Solved

S3 Compatible Storage Untrusted Certificate

  • 21 December 2021
  • 7 replies
  • 2867 views

Robert Horowski
Commvault Certified Expert

Hi!

 

I’m trying to add S3 Compatible Storage as a Cloud Library, but I get an error:

3292  1194  12/20 10:31:44 ### [cvd] CVRFAMZS3::SendRequest() - Error: Error = 44037
3292  1194  12/20 10:31:48 ### [cvd] CURL error, CURLcode= 60, SSL peer certificate or SSH remote key was not OK

 

I already troubleshot it and I was able to successfully add the storage as a Cloud Lib using “nCloudServerCertificateNameCheck” mentioned in another thread (Thanks @Damian Andre!)

The thing is that the provider has a valid certificate Issued by:

CN = R3
O = Let's Encrypt
C = US

with root cert:

CN = ISRG Root X1
O = Internet Security Research Group
C = US

So I am wondering if, instead of ignoring all the possible certificates, I could just add this one valid certificate to Commvault so it trusts this provider and allows me to configure DiskLib. Is this possible?

Also not sure if that’s related since certificate administration is not my cup of tea, but curl-ca-bundle.crt is dated to FEB 2016 on this MA which is a fresh install of 11.26.2.

Thanks!


7 replies

Damian Andre
Vaulter
  • Vaulter
  • 1235 replies
  • December 21, 2021

Likewise, certificates are not my strong point, but if you can make the machine trust the certificate (adding the root / cert) then theoretically you could disable the key. It's a system issue more so than a Commvault one - You should be able to use a browser to navigate to the service URL / port and see if it accepts the certificate without errors as a quick test.


Robert Horowski
Commvault Certified Expert
  • Author
  • Commvault Certified Expert
  • 111 replies
  • December 21, 2021

Actually there is no issue with certificate in the browser, that’s why I thought it may be on the Commvault side.

 


Damian Andre
Vaulter
  • Vaulter
  • 1235 replies
  • December 21, 2021
Robert Horowski wrote:

Actually there is no issue with certificate in the browser, that’s why I thought it may be on the Commvault side.

 

Touché - interesting. If the local browser trusts it I would expect Commvault to as well. Did you install any certificate manually? I know there is a local and a user-specific certificate store, Commvault runs under the local system context so it might be untrusted by system but trusted by the user. I don’t recommend this in production but you could try starting the services under your user account in a test environment and see if it helps to troubleshoot.

Another possibility is if you have some sort of proxy in the environment being inherited by local system (group policy) which is causing an issue. Those are tricky to troubleshoot.


Robert Horowski
Commvault Certified Expert
  • Author
  • Commvault Certified Expert
  • 111 replies
  • December 21, 2021

It’s a test environment and it’s a fresh FR26 install so it’s all default. I don’t use proxy in my lab and I didn’t install any certificates, so it has to be something else.

As for running Commvault in user context I did the opposite and ran my browser as system account ;-) Everything looks good though.

 


Robert Horowski
Commvault Certified Expert
  • Author
  • Commvault Certified Expert
  • 111 replies
  • Answer
  • December 21, 2021

@Damian Andre I’ve been able to work around this issue with this kb https://kb.commvault.com/article/59941

I’ve added ISRG Root X1 certificate to curl-ca-bundle.crt on MediaAgent and on Commserve (so I can run DR backup to cloud lib without errors), set “nCloudServerCertificateNameCheck” to 1 and it seems to work, both AuxCopy and DRBackup to cloudlib work as expected.

Thanks!
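
An added example, not part of the original thread or of Commvault's tooling: one way to make the bundle edit described in the answer above so that the root is appended to a PEM bundle only when its SHA-256 fingerprint matches a value obtained out of band from the CA, and only once. The PEM blocks and the pin are constructed stand-ins rather than real certificates, and `fingerprints`, `add_root` and `fake_pem` are hypothetical helper names.

```python
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def _sha256(pem_block):
    # Fingerprint is taken over the DER bytes, as certificate viewers do.
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_block)).hexdigest()

def fingerprints(bundle_text):
    """SHA-256 fingerprint of every certificate in a PEM bundle."""
    return [_sha256(pem) for pem in PEM_RE.findall(bundle_text)]

def add_root(bundle_text, root_pem, expected_sha256):
    """Return (bundle, status); status is 'added' or 'present'.

    Raises ValueError if root_pem is not exactly one certificate whose
    fingerprint equals the value obtained out of band from the CA.
    """
    blocks = PEM_RE.findall(root_pem)
    if len(blocks) != 1:
        raise ValueError("expected exactly one certificate")
    got = _sha256(blocks[0])
    if got != expected_sha256.replace(":", "").lower():
        raise ValueError("fingerprint mismatch: " + got)
    if got in fingerprints(bundle_text):
        return bundle_text, "present"   # idempotent: never append twice
    return bundle_text.rstrip("\n") + "\n\n" + blocks[0] + "\n", "added"

def fake_pem(payload):
    # Constructed stand-in: PEM armour around arbitrary bytes, not real X.509.
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(payload).decode()
            + "-----END CERTIFICATE-----")

# Constructed sample data (hypothetical bundle contents and pin).
OLD_BUNDLE = fake_pem(b"old root A") + "\n" + fake_pem(b"old root B") + "\n"
NEW_ROOT = fake_pem(b"stand-in for the missing root")
PIN = hashlib.sha256(b"stand-in for the missing root").hexdigest()

if __name__ == "__main__":
    updated, status = add_root(OLD_BUNDLE, NEW_ROOT, PIN)
    print(status, len(fingerprints(updated)))
```

In real use, read curl-ca-bundle.crt and the downloaded root from disk, and take the pin from the CA's published fingerprint rather than computing it from the downloaded file.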


Damian Andre
Vaulter
  • Vaulter
  • 1235 replies
  • December 22, 2021

Awesome!

Appreciate the info. How did you run IE under the system context? You could do it in the past with psexec -i I think, but I thought MS patched that out.


Robert Horowski
Commvault Certified Expert
  • Author
  • Commvault Certified Expert
  • 111 replies
  • December 24, 2021

Hi @Damian Andre 

psexec still works pretty good on Windows 2019 :-)

 

Have a Merry Christmas and a happy new year!

 

