#Duplicate server-chain error when trying to install SSL server certificate


frozen kiln
#

I am trying to install an SSL server certificate with my own CA root and intermediate certificates for my lab environment (ONTAP simulator). I can install the certificate on the first run, but if I run my playbook again, I get the following error:

Error creating or installing certificate: {'message': 'Duplicate server-chain certificate entry found. Run "security certificate delete -type server-chain -vserver ontapsim -common-name "ontapsim" -ca "My Intermediate CA" -serial 04FA" to delete the duplicate entry. Run "security certificate show -vserver ontapsim" to view all certificates.', 'code': '3735673'}

My Playbook runs fine on older ONTAP versions like 9.6 or 9.7.

My task:

- name: Install SSL server certificate
  netapp.ontap.na_ontap_security_certificates:
    type: server
    common_name: '{{ cert.common_name }}'
    intermediate_certificates: '{{ cert.intermediate_certs }}'
    private_key: '{{ cert.private_key }}'
    public_certificate: '{{ cert.public_certificate }}'
    svm: '{{ cert.svm|default(omit) }}'

ONTAP versions: 9.8 and 9.12
Collection: 22.4.1 and 22.5.0

misty kite
#

Hi! I think I got the same error; you need to omit the svm when installing on the admin vserver. Personally I did not manage to change the certificate (and asked on https://community.netapp.com/t5/Simulator-Discussions/changing-the-SSL-certificate-in-simulator/td-p/443356 )

frozen kiln
#

Yes, that's it! If I remove the cluster name, it works.
I previously added some validations in my playbook and stored the cluster_name as default svm name.

frozen kiln
#

Regarding your problem, I think you need to combine your last two commands like this:

test1::*> security ssl modify -vserver test1 -ca testca -serial 498E6EE12BF76EC3BF9E9F3899395552C6C91F3B -server-enabled true

misty kite
#

you managed to make it work?

#

I think I tried everything

frozen kiln
#

Yes, it works.
Installing was not the problem for me, only running my playbook again.

misty kite
#

On my side the problem persists when combining the 2 commands.

frozen kiln
#

I successfully tested this on a 9.12.1 sim CLI with a CA-signed certificate (from my own testing CA with an additional intermediate certificate):

ontapsim912::> security certificate install -type server -vserver ontapsim912
ontapsim912::> ssl modify -server-enabled true -vserver ontapsim912 -serial 04FB -ca "My Intermediate CA"

Here are my other tasks from my role to activate the new certificate:
ZAPI

```yaml
- name: Get new SSL server certificate serial with ZAPI
  netapp.ontap.na_ontap_zapit:
    zapi:
      security-certificate-get-iter:
        query:
          certificate-info:
            type: server
            public-certificate: '{{ cert.public_certificate }}'
  register: cert_info
  failed_when: cert_info.failed or cert_info.response['num-records']|int != 1
  changed_when: False

- name: Assert only 1 record is retrieved (ZAPI)
  assert:
    that:
      - cert_info.response['num-records']|int == 1

- name: Set facts for SSL server certificate serial and ca (ZAPI)
  set_fact:
    cert_serial: '{{ cert_info.response["attributes-list"]["certificate-info"]["serial-number"] }}'
    cert_ca: '{{ cert_info.response["attributes-list"]["certificate-info"]["certificate-authority"] }}'

- name: Enable SSL certificate authentication for Web Server with ZAPI
  netapp.ontap.na_ontap_zapit:
    zapi:
      security-ssl-modify:
        server-authentication-enabled: true
        # vserver MUST be defined
        vserver: '{{ cert.svm }}'
        certificate-authority: '{{ cert_ca }}'
        certificate-serial-number: '{{ cert_serial }}'
  register: ontap
  changed_when: False

- name: Wait {{ timeout_s }} seconds for certificate installation to complete
  wait_for:
    timeout: '{{ timeout_s }}'
  delegate_to: localhost
```
REST

```yaml
- name: Get new SSL server certificate uuid with REST
  # Requires ONTAP 9.8
  netapp.ontap.na_ontap_rest_info:
    gather_subset: security/certificates
    fields:
      - uuid
    parameters:
      type: server
      public_certificate: '{{ cert.public_certificate }}'
  register: cert_info

- debug:
    var: cert_info
  tags: never,testpb

- name: Assert only 1 record is retrieved (REST)
  assert:
    that:
      - cert_info.ontap_info['security/certificates'].num_records|int == 1

- name: Set fact for SSL server certificate uuid (REST)
  set_fact:
    cert_uuid: '{{ cert_info.ontap_info["security/certificates"].records[0].uuid }}'

- name: Enable SSL certificate authentication for Web Server with REST ({{ ontap_version }} > {{ last_ontapi_version }})
  # requires ONTAP 9.10
  # synchronous api call -> no waiting needed
  netapp.ontap.na_ontap_restit:
    api: cluster/web
    method: PATCH
    body:
      certificate:
        uuid: '{{ cert_uuid }}'
      enabled: true
    wait_for_completion: true
  register: result
  # so the api call won't always show changed
  changed_when: False

- name: Assert new certificate has been activated
  assert:
    that: result.failed==false
    quiet: True
```

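As an added example (not code from this thread or from the netapp.ontap collection), the following Python helper does the lookup the tasks above perform, but in a form that stays idempotent on a second run and that ties together the two findings in this thread: it fingerprints the PEM instead of string-matching it, matches it against the certificate records ONTAP reports, and returns either "install", "activate" (with the uuid for the REST PATCH and the ca/serial for `security ssl modify` or the ZAPI call) or "ambiguous" when the same certificate is already installed more than once, which is the state behind error 3735673. It also shows why passing the cluster name as svm finds nothing and leads to a second install. Assumptions, all mine: the record field names (uuid, type, common_name, ca, serial_number, public_certificate, svm.name) follow the REST security/certificates schema as I recall it, cluster-scoped certificates carry no svm key, and the embedded "certificate" is placeholder bytes, not a real X.509 certificate, since only the matching logic is exercised.

```python
"""Idempotent certificate lookup for the ONTAP install/activate flow.

Added example for this thread; not code from the netapp.ontap collection.
Assumed record layout (verify against your ONTAP version's REST docs):
  uuid, type, common_name, ca, serial_number, public_certificate,
  and svm.name only for SVM-scoped certificates (cluster-scoped ones,
  i.e. the admin vserver's, carry no svm key).
"""
import base64
import hashlib
import re

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprint(pem):
    """SHA-256 hex digest of the DER bytes of the first CERTIFICATE block.

    Matching on the fingerprint rather than the PEM text is robust to
    line wrapping, CRLF endings and trailing whitespace, which otherwise
    make a public_certificate query return 0 records and force a re-install.
    """
    m = _PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block in input")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def _record_svm(record):
    """SVM name of a record, None for cluster-scoped (admin vserver) entries."""
    return (record.get("svm") or {}).get("name")


def plan_certificate(records, pem, svm=None):
    """Decide what a re-run should do for `pem` on `svm` (None = admin vserver).

    Returns {'action': 'install'} when nothing matches,
    {'action': 'activate', 'uuid', 'ca', 'serial'} for exactly one match
    (uuid for the REST PATCH, ca/serial for security ssl modify / ZAPI),
    and {'action': 'ambiguous', 'uuids': [...]} when the same certificate is
    installed more than once, the state behind ONTAP error 3735673.
    """
    fp = pem_fingerprint(pem)
    matches = [
        r for r in records
        if r.get("type") == "server"
        and _record_svm(r) == svm
        and pem_fingerprint(r["public_certificate"]) == fp
    ]
    if not matches:
        return {"action": "install"}
    if len(matches) == 1:
        r = matches[0]
        return {"action": "activate", "uuid": r["uuid"],
                "ca": r["ca"], "serial": r["serial_number"]}
    return {"action": "ambiguous", "uuids": [r["uuid"] for r in matches]}


def ssl_modify_command(vserver, ca, serial):
    """Activation command in the form used earlier in this thread."""
    return (f'security ssl modify -vserver {vserver} -ca "{ca}" '
            f'-serial {serial} -server-enabled true')


# Constructed sample data: placeholder bytes, not a real X.509 certificate.
_B64 = base64.b64encode(b"constructed placeholder, not an X.509 cert").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{_B64}\n-----END CERTIFICATE-----\n"
# The same certificate as ONTAP may echo it back: CRLF endings and re-wrapped.
SAMPLE_PEM_REWRAPPED = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + "\r\n".join(_B64[i:i + 16] for i in range(0, len(_B64), 16))
    + "\r\n-----END CERTIFICATE-----\r\n")
_OTHER_B64 = base64.b64encode(b"a different constructed certificate").decode()
SAMPLE_RECORDS = [
    {"uuid": "c0ffee00-0000-4000-8000-000000000001", "type": "server",
     "common_name": "ontapsim912", "ca": "My Intermediate CA",
     "serial_number": "04FB", "public_certificate": SAMPLE_PEM_REWRAPPED},
    {"uuid": "c0ffee00-0000-4000-8000-000000000002", "type": "server",
     "common_name": "svm1", "ca": "My Intermediate CA", "serial_number": "04FC",
     "svm": {"name": "svm1"},
     "public_certificate": f"-----BEGIN CERTIFICATE-----\n{_OTHER_B64}\n"
                           "-----END CERTIFICATE-----\n"},
]

if __name__ == "__main__":
    # Admin vserver: the certificate is already installed, so activate it.
    print(plan_certificate(SAMPLE_RECORDS, SAMPLE_PEM))
    # Passing the cluster name as svm, as in the thread, matches nothing and
    # would install a second copy on the next run.
    print(plan_certificate(SAMPLE_RECORDS, SAMPLE_PEM, svm="ontapsim912"))
    p = plan_certificate(SAMPLE_RECORDS, SAMPLE_PEM)
    print(ssl_modify_command("ontapsim912", p["ca"], p["serial"]))
```

In a playbook the `records` list is what `na_ontap_rest_info` returns under `ontap_info['security/certificates'].records` when you request the fields above; the "ambiguous" result is the point at which to stop and run the `security certificate delete` command ONTAP prints, rather than retrying the install.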
misty kite
#

out of curiosity, you run simulate with 1 or 2 nodes ? (I run with 1)

frozen kiln
#

this was on a 1 node sim