificate stored in the secret expires, driver deployments fail. The PowerFlex driver node pods and controller pods are in a "CrashLoopBackOff" state because they fail to verify the certificate. Users are unable to perform provisioning.
Cause
The following command retrieves the PowerFlex gateway certificate. However, the PowerFlex gateway certificate expires every 90 days.
openssl s_client -showcerts -connect <Gateway IP:Port> </dev/null 2>/dev/null | openssl x509 -outform PEM > ca_cert_0.pem
Resolution
Workaround:
If users encounter issues accessing the driver due to an expired or revoked certificate, they can follow these steps to resolve the problem:
1. Update the certificate in secret using the following command:
kubectl create secret generic vxflexos-certs-0 -n vxflexos --from-file=cert-0=ca_cert_0.pem -o yaml --dry-run | kubectl replace -f -
2. Restart the driver to ensure that the latest updated secret is used to validate the SSL certificate returned by the server.
These steps help ensure that the driver can establish secure connections with the server using the updated certificate.
If the secret holds a PowerFlex gateway SSL certificate and the user wants to replace it with the Platform Root Certificate Authority (CA) certificate:
1. Obtain the certificate (Platform Root CA) using this command:
kubectl get secret -n powerflex ca-key-secret -o json -o=jsonpath="{.data.tls\.crt}" | base64 -d > ./pfmp_platform_ca.crt
2. Replace the secret.
3. Then restart the driver by deleting the driver pods. All pods should be running, with none in a "CrashLoopBackOff" state.
Resolution:
This issue is expected to be fixed in PowerFlex 4.6.x.
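To catch the 90-day expiry before the driver pods fail, the certificate held in the secret can be checked on a schedule. The shell functions below are an added example, not part of the original article or of Dell's tooling; the function names and the warning threshold are assumptions, while the secret name, namespace and key are the ones used in the commands above.

```shell
#!/bin/sh
# Added example: renewal checks for the certificate kept in the driver secret.

# cert_status <pem-file> <warn-days>  ->  prints ok | renew | expired | invalid
cert_status() {
    warn_secs=$(( $2 * 86400 ))
    # Anything openssl cannot parse as an X.509 certificate is "invalid".
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo invalid; return 0; }
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired            # notAfter is already in the past
    elif ! openssl x509 -in "$1" -noout -checkend "$warn_secs" >/dev/null 2>&1; then
        echo renew              # still valid, but expires within <warn-days>
    else
        echo ok
    fi
}

# same_cert <pem-a> <pem-b>: succeeds only when both files hold the same
# certificate (SHA-256 fingerprint match), e.g. the secret's copy and a fresh
# ca_cert_0.pem fetched from the gateway with the openssl s_client command.
same_cert() {
    fp_a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    fp_b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ "$fp_a" = "$fp_b" ]
}

# secret_cert_status <warn-days>: run cert_status against the live secret.
# Secret name, namespace and key (cert-0) are the ones used in this article.
secret_cert_status() {
    tmp=$(mktemp) || return 1
    kubectl get secret vxflexos-certs-0 -n vxflexos \
        -o jsonpath='{.data.cert-0}' | base64 -d > "$tmp"
    cert_status "$tmp" "$1"
    rm -f "$tmp"
}
```

Calling `secret_cert_status 14` from a scheduled job reports `renew` two weeks before the certificate lapses, and `same_cert` shows whether the gateway has already rotated to a certificate the secret does not contain.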
Affected Products
PowerFlex appliance R640
Products
PowerFlex rack, VxFlex Ready Nodes, PowerFlex custom node, PowerFlex appliance R650, PowerFlex appliance R6525, PowerFlex appliance R660, PowerFlex appliance R6625, PowerFlex appliance R750, PowerFlex appliance R760, PowerFlex appliance R7625, PowerFlex appliance R740XD, PowerFlex appliance R7525, PowerFlex appliance R840
Article Properties
Article Number: 000226935
Article Type: Solution
Last Modified: 08 Nov 2025
Version: 4