Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

Article Number: 000193534


PowerScale: Google Certificates nearing expiration alerts

Summary: On December 15, 2021, there is a refresh to the Google certificate authority that we use within OneFS.

Article Content


Symptoms

As of November 15, 2021, OneFS alerts that Google Root certificates are expiring on December 15, 2021.   

CELOG alerts display: 
Certificate 'GoogleInternetAuthority_G3' in 'system_ca' store is nearing expiration: <Date/Time>.

This impacts the following Certificate Authorities: 
GoogleInternetAuthority_G4
GoogleTrustServices_CA_1O1
GoogleInternetAuthority_G3
GlobalSign-Root-R2
GoogleTrustServices_CA_1D2

Use the following command to see the expiring authorities: 
# isi certificate authority list | grep expir

When the CAs expire on December 15, 2021, CELOG will send a critical alert that the certificate has expired. This can be treated in the same manner as the above nearing expiration events.

Cause

This is due to a timestamp that Google has to refresh or renew in its root certificates. The CELOG warning alert is set to trigger one month ahead of expiration, and a critical alert may trigger at the time of expiration.  
 
These certificate authorities were used for Google CloudPools configurations, however all clusters alert for the expiring authority.

Resolution

The expiring certificate authorities (CA) are no longer being used by Google per the following release

Check if you are using a Google Cloud account: 
# isi cloud account list

If you are not using CloudPools in any way, or are using CloudPools with a service other than Google Cloud as your object store provider, then it is safe to remove these five certificates. 

If you are using Google Cloud as your Object Store provider and your cloud provider URI is "storage.googleapis.com", then it is safe to remove these five certificates. 
 
If you are using Google Cloud and it is using a URI other than "storage.googleapis.com", contact your object store provider to ensure they have updated the TLS certificates before removing the five expiring certificates from the cluster.


To remove the expiring CAs, use the following commands: 
# isi certificate authority delete GoogleInternetAuthority_G4
# isi certificate authority delete GoogleTrustServices_CA_1O1
# isi certificate authority delete GoogleInternetAuthority_G3
# isi certificate authority delete GlobalSign-Root-R2
# isi certificate authority delete GoogleTrustServices_CA_1D2
 

Article Properties


Affected Product

PowerScale OneFS

Last Published Date

19 Nov 2021

Version

5

Article Type

Solution

Rate This Article


Accurate
Useful
Easy to Understand
Was this article helpful?

0/3000 characters