Certificates are missing, expired, or invalid


HPE SSMC displays an error message about a missing or invalid certificate.

  1. On the HPE SSMC main menu, select Remote Copy Configurations under DATA PROTECTION.
  2. In the list pane, select the Peer Persistence or three data center Peer Persistence (3DC PP) configuration, and then select Actions > Manage Certificates.
  3. Review the certificates under Existing Quorum Witness Certificates.
  4. Verify that you have three certificates for each storage system:
    • A self-signed rootCA for the qw-client

    • A CA-signed cert for the qw-client

    • A self-signed rootCA for the qw-server

  5. Review the Expires on dates for each certificate and verify that no certificate expired.
  6. If any certificates are missing or expired, correct the certificates:
  7. If the problem persists, verify that the certificate bundles are on the Quorum Witness (QW) server.
    1. Log in as the root user to the Quorum Witness server.
    2. Confirm the cacert.pem and cert.pem files are in the /root directory. For example:
      ls -l /root
      [root@vm1234 ~]# ls -l /root
      total 12
      -rw-r--r-- 1 root root 1290 May 23 09:39 cacert.pem
      -rw-r--r-- 1 root root 4403 May 23 10:04 cert.pem
    3. If a certificate bundle is missing, repeat Creating certificate bundles on the Quorum Witness server.
      Make sure that the cert.pem contains the following files:
      • {SYSTEM_QW}.key.pem

      • {SYSTEM_QW}_cert.pem

      • RootCA_cert.pem

    4. If the certificate bundles are correct, go to the next step.
  8. Restart Quorum Witness so that the Quorum Witness server uses the latest certificates in the /root directory.
    1. Stop Quorum Witness.
      systemctl stop qwserv
    2. Start Quorum Witness.
      systemctl start qwserv
    3. Verify the status of the server.
      systemctl status qwserv
      ● qwserv.service - Quorum Witness server daemon
         Loaded: loaded (/usr/lib/systemd/system/qwserv.service; enabled; vendor preset: disabled)
         Active: active (running) since Thu 2019-05-23 10:16:07 MDT; 6 days ago
       Main PID: 52545 (qwserv)
         CGroup: /system.slice/qwserv.service
                 ├─52545 /usr/local/bin/qwserv -c /usr/local/etc/cert.pem -ca /usr/...
                 └─52546 /usr/local/bin/qwserv -c /usr/local/etc/cert.pem -ca /usr/...

      Active: active (running) indicates the server has been restarted.