CloudPools Account Create Failed, or CloudPools account is unreachable with message: clapi error: CL_SSL_CACERT

Summary: CloudPools Account Create Failed with cert error.


Symptoms

Trying to create a CloudPools account returns the following error:

Account Create Failed. The CloudPools account did not create due to the following error: Account validation failed to connect to remote server: clapi error: CL_SSL_CACERT; Peer certificate cannot be authenticated with known CA certificates.

The same error also appears after an upgrade to OneFS 8.2 when viewing existing CloudPools accounts.

 

Cause

CloudPools account creation fails with this error if the root certificates are not installed correctly. The same applies to intermediate self-signed certificates.

After an upgrade to OneFS 8.2, this happens because a static list of certificates is migrated to the new store. Certificates that were installed on the system for CloudPools (such as the ECS cert) and are not part of this list are not included in the new store.

 

Resolution

Follow the steps below to resolve the issue.

  1. Run the following command to dump a list of certificates from the CloudPools server into a text file:

    openssl s_client -connect <cloudpool_server>:443 -showcerts -certform PEM > cert.txt
  2. From cert.txt, the certificate components that are needed are between the lines that start with:
    -----BEGIN CERTIFICATE----- AND -----END CERTIFICATE-----

  3. Copy the last certificate, as it should be the ROOT CA certificate from the signing authority. Copy and paste everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- into a new file called /ifs/.ifsvar/modules/cloud/cacert/<some_cloudpools_root_cert>.pem.

  4. Change the directory to the location of the certificate.

    cd /ifs/.ifsvar/modules/cloud/cacert
  5. Calculate the hash of the certificate file with the command:

    openssl x509 -hash -noout -in <some_cloudpools_root_cert>.pem
  6. Create a symbolic link to the certificate using the output of the hash value command:

    ln -s <some_cloudpools_root_cert>.pem <hash_value>.<suffix>
    Note: <suffix> starts as 0. If an existing symlink already uses that file name, use the next number as the suffix.
  7. Go through the CloudPools account creation process again.

    If the version is OneFS 8.2 or later, proceed with the next steps as needed:

  8. Run the certificate import command from the directory /ifs/.ifsvar/modules/cloud/cacert.

    Example:

    # ls -lh 94d536c0.0
    lrwxr-xr-x     1 root  wheel    39B Jun  3 10:35 94d536c0.0 -> cert_cloud account.pem
    # isi certificate authority import --certificate-path=cert_account-URI.pem --description="ECS CA" --name=ecs_cert
  9. Find the ecs_cert added to the authorities list with the command:

    # isi certificate authority list
  10. Restart isi_cpool_d service with the command:

    # isi services -a isi_cpool_d disable

    Wait 30 seconds, then run the command:

    # isi services -a isi_cpool_d enable
  11. Confirm that the cloud account is reachable and that its state is OK with the command:

    # isi cloud accounts view <account-name>
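
Steps 3 to 6 above as shell functions. This is an added example, not Dell's code, and the function names are hypothetical. It selects the last certificate of the "Certificate chain" section only, confirms that it is self-issued before installing it, and picks the first free link suffix.

```shell
#!/bin/sh
# Added example, not Dell code. Function names are hypothetical.

# Print the last PEM block of the "Certificate chain" section of a saved
# `openssl s_client -showcerts` dump. s_client repeats the server (leaf)
# certificate under "Server certificate", so parsing stops at that line.
last_chain_cert() {
    awk '
        /^Server certificate/         { exit }
        /-----BEGIN CERTIFICATE-----/ { buf = ""; grab = 1 }
        grab                          { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/   { last = buf; grab = 0 }
        END                           { printf "%s", last }
    ' "$1"
}

# Succeed only if subject equals issuer, i.e. the file holds a root rather
# than an intermediate that the server happened to send last.
is_self_issued() {
    subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
    iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Print the first unused <hash_value>.<suffix> name in a directory,
# counting from 0; -L also catches dangling symlinks that -e misses.
next_link_name() {
    dir=$1 hash=$2 n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        n=$((n + 1))
    done
    printf '%s.%s\n' "$hash" "$n"
}

# Steps 3-6: install_root cert.txt <some_cloudpools_root_cert>.pem [cacert_dir]
install_root() {
    dump=$1 pem=$2 cadir=${3:-/ifs/.ifsvar/modules/cloud/cacert}
    last_chain_cert "$dump" > "$cadir/$pem" || return 1
    if ! is_self_issued "$cadir/$pem"; then
        echo "$dump: last chain certificate is not self-issued" >&2
        rm -f "$cadir/$pem"
        return 1
    fi
    certhash=$(openssl x509 -hash -noout -in "$cadir/$pem") || return 1
    ln -s "$pem" "$cadir/$(next_link_name "$cadir" "$certhash")"
}
```

If `install_root` reports that the last chain certificate is not self-issued, the server did not send its root, and the root CA certificate has to be obtained from the signing authority instead.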

 

Additional Information

If the admin enables SSL certificate validation, either when creating an account or by changing this option from 'skip' to 'not skip', the servers must have properly installed root certificates. Otherwise, CloudPools fails to connect to cloud providers, and an SSL_CACERT_ERROR is generated.

When an account is configured to do SSL certificate validation, validation is performed whenever CloudPools connects to the cloud provider of that account, and the validation may fail. When that happens, a cluster event log entry such as 1100000009 CPOOL_CERTIFICATE_ERROR is created.

If the storage service provider has installed a self-signed certificate, then it should also show up in the certificate chain when you connect to the server. Find the self-signed certificate, as it is the root certificate to authenticate the server.

Only root certificates are required to be preinstalled onto the CloudPools cluster. If the site deploys an SSL Proxy server, it may be necessary to get and install the intermediate certificates as well.

If the copy of the root certificate is in a format other than PEM, use OpenSSL commands to convert it to PEM before installing it.

 

Affected Products

Isilon

Article Properties
Article Number: 000065641
Article Type: Solution
Last Modified: 15 Jan 2026
Version: 5