Issues with NetBackup Certificate Authority (NBCA)
This section describes the issues observed with NBCA and their workarounds.
The following error appears in the primary server pod nbcert logs when the certificate bundle upload to the NetBackup web services pod fails:
Failed to push cert bundle to WS pod
Invalid X-NBU-CERT-BUNDLE-SECRET
Failed to create tar buffer
Failed to compress bundle file
To resolve this issue:
- Ensure that the NetBackup web services pod is running and is in a healthy state before retrying the certificate bundle upload.
- If the following error is reported in the nbcert logs, verify that the NetBackup operator is running and not reporting errors:
Invalid X-NBU-CERT-BUNDLE-SECRET
To regenerate the POST token, delete the secret using the following command:
kubectl delete secret nb-post-secret -n <namespace>
- Restart the primary server pod to trigger a retry of the certificate bundle upload.
- If the following errors are reported in the nbcert logs, verify that sufficient disk space is available on the primary server pod:
Failed to create tar buffer
Failed to compress bundle file
After resolving any disk space issues, retry the certificate bundle push using the following command:
nbcertcmd -pushCertBundle
One or more standard NetBackup pods are unable to establish secure communication due to missing or outdated security certificates.
The following errors are reported in the nbcert logs of the secure-comm container in media, bpdbm, ws, or policyjob pods:
x509: certificate signed by unknown authority
Invalid X-NBU-CERT-BUNDLE-SECRET
Failed to download certificate bundle from WS pod with error code
To resolve this issue:
- Check the primary server pod nbcert logs to confirm that the certificate bundle push completed successfully:
Successfully pushed cert bundle to WS pod
- On the affected pod, initiate an immediate certificate pull using the following command:
nbcertcmd -pullCertBundle
- If the Invalid X-NBU-CERT-BUNDLE-SECRET error is present in the nbcert logs, verify that the NetBackup operator is running and not reporting errors.
If the issue persists, delete the FETCH token secret to force regeneration by using the following command:
kubectl delete secret nb-fetch-secret -n <namespace>
- If the certificate issue continues, restart the affected pod to retry certificate retrieval.
- As a fallback, certificate retrieval is automatically retried every 4 hours.
A NetBackup pod does not complete startup and remains in a waiting state.
The following error message is displayed:
Waiting for secret files to be available
To resolve this issue:
- Ensure that the required Kubernetes secrets exist and are populated in the correct namespace:
kubectl get secret nb-post-secret nb-fetch-secret nb-ca-cert -n <namespace>
- Ensure that the nbatd pod is running.
- Restart the NetBackup operator to force secret reconciliation:
kubectl delete pod <netbackup-operator-pod> -n <operator-namespace>
- Restart the affected pod once secrets are available.
This issue occurs when the CA certificate is not populated in the Kubernetes nb-ca-cert secret.
To resolve this issue:
- Verify that the nbatd pod is running by using the following command:
kubectl get pods -n <namespace> | grep nbatd
- Verify that the required Kubernetes secret exists and is populated by using the following command:
kubectl get secret nb-ca-cert -n <namespace>
- Restart the NetBackup operator to trigger a retry of CA certificate extraction.
- Restart the affected pods after the CA certificate is successfully populated in the secret.
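The secret checks in the two procedures above (the pod stuck at "Waiting for secret files to be available" and the unpopulated nb-ca-cert secret) can be scripted so that an empty value is caught as well as a missing secret. This is an added example, not part of the NetBackup documentation; the function names are hypothetical, and because the page does not list the key names inside each secret, it checks every key it finds.

```shell
#!/bin/sh
# Added example (not NetBackup's own tooling). Function names are hypothetical.

# Go template for kubectl: prints "<key> <length of base64 value>" per data key.
TEMPLATE='{{range $k, $v := .data}}{{$k}} {{len $v}}{{"\n"}}{{end}}'

# check_populated NAME
# Reads "<key> <length>" lines on stdin. Returns 0 only if the secret has at
# least one data key and no key has a zero-length value.
check_populated() {
    name=$1 keys=0 empty=0
    while read -r key len; do
        [ -n "$key" ] || continue            # skip blank lines
        keys=$((keys + 1))
        if [ "${len:-0}" -eq 0 ]; then
            echo "$name: key '$key' is empty" >&2
            empty=$((empty + 1))
        fi
    done
    if [ "$keys" -eq 0 ]; then
        echo "$name: secret has no data keys" >&2
        return 1
    fi
    [ "$empty" -eq 0 ]
}

# check_secrets NAMESPACE
# Checks the three secrets named on this page; returns non-zero if any is
# missing or unpopulated. Only key names and lengths are read, never values.
check_secrets() {
    ns=$1 rc=0
    for s in nb-post-secret nb-fetch-secret nb-ca-cert; do
        if ! out=$(kubectl get secret "$s" -n "$ns" \
                    -o go-template="$TEMPLATE" 2>/dev/null); then
            echo "$s: not found in namespace $ns" >&2
            rc=1
        elif ! printf '%s\n' "$out" | check_populated "$s"; then
            rc=1
        fi
    done
    return $rc
}
```

Run check_secrets <namespace> from a shell with kubectl access to the cluster; a non-zero exit status means at least one secret is missing or has an empty key.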
After a NetBackup upgrade or primary server failover, the following certificate-related errors may be observed in the nbcert logs:
x509: certificate signed by unknown authority
Error: Failed to upload CA certificate bundle to CMS
touch file not found
To resolve this issue:
- Push certificates again from the new primary server by using the following command:
nbcertcmd -pushCertBundle
- Restart the primary pod to reinitialize certificate distribution.
- Verify that certificate files no longer reference NFS paths.