#How to renew self-signed AIQ cluster certificates?


wheat aspen

I can see that our clusters are no longer "healthy" inside AIQ... the discovery fails. I can see that an AIQ certificate has been installed on the clusters in "Trusted Certificate Auth", and it has since expired, which most likely is the cause... I tried to renew the certificate from the cluster, which I cannot... so I deleted the expired certificate. I then tried to update the relationship in AIQ, and change the password of the polling user in the cluster.. when I change this in AIQ I am asked if I want to trust the self-signed certificate of AIQ, which I agree to.. but the certificate isn't re-installed on the cluster... so the discovery fails... I don't want to remove the cluster as I will most likely lose the historic data? Is there a way to install the certificate on the cluster?

wheat aspen

A little update... We used a service account for this setup... and you might as well use the admin account because for unknown reasons the service account requires way too many rights... anyway we were unable to fix this with the service account, so we tried to change the user to the admin account.. and of course it works with the admin user... we were then able to switch back to the service account again and continue without errors... very interesting 😉 AIQ has never been my favorite NetApp software package 😉

rich lava

AIQ Servers are sometimes really tricky to fix. Usually I open a case for issues like this…

plain sapphire

Yes, but only since they've introduced this abomination called Mutual TLS.
(Not that I don't understand the value, but implementation-wise it has been absolute horror... ask anybody in NetApp support...)

wheat aspen

Since this TLS relies on certificates that eventually expire... I wonder if AIQ is capable of sending an email alerting you that your certificate is about to expire?

plain sapphire

Oh wow, there's finally an overview of this. I remember creating Excel sheets to get a grasp of which kind of certs AIQUM creates and installs as which type.
The client type one for EMS was fun.

terse viper

If you can't renew the MTLS certificate because it has already expired, there is a workaround. See solution 2.
https://kb.netapp.com/data-mgmt/AIQUM/AIQUM_Kbs/Cluster_acquisition_fails_in_AIQUM_due_to_expired_CA_certificate_for_Mutual_TLS_communication

plain sapphire

Also, after updating to 9.14 (I think), trying to enable mTLS for all the clusters didn't work at all. And all the NetApp guys always recommended was to manually disable mTLS via fancy SQL cmds.

terse viper

9.12 introduced MTLS. 9.14 introduced the REST based collection also referred to as Cloud Agent.

plain sapphire

Not sure if it's better now (9.16P2 fixed some important bugs also regarding CV integration) but really was no fun back then.

pure frost

Ahh yes, the infamous Cloud agent 😁