Hi
I have a problem with a Commvault LiveSync setup running with Rocky linux ver. 8.
When I am doing a test failover all is looking good.
But when I am trying to do a maintaince failover, the maintaince failover fails.
It is faillling under the recovery process on the standby node with the error saying “Failed to generate new CS client certificate”.
I have been trying to stop the selinux and firewall on both CS, and still are getting this error.
Does any have a idea on what is the problem?
Hi
The error “Failed to generate new CS client certificate” encountered during a maintenance failover in a CommServe LiveSync setup on Rocky Linux 8 generally indicates an issue related to passphrase retrieval, time synchronization, or network connectivity, rather than being limited to SELinux or firewall configurations. Below are some recommended steps to help troubleshoot and resolve this issue.
Please review the following log files for further details: Failover clients\CommServeLiveSync.log, TargetCS\CSRecoveryAssistant.log, CVD, Cvfwd.log
One of the most common causes of this error is that the passphrase has not been exported to all SQL clients participating in the LiveSync configuration. Kindly verify that the passphrase has been properly exported and that network connectivity between nodes is stable. If the issue persists after these checks, additional log analysis or escalation may be necessary.
When configuring LiveSync, it is required to export the passphrase to the SQL clients on all nodes, not only the CommServe client. If this step was missed, please export the passphrase to each SQL client by following these steps: In the CommCell Console, go to Control Panel > Security > Passphrase Management. Export the passphrase to the SQL client on both the production and standby nodes.
Additionally, please ensure that NTP is properly synchronized on both nodes, as even minor time drift can disrupt TLS operations. Confirm that both nodes resolve each other’s hostnames exactly as defined in the LiveSync and certificate configuration.
Review the CSRecoveryAssistant.log & CVD.log on the target CS for any failures related to CS client certificate generation due to time shift detection, such as: CvFwCtrlClnt::checkAndRotateCerts() - 0xEDDD0001:{CvFwCtrlClnt::forceRotateMyCerts(1588)/Int.1.0x1-Couldn't rotate certificate since time shift detected.}
If this message is observed, please verify whether the key isTimeShiftDetected is set to 1 on Target CS in the following file: /etc/CommVaultRegistry/Galaxy/Instance001/Cvd/.properties
If the value is set to 1, kindly change it to 0 and attempt the failover process again.
Regards,
Dheeraj
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
