Solved

S3 Compatible Storage Untrusted Certificate

  • 21 December 2021

Userlevel 4
Badge +13

Hi!

 

I’m trying to add S3 Compatible Storage as a Cloud Library, but I get an error:

 

3292  1194  12/20 10:31:44 ### [cvd] CVRFAMZS3::SendRequest() - Error: Error = 44037
3292  1194  12/20 10:31:48 ### [cvd] CURL error, CURLcode= 60, SSL peer certificate or SSH remote key was not OK

 

I already troubleshot it and I was able to successfully add the storage as a Cloud Lib using “nCloudServerCertificateNameCheck” mentioned in another thread (Thanks @Damian Andre!)

 

The thing is that the provider has a valid certificate issued by:

CN = R3
O = Let's Encrypt
C = US

with root cert:

CN = ISRG Root X1
O = Internet Security Research Group
C = US

So I am wondering if, instead of ignoring all the possible certificates, I could just add this one valid certificate to Commvault so it trusts this provider and allows me to configure DiskLib. Is this possible?

 

Also, not sure if that’s related since certificate administration is not my cup of tea, but curl-ca-bundle.crt is dated Feb 2016 on this MA, which is a fresh install of 11.26.2.

Thanks!


Best answer by Robert Horowski 21 December 2021, 15:25


7 replies

Userlevel 7
Badge +23

Likewise, certificates are not my strong point, but if you can make the machine trust the certificate (adding the root / cert) then theoretically you could disable the key. It’s a system issue more so than a Commvault one - you should be able to use a browser to navigate to the service URL / port and see if it accepts the certificate without errors as a quick test.

Userlevel 4
Badge +13

Actually there is no issue with certificate in the browser, that’s why I thought it may be on the Commvault side.

 

Userlevel 7
Badge +23

Actually there is no issue with certificate in the browser, that’s why I thought it may be on the Commvault side.

 

Touché - interesting. If the local browser trusts it I would expect Commvault to as well. Did you install any certificate manually? I know there is a local and a user-specific certificate store; Commvault runs under the local system context, so it might be untrusted by the system but trusted by the user. I don’t recommend this in production, but you could try starting the services under your user account in a test environment and see if it helps to troubleshoot.

Another possibility is if you have some sort of proxy in the environment being inherited by local system (group policy) which is causing an issue. Those are tricky to troubleshoot.

Userlevel 4
Badge +13

It’s a test environment and it’s a fresh FR26 install, so it’s all default. I don’t use a proxy in my lab and I didn’t install any certificates, so it has to be something else.

As for running Commvault in user context, I did the opposite and ran my browser as the system account ;-) Everything looks good though.

 

Userlevel 4
Badge +13

@Damian Andre I’ve been able to work around this issue with this KB: https://kb.commvault.com/article/59941

I’ve added the ISRG Root X1 certificate to curl-ca-bundle.crt on the MediaAgent and on the CommServe (so I can run DR backup to the cloud lib without errors), set “nCloudServerCertificateNameCheck” to 1, and it seems to work; both AuxCopy and DRBackup to the cloud lib work as expected.

Thanks!
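
As an added example (not part of the original posts and not Commvault code): a Python helper for the fix described above, which checks whether a PEM bundle such as curl-ca-bundle.crt already contains a given root and appends it only if it is missing, as the alternative to ignoring certificate errors. The certificate bodies are constructed stand-ins rather than real certificates, and `fingerprints`, `ensure_trusted` and `_constructed_pem` are hypothetical names.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """SHA-256 fingerprint of each certificate block found in pem_text."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)]


def ensure_trusted(bundle_text, root_pem, label):
    """Append root_pem to the bundle only if that certificate is missing.

    Returns (bundle_text, added). Comparison is on the decoded bytes, so
    CRLF line endings or re-wrapped base64 do not cause a duplicate entry.
    """
    root = fingerprints(root_pem)
    if len(root) != 1:
        raise ValueError("root_pem must contain exactly one certificate")
    if root[0] in fingerprints(bundle_text):
        return bundle_text, False
    # Same layout as the existing entries: name, '=' underline, PEM block.
    entry = "\n".join([label, "=" * len(label), root_pem.strip(), ""])
    return bundle_text.rstrip() + "\n\n" + entry, True


def _constructed_pem(payload):
    """Constructed stand-in for a certificate (not valid X.509)."""
    b64 = base64.encodebytes(payload).decode().strip()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


# Constructed sample data: a one-entry "old" bundle and the root to add.
OLD_BUNDLE = "Example Old Root\n================\n" + _constructed_pem(
    b"constructed-old-root-" * 5)
NEW_ROOT = _constructed_pem(b"constructed-stand-in-for-ISRG-Root-X1-" * 5)

if __name__ == "__main__":
    updated, added = ensure_trusted(OLD_BUNDLE, NEW_ROOT, "ISRG Root X1")
    print("added:", added, "| certificates now in bundle:",
          len(fingerprints(updated)))
    _, added_again = ensure_trusted(updated, NEW_ROOT, "ISRG Root X1")
    print("second run added:", added_again)
```

On a real system, read the existing curl-ca-bundle.crt and the root's PEM file into these arguments, keep a backup of the original bundle, and confirm the root's fingerprint against the value its CA publishes before writing the result.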

Userlevel 7
Badge +23

Awesome!

Appreciate the info. How did you run IE under the system context? You could do it in the past with psexec -i I think, but I thought MS patched that out.

Userlevel 4
Badge +13

Hi @Damian Andre 

psexec still works pretty good on Windows 2019 :-)

 

Have a Merry Christmas and a happy new year!

 
