Certificates are missing, expired, or invalid

Symptom

HPE SSMC displays an error message about a missing or invalid certificate.

Action
  1. On the HPE SSMC main menu, select Remote Copy Configurations under DATA PROTECTION.
  2. In the list pane, select the Peer Persistence or three data center Peer Persistence (3DC PP) configuration, and then select Actions > Manage Certificates.
  3. Review the certificates under Existing Quorum Witness Certificates.
  4. Verify that you have three certificates for each storage system:
    • A self-signed rootCA for the qw-client
    • A CA-signed cert for the qw-client
    • A self-signed rootCA for the qw-server

  5. Review the Expires on date for each certificate and verify that no certificate has expired.
  6. If any certificates are missing or expired, correct the certificates:
  7. If the problem persists, verify that the certificate bundles are on the Quorum Witness (QW) server.
    1. Log in as the root user to the Quorum Witness server.
    2. Confirm the cacert.pem and cert.pem files are in the /root directory. For example:
      [root@vm1234 ~]# ls -l /root
      total 12
      -rw-r--r-- 1 root root 1290 May 23 09:39 cacert.pem
      -rw-r--r-- 1 root root 4403 May 23 10:04 cert.pem
      
    3. If a certificate bundle is missing, repeat the procedure "Creating certificate bundles on the Quorum Witness server".
      Make sure that cert.pem contains the contents of the following files:
      • {SYSTEM_QW}.key.pem
      • {SYSTEM_QW}_cert.pem
      • RootCA_cert.pem

    4. If the certificate bundles are correct, go to the next step.
  8. Restart Quorum Witness so that the Quorum Witness server uses the latest certificates in the /root directory.
    1. Stop Quorum Witness.
      systemctl stop qwserv
    2. Start Quorum Witness.
      systemctl start qwserv
    3. Verify the status of the server.
      systemctl status qwserv
      ● qwserv.service - Quorum Witness server daemon
         Loaded: loaded (/usr/lib/systemd/system/qwserv.service; enabled; vendor preset: disabled)
         Active: active (running) since Thu 2019-05-23 10:16:07 MDT; 6 days ago
       Main PID: 52545 (qwserv)
         CGroup: /system.slice/qwserv.service
                 ├─52545 /usr/local/bin/qwserv -c /usr/local/etc/cert.pem -ca /usr/...
                 └─52546 /usr/local/bin/qwserv -c /usr/local/etc/cert.pem -ca /usr/...

      Active: active (running) indicates that the server is running. The since timestamp should reflect the restart.
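
The checks in steps 5 and 7 can also be run from the Quorum Witness shell. The script below is an added example, not HPE tooling: it counts the PEM blocks in a bundle and checks every certificate in it for expiry. The function names are hypothetical, and the script assumes that cert.pem holds exactly one private key and two certificates (the three files listed in step 7) and that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example (not HPE tooling): audit a Quorum Witness PEM bundle.
# Assumption: cert.pem holds exactly 1 private key and 2 certificates,
# matching the three files listed in step 7.

# Print "<private keys> <certificates>" found in PEM file $1.
pem_counts() {
    [ -r "$1" ] || return 1
    pc_keys=$(grep -c -E '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" || true)
    pc_certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    echo "$pc_keys $pc_certs"
}

# Print how many certificates in $1 expire within $2 days (0 = already
# expired). A certificate that openssl cannot parse is counted as well.
expiring_certs() {
    [ -r "$1" ] || return 2
    ec_dir=$(mktemp -d) || return 2
    # openssl x509 reads only the first block, so split the bundle first.
    awk -v d="$ec_dir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem" }
        f { print > f }
        /^-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
    ec_bad=0
    for ec_f in "$ec_dir"/*.pem; do
        [ -e "$ec_f" ] || continue
        if ! openssl x509 -in "$ec_f" -noout \
                -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
            ec_bad=$((ec_bad + 1))
        fi
    done
    rm -rf "$ec_dir"
    echo "$ec_bad"
}

# usage: audit_qw_bundle /root/cert.pem [days-of-warning, default 30]
audit_qw_bundle() {
    aq_days=${2:-30}
    aq_counts=$(pem_counts "$1") || { echo "FAIL: cannot read $1"; return 1; }
    [ "$aq_counts" = "1 2" ] || {
        echo "FAIL: $1 has '$aq_counts' keys/certs, expected '1 2'"; return 1; }
    aq_bad=$(expiring_certs "$1" "$aq_days") || return 1
    [ "$aq_bad" -eq 0 ] || {
        echo "FAIL: $aq_bad certificate(s) in $1 expire within $aq_days days"
        return 1; }
    echo "OK: $1"
}

if [ "$#" -gt 0 ]; then audit_qw_bundle "$@"; fi
```

Saved under a name of your choice, the script takes the bundle path and an optional warning window in days as arguments. Passing 0 days reports only certificates that have already expired.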