Troubleshooting issues with rotation of external CA-issued certificates
This topic provides troubleshooting information about the issues that are specific to rotation of external CA-issued certificates.
For more information on freeze mode, see the NetBackup Security and Encryption Guide.
| Sr. No. | Issue | Possible reason | Resolution |
|---|---|---|---|
| 1 | Exception with message: "Cannot connect nbsl". Web service logs show the following log statement: Cannot retrieve hostName from system property | The NetBackup Service Layer service might not be running, or CLIENT_NAME or SERVER in bp.conf is not correct for the given primary server. | Check that the NetBackup Service Layer (NBSL) service is up and running. Then increase the verbosity and retry the operation. Contact Cohesity technical support if the issue persists. |
| 2 | Exception with error code 8752: "The requested operation is not supported for the NetBackup version of the remote host." Web service logs show the following log statement: ECA automatic host cert rotation is not allowed on FLEX-SCALE | The host for which certificates are being uploaded is a Flex Scale deployment. The API is not supported for Flex Scale deployments. | Use the Flex Scale-specific methods to configure external CA-issued certificates. |
| | Web service logs show the following log statement: ECA automatic host cert rotation is not allowed on Cloudscale | The host for which certificates are being uploaded is a Cloud Scale deployment. | External CA-issued certificates are not supported for host communication on Cloud Scale deployments, so rotation of ECA certificates cannot be configured on a Cloud Scale setup. |
| 3 | Exception with message: Invalid operation in the API request body. The operation is not supported or disabled. Web service logs show the following log statement: isValidNBUVersion : 0 | The host for which certificates are being uploaded runs a NetBackup version earlier than 11.0. This API is not supported for earlier versions. | Renew the certificates manually for hosts earlier than 11.0. |
| 4 | Uploading ECA artifacts takes 15-20 seconds and fails for NetBackup servers. Web service logs show the following log statement: Received exception while getting Container deployment type | If the services on the host are down (or the bprd service is not running), only PEM files can be uploaded. For example, on an inactive node of a clustered primary server the bprd process is not running, so only PEM files can be uploaded. When non-PEM files are uploaded, NetBackup needs to connect to the host to check whether the files are supported. This applies to NetBackup servers only. | Start all the NetBackup services on the host, make sure that the bprd service is also running, and retry the upload operation. Otherwise use PEM files, which are supported across all deployment types. |
| 5 | Renewal failed with error: Failed to retrieve external certificate artifacts from credential management system. Web service logs show the following log statement: Failed to fetch eca artifacts CMS credentials | The credential management service or the database service may not be running. | Ensure that the credential management and database services are up and running. Then increase the verbosity. Contact Cohesity technical support if the issue persists. |
| 6 | Renewal failed with error: Failed to process the data of external certificate artifacts during download. Web service logs show the following log statement: Failed to decode eca artifacts CMS credentials | The primary server has not sent base64-encoded data to the respective host. | Check that the NetBackup Service Layer (NBSL) service is up and running. Then increase the verbosity. Contact Cohesity technical support if the issue persists. |
| 7 | Renewal failed with error: Failed to save external certificate artifacts to the NetBackup temporary location. Web service logs show the following log statement: Writing ECA host artifacts operation failed | Unable to write the uploaded artifacts to the NetBackup temporary location: Install_PATH/tmp | Ensure that the NetBackup services have write permission on the NetBackup temporary location Install_PATH/tmp. |
| 8 | Renewal failed with error: Failed to validate external certificate enrollment. Web service logs show the following log statement: ECA host certificate enrollment dry run failed. Check the web service logs as well. | Dry run of the uploaded artifacts failed. Possible reasons: | |
| 9 | Renewal failed with error: Failed to validate external certificate enrollment. Web service logs show the following log statement: Failed to perform enroll certificate, with error code : 44 | The size of the certificate chain is around 40 KB or more. | Ensure that the certificate chain is not too large: it must be less than 40 KB. |
| 10 | Renewal failed with error: Failed to save external certificate artifacts to the NetBackup default location. Web service logs show the following log statement: Updating ECA host artifacts at final location operation got failed | Unable to write the uploaded artifacts to the NetBackup-managed ECA artifacts location. | Ensure that the NetBackup services have write permission on the NetBackup-managed ECA artifacts locations: Install_PATH/var/vxss/credentials/ecaartifacts for the artifacts, and Install_PATH/var/vxss/ for the cacert. |
| 11 | Renewal failed with error: Failed to update the paths of external certificate artifacts in the NetBackup configuration files. Web service logs show the following log statement: New artifacts path update failed | Unable to update the NetBackup configuration files (UNIX: the bp.conf file; Windows: the registry). | Check that the NetBackup Service Layer (NBSL) service is up and running. Then increase the verbosity. Contact Cohesity technical support if the issue persists. |
| 12 | The renewal process is blocked at the validation phase. | The CRL URLs may not be accessible from the host while the CRL check level was set to LEAF or CHAIN when the certificates were uploaded. | Ensure that the CRL URLs are accessible from the host. Otherwise, use the commands to set the CRL check level to DISABLE in the bp.conf configuration file. |
| 13 | After certificate rotation, backup or backup-from-snapshot jobs fail with error code 5982. | The host is not able to verify connections using the CRL, possibly because the CRL URLs are not accessible from the host. | Ensure that the CRL URLs are accessible from the host. Otherwise, use the commands to set the CRL check level to DISABLE in the bp.conf configuration file. |
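Several of the resolutions above (rows 7, 9, 10, 12 and 13) reduce to checks an administrator can run on the host before uploading artifacts. The following pre-flight script is an added example and is not part of the NetBackup documentation or product; it assumes openssl and curl are installed, that INSTALL_PATH is the NetBackup install directory (default /usr/openv is an assumption), and that ECA_CRL_CHECK is the bp.conf option behind the "CRL check level" the table refers to (the table does not spell the option name out).

```shell
#!/bin/sh
# Added pre-flight check for an ECA certificate rotation; not part of the
# NetBackup documentation. Assumed: openssl and curl are installed, and
# INSTALL_PATH points at the NetBackup install directory (default /usr/openv).
INSTALL_PATH="${INSTALL_PATH:-/usr/openv}"
MAX_CHAIN_BYTES=40960   # 40 KB certificate-chain limit from row 9 of the table

# 0 if the directory exists and the current user can write into it (rows 7, 10).
check_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# 0 if the PEM chain file is under the 40 KB limit (row 9).
check_chain_size() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -lt "$MAX_CHAIN_BYTES" ]
}

# Prints each CRL distribution point URI found in any certificate of the chain.
list_crl_urls() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -text -noout |
        awk '/CRL Distribution Points/ {f=1; next}
             /^ *(X509v3|Signature)/  {f=0}
             f && /URI:/ {sub(/.*URI:/, ""); print}' | sort -u
}
# 0 only if every CRL URL in the chain can be fetched from this host (rows 12, 13).
check_crl_reachable() {
    rc=0
    for url in $(list_crl_urls "$1"); do
        if curl -fsS --max-time 10 -o /dev/null "$url"; then
            echo "reachable:   $url"
        else
            echo "UNREACHABLE: $url (fix access, or set ECA_CRL_CHECK to DISABLE)"
            rc=1
        fi
    done
    return $rc
}
# Runs every check against a chain file and reports all failures, not just the first.
preflight() {
    rc=0
    check_writable "$INSTALL_PATH/tmp" || { echo "not writable: $INSTALL_PATH/tmp"; rc=1; }
    check_writable "$INSTALL_PATH/var/vxss/credentials/ecaartifacts" || { echo "not writable: $INSTALL_PATH/var/vxss/credentials/ecaartifacts"; rc=1; }
    check_chain_size "$1" || { echo "chain $1 is 40 KB or larger"; rc=1; }
    check_crl_reachable "$1" || rc=1
    return $rc
}
```

Run it as the NetBackup service account (for example `preflight /path/to/chain.pem`) so that the write-permission checks reflect the account that performs the rotation.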