ECS : Impossible de télécharger le certificat ECDSA
Summary: Un utilisateur qui tente de télécharger le certificat dans ECS reçoit l’erreur suivante : Erreurs « Failed to load the private key » OU « The provided key and certificate do not match ». ...
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
L’erreur suivante s’affiche lors du téléchargement d’un certificat signé par l’autorité de certification de gestion/données dans ECS à l’aide de l’outil de certificat ECS.
admin@ecsnode01:~/ecs_certificate_tool-1.6> python ecs_certificate_tool.py upload_certificate -c /home/admin/CER/Management/server.pem -p /home/admin/ecs_certificate_tool-1.6/generated_files/CKM0XXXX00120-management_private.key -m
ecs_certificate_tool v1.6
----------------------------------------------------------------------
Upload Certificate
----------------------------------------------------------------------
Authenticating using configured credentials..PASS
Reading certificate from: /home/admin/CER/Management/server.pem..DONE
Reading private key from: /home/admin/ecs_certificate_tool-1.6/generated_files/CKM0XXXX00120-management_private.key..DONE
Backing up existing certificate if needed..
Backed up existing certificate to : /home/admin/ecs_certificate_tool-1.6/certificate_backups/CKM0XXXX00120-management_2023-05-30-07-06-32.crt.backup
Uploading the certificate to ECS..Failed to upload certificate.
response: 999An unexpected error occurred, please check the ECS logs for more information
The provided key and certificate do not match
false headers: {'Date': 'Tue, 30 May 2023 07:06:34 GMT', 'Content-Length': '281', 'Content-Type': 'application/xml', 'Connection': 'keep-alive'}Cause
Un algorithme de clé publique et un algorithme de signature qui ne correspondent pas peuvent provoquer cette erreur.
Resolution
Vérifiez le certificat signé. Dans l’exemple suivant, l’algorithme de clé publique est RSA et l’algorithme de signature est ECDSA avec SHA512.
admin@ecsnode01:~/CER/Management> openssl x509 -text -noout -in server.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
51:89:4d:xx:a4:90:a6:a4:xx:c4:5f:xx:6d:43:ef:xx:78:91:f2:cc
Signature Algorithm: ecdsa-with-SHA512
Issuer: C=IN, ST=Bagmane, L=Bangalore, O=Dell Technologies, OU=AGI, CN=ecsnode.agi.dell.com.in/emailAddress=ecsnode@dell.com.in
Validity
Not Before: May 30 06:29:36 2023 GMT
Not After : May 28 06:29:36 2028 GMT
Subject: C=IN, ST=Bagmane, L=Bangalore, O=Dell Technologies, OU=AGI, CN=ecsnode.agi.dell.com.in/emailAddress=ecsnode@dell.com.in
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ce:e4:31:7d:b6:13:43:bc:99:59:ad:8e:99:ae:
b8:28:20:85:71:46:xx:a9:d5:17:e4:e7:2e:bb:b7:
76:4f:4f:0e:e3:xx:fe:af:2a:d8:68:c2:98:af:de:
a7:28:c0:9d:03:37:fb:a3:4a:0c:a1:24:a6:2f:2c:
9a:ff:e8:03:d9:47:bf:69:28:6f:3e:xx:81:ea:e5:
40:5b:68:fb:9f:c4:b2:67:f9:ea:7e:ea:67:95:91:
20:45:70:bb:f5:c9:b8:e0:7e:87:f8:29:13:fa:87:
40:8e:b8:2a:b5:f6:1c:c2:e0:a5:54:47:66:bf:54:
0e:a5:52:55:a4:2f:2e:48:49:45:ac:d9:08:86:0b:
10:42:77:b2:9d:59:77:62:xx:6f:9a:4b:ec:14:81:
7c:b4:a1:43:1e:53:f7:71:ae:35:9e:6f:af:d1:95:
fe:b4:53:dd:15:ad:e8:01:77:81:7b:1a:fa:16:e8:
d6:36:xx:db:e3:70:57:87:ac:6f:e7:b6:e6:25:e0:
01:3a:86:f9:28:e1:e2:aa:73:xx:ea:69:be:11:98:
3b:a1:c9:d1:c5:98:a6:66:66:91:36:ca:11:9d:40:
df:46:5c:4d:27:xx:80:99:f3:82:bf:6c:2e:ae:5a:
04:9b:10:3f:8b:04:e5:f6:30:ef:c0:9c:87:6f:82:
40:eb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:xx:DB:EF:4C:F4:xx:C3:2A:0E:2B:8C:50:xx:85:46:F2:A1:E2:E3:xx
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:ecsnode1.agi.dell.com.in, DNS:ecsnode2.agi.dell.com.in, DNS:ecsnode3.agi.dell.com.in, DNS:ecsnode4.agi.dell.com.in,DNS:ecsnode5.agi.dell.com.in, IP Address:10.xx.xx.01, IP Address:10.xx.xx.02, IP Address:10.xx.xx.03, IP Address:10.xx.xx.04, IP Address:10.xx.xx.05, IP Address:10.xx.xx.04
Signature Algorithm: ecdsa-with-SHA512
30:65:02:xx:00:f9:77:76:6c:24:9b:64:cd:e2:06:3d:70:22:
d3:85:c5:5b:63:21:54:c5:7d:5c:b5:ce:xx:ad:8c:54:3a:12:
f7:89:xx:bd:70:c6:69:3a:b0:c6:be:7c:88:3c:51:6e:f0:02:
30:5e:01:73:9c:b8:16:e6:7e:9b:9d:ab:xx:07:bb:3d:cd:7f:
94:da:fa:8c:xx:0f:3c:32:a3:93:32:da:63:6b:4c:e6:ff:f1:
2f:4e:2c:c9:9f:62:22:xx:ff:b7:a7:01:c9
Même si la CSR est signée par une autorité de certification avec l’algorithme ECDSA, la clé échoue lors de la tentative de téléchargement vers ECS.
admin@ecsnode1:~/ecs_certificate_tool-1.6> python ecs_certificate_tool.py upload_certificate -c CKMxxxxxxx048-management-ssc.crt -p CKMxxxxxxxx048-management_private.key -m
ecs_certificate_tool v1.6
----------------------------------------------------------------------
Upload Certificate
----------------------------------------------------------------------
Authenticating using configured credentials..PASS
Reading certificate from: CKMxxxxxxx048-management-ssc.crt..DONE
Reading private key from: CKMxxxxxxx048-management_private.key..DONE
Backing up existing certificate if needed..
Backed up existing certificate to : /home/admin/ecs_certificate_tool-1.6/certificate_backups/CKMxxxxxxx048-management_2023-06-17-08-39-27.crt.backup
Uploading the certificate to ECS..Failed to upload certificate.
response: 1008Invalid parameter
Failed to load the private key.
false headers: {'Date': 'Sat, 17 Jun 2023 08:39:29 GMT', 'Content-Length': '209', 'Content-Type': 'application/xml', 'Connection': 'keep-alive'} L’API de téléchargement de certificat attend une clé/certificat RSA. Par conséquent, la méthode ECDSA n’est pas prise en charge dans ECS.Affected Products
ECS, Elastic Cloud StorageArticle Properties
Article Number: 000216060
Article Type: Solution
Last Modified: 02 Oct 2023
Version: 2
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.