#x509 Error When adding Hosts to NAbox


viscid flame
#

Any one seen this error before when adding a host to NAbox? The NAbox is UTC time and the storage is set for it local US/Pacific time. All certs for storage and NAbox are current.

tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-05-21T20:03:30Z is after 2020-03-12T11:39:12Z. I can get it to add using Insecure TLS connection, but not what I prefer. Many of the storage arrays' certs don't expire until 2026. I'm running Harvest 25.05.0 & 4.0.10 NAbox.

green wigeon
#

@hollow grail

hollow grail
#

I would assume the ONTAP SSL certificate is old, are you sure about the 2026 date of your certificates?

#

Something has to be set for march 2020 somewhere

viscid flame
#

I'm going to do some digging today and check to see where the heck 2020 is being referenced and update my findings.

viscid flame
#

Well, I would have never thought the problem was a real expired cert, but after running "security certificate show -fields common-name,expiration,serial", it looks like the cert for the admin vserver has actually expired. I will fix and hopefully this will be resolved.

viscid flame
#

So I fixed the admin vserver certificate. But when I run "security certificate show -type server -vserver" there are still some dated certs for the SVMs. But the error I receive now is at least different - ": tls: failed to verify certificate: x509: certificate signed by unknown authority". It would seem that NAbox is looking at all certs as a chain and they ALL need to be for a future date???

#

The problem now though should not be expired certs and the ones for the SVM shouldn't have anything to do with the NAbox connection.

viscid flame
#

If I run "openssl s_client -connect clustername...com:443 -showcerts" from NAbox I see cert, intermediate and root ca files.

hollow grail
#

Ok, that's better, and it's normal.
If you want a valid TLS connection, ontap and nabox need to share a common CA in the configuration.
You can either install valid certificates signed by a valid CA in ONTAP and add the CA in NAbox, or you can import the ONTAP CA used to self-sign the certificates into NAbox.

viscid flame
#

All certificates across the board are already CA signed. So you are saying you want me to import the ONTAP CA cert directly into NAbox? Not the root or intermediate, just the CA cert that was returned for ONTAP? Should I do this via the GUI or CLI of NAbox?

hollow grail
#

No, in that case, NAbox just needs to know about your enterprise root CA

#

in the UI under SSL

viscid flame
#

Yeah I gave it the rootCA already and still the same problem 😢

#

Well, let me be more specific. When I created the csr for NAbox I was given a cert, intermediate and root from my certificate authority I use. Now if you want me to just get a general rootCA from our provider that is not specifically included with NAbox certs, I can do that if that’s what you are now saying to do.

hollow grail
#

I think we're talking about two different things.
From what I understand, you generated a CSR for NAbox, and got your certificate chain back that you install. That takes care of TLS when you connect to NAbox web site, and you're not getting any warning in browser, web site has a valid TLS.
Now, if you did the same thing for ONTAP (create a CSR, send it to your CA and install the certificates you got back), it's all good as well and we're on the right track.
The piece that would be missing at this point is to install the root CA in the "Root CA" section of NAbox SSL settings. Even though you have the CA in the certificate chain you installed in the first tab, that one is only used for the web server. You need to also install the root CA in SSL > Root CA.

viscid flame
#

We are on the same page for sure. I did install the root CA in the NAbox SSL settings page. Since there is not much of a confirmation of any kind, I can only assume it worked. But the certificate chain I received back from my CA for NAbox, I installed all certs returned, including the root CA in the SSL > Root CA section.

hollow grail
#

The root CA should have appeared in the list once installed

viscid flame
#

I'll check again, but then the question I figure is, if it doesn't, then what might be the next troubleshooting step?

#

I have already re-applied the certs via the GUI.

viscid flame
#

I got it working. I cleared all of the certs from the trust store and re-imported. Thanks!

viscid flame
#

One last thing, there is no workaround for NetApp hosts that have certificates not issued with the full FQDN? Meaning the cert is issued against "storage" versus "storage.am.local". You add the host using "storage.am.local" but the cert creation didn't use that common name, so the host add fails. Something like "x509: certificate is not valid for any names, but wanted to match ....". It's easy enough to generate new storage certs using the full common name but just wanted to see if there is a workaround in NAbox to avoid that.

hollow grail
#

That would go in "Additional names" when generating the CSR in the UI

#

mm, sorry about that, you're talking about ontap

#

That's how TLS works: certificates are generated for the host name(s) that must be used to connect. You would have to either fix the certificate in ONTAP, or connect using the short name.
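The three errors in this thread ("certificate has expired or is not yet valid", "certificate signed by unknown authority", and the name mismatch in the last exchange) are the verdicts of Go's crypto/x509 verifier, which is what a Go client such as Harvest runs on the ONTAP server certificate. The added example below is not NAbox or Harvest code; it is a stand-alone program that builds a constructed enterprise root CA and three leaf certificates in memory, then verifies each one the way the collector would: once against an empty trust store (NAbox before the root CA is imported under SSL > Root CA), once against a store holding the root, and once dialed by a name the certificate was not issued for. The host names `storage` and `storage.example.local`, the CA name, and the validity dates are assumptions chosen to mirror the thread; only the clock value and the March 2020 expiry come from the first error message. The order of the results also explains why the first error changed only after the expired certificate was replaced: the verifier checks validity dates before it tries to build a chain to a trusted root, and it checks the host name only after a chain has been found.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical host names; the thread's real names are not used.
const (
	shortName = "storage"
	fqdn      = "storage.example.local"
)

// makeCert issues a certificate whose CN is names[0]. With parent == nil the
// certificate is self-signed, which is how the constructed root CA is produced.
func makeCert(names []string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: names[0]},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = names // the SANs are what the dialed host name is matched against
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// classify performs the chain building and host-name check a Go TLS client runs
// on a server certificate and maps the outcome onto the errors quoted in the thread.
func classify(leaf *x509.Certificate, roots *x509.CertPool, dialedName string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dialedName, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired" // "certificate has expired or is not yet valid"
	case errors.As(err, &unknownCA):
		return "unknown-authority" // "certificate signed by unknown authority"
	case errors.As(err, &badName):
		return "hostname-mismatch" // "certificate is valid for X, not Y"
	default:
		return "other: " + err.Error()
	}
}

// RunScenarios builds the constructed CA and leaves and verifies each scenario.
func RunScenarios() (map[string]string, error) {
	y := func(year int) time.Time { return time.Date(year, 1, 1, 0, 0, 0, 0, time.UTC) }
	ca, caKey, err := makeCert([]string{"Example Enterprise Root CA"}, true, y(2015), y(2040), nil, nil)
	if err != nil {
		return nil, err
	}
	now := time.Date(2025, 5, 21, 20, 3, 30, 0, time.UTC) // clock value from the first error message
	expired, _, err := makeCert([]string{fqdn}, false, // leaf that lapsed on the date quoted there
		time.Date(2019, 3, 12, 11, 39, 12, 0, time.UTC), time.Date(2020, 3, 12, 11, 39, 12, 0, time.UTC), ca, caKey)
	if err != nil {
		return nil, err
	}
	current, _, err := makeCert([]string{fqdn}, false, y(2025), y(2027), ca, caKey)
	if err != nil {
		return nil, err
	}
	short, _, err := makeCert([]string{shortName}, false, y(2025), y(2027), ca, caKey)
	if err != nil {
		return nil, err
	}
	trusted := x509.NewCertPool() // the Root CA store after the enterprise root is imported
	trusted.AddCert(ca)
	untrusted := x509.NewCertPool() // the same store before the import
	return map[string]string{
		"expired":             classify(expired, trusted, fqdn, now),
		"untrusted-ca":        classify(current, untrusted, fqdn, now),
		"trusted-ca":          classify(current, trusted, fqdn, now),
		"short-name-by-fqdn":  classify(short, trusted, fqdn, now),
		"short-name-by-short": classify(short, trusted, shortName, now),
	}, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, verdict := range results {
		fmt.Printf("%-20s %s\n", name, verdict)
	}
}
```

Run it with `go run .`; the last two lines of output show the point of the final reply: the same short-name certificate verifies when the collector dials `storage` and fails when it dials `storage.example.local`, so the fix is either to reissue the ONTAP certificate with the FQDN in its SANs or to add the host by the name the certificate actually carries.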