Certificates are missing, expired, or invalid
HPE SSMC displays an error message about a missing or invalid certificate.
- On the HPE SSMC main menu, select Remote Copy Configurations under DATA PROTECTION.
- In the list pane, select the Peer Persistence or three data center Peer Persistence (3DC PP) configuration, and then select Actions > Manage Certificates.
- Review the certificates under Existing Quorum Witness Certificates.
- Verify that you have three certificates for each storage system:
  - A self-signed rootCA for the qw-client
  - A CA-signed cert for the qw-client
  - A self-signed rootCA for the qw-server
- Review the Expires on dates for each certificate and verify that no certificate has expired.
- If any certificates are missing or expired, correct the certificates:
  - For qw-client certificates, repeat Importing the Quorum Witness client and server certificates.
  - For the qw-server certificate, repeat Creating a CA-signed certificate for the Quorum Witness server.
- If the problem persists, verify that the certificate bundles are on the Quorum Witness (QW) server.
  - Log in as the root user to the Quorum Witness server.
  - Confirm the cacert.pem and cert.pem files are in the /root directory. For example:
      [root@vm1234 ~]# ls -l /root
      total 12
      -rw-r--r-- 1 root root 1290 May 23 09:39 cacert.pem
      -rw-r--r-- 1 root root 4403 May 23 10:04 cert.pem
  - If a certificate bundle is missing, repeat Creating certificate bundles on the Quorum Witness server. Make sure that the cert.pem contains the following files:
    - {SYSTEM_QW}.key.pem
    - {SYSTEM_QW}_cert.pem
    - RootCA_cert.pem
  - If the certificate bundles are correct, go to the next step.
- Restart Quorum Witness so that the Quorum Witness server uses the latest certificates in the /root directory.
  - Stop Quorum Witness.
      systemctl stop qwserv
  - Start Quorum Witness.
      systemctl start qwserv
  - Verify the status of the server.
      systemctl status qwserv
      ● qwserv.service - Quorum Witness server daemon
         Loaded: loaded (/usr/lib/systemd/system/qwserv.service; enabled; vendor preset: disabled)
         Active: active (running) since Thu 2019-05-23 10:16:07 MDT; 6 days ago
       Main PID: 52545 (qwserv)
         CGroup: /system.slice/qwserv.service
                 ├─52545 /usr/local/bin/qwserv -c /usr/local/etc/cert.pem -ca /usr/...
                 └─52546 /usr/local/bin/qwserv -c /usr/local/etc/cert.pem -ca /usr/...
    Active: active (running) indicates the server has been restarted.
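
The bundle and expiry checks in the steps above can be scripted on the Quorum Witness server. The following shell script is an added example, not HPE code: it assumes cert.pem is a plain concatenation of the three PEM files listed above, and the function names pem_summary, check_qw_bundle and cert_expiry are hypothetical.

```shell
# Added example, not HPE code. Assumes cert.pem is the three PEM files
# ({SYSTEM_QW}.key.pem, {SYSTEM_QW}_cert.pem, RootCA_cert.pem) concatenated.

# Print "<private keys> <certificates>" for a PEM bundle; exit status 1
# if any BEGIN/END pair is unbalanced or mismatched.
pem_summary() {
    awk '
        { sub(/\r$/, "") }                        # tolerate CRLF line endings
        /^-----BEGIN / {
            if (cur != "") bad = 1                # previous block never closed
            cur = $0; sub(/^-----BEGIN /, "", cur); sub(/-----$/, "", cur)
        }
        /^-----END / {
            label = $0; sub(/^-----END /, "", label); sub(/-----$/, "", label)
            if (label != cur) bad = 1             # END does not match its BEGIN
            else if (label == "CERTIFICATE") certs++
            else if (label ~ /PRIVATE KEY$/) keys++
            cur = ""
        }
        END {
            if (cur != "") bad = 1                # file ended inside a block
            printf "%d %d\n", keys, certs
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Return 0 only when the bundle holds exactly one private key and two certificates.
check_qw_bundle() {
    [ -r "$1" ] || { echo "missing: $1"; return 2; }
    summary=$(pem_summary "$1") || { echo "malformed PEM block in $1"; return 1; }
    [ "$summary" = "1 2" ] || { echo "$1: want 1 key + 2 certs, got $summary"; return 1; }
    echo "ok: $1"
}

# Print subject, notAfter and an expiry verdict for each certificate in a
# PEM file, looking $2 days ahead (default 30). Requires the openssl CLI.
cert_expiry() {
    secs=$(( ${2:-30} * 86400 ))
    awk -v cmd="openssl x509 -noout -subject -enddate -checkend $secs" '
        /^-----BEGIN CERTIFICATE-----/ { incert = 1 }
        incert { print | cmd }                    # feed one certificate to openssl
        /^-----END CERTIFICATE-----/ { incert = 0; close(cmd) }
    ' "$1"
}

if [ "$#" -gt 0 ]; then    # pass the bundle directory as the argument, e.g. /root
    check_qw_bundle "$1/cert.pem" && cert_expiry "$1/cert.pem" && cert_expiry "$1/cacert.pem"
fi
```

Only the certificate blocks are passed to openssl; the private key in cert.pem is counted but never printed.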