Troubleshooting certificate errors

If you see a security or certificate issue when you try to connect to StorageGRID using a web browser or an S3 or Swift client, you should check the certificate.

About this task

Certificate errors can cause problems when you try to connect to StorageGRID using the Grid Manager, Grid Management API, the Tenant Manager, or the Tenant Management API, or when you try to connect with an S3 or Swift client.

If you are accessing the Grid Manager or Tenant Manager using a domain name instead of an IP address, the browser shows a certificate error without an option to bypass if either of the following occurs:
  • Your custom management interface server certificate expires.
  • You revert from a custom management interface server certificate to the default server certificate.
The following example shows a certificate error when the custom management interface server certificate expired:
Example certificate error
Note: To ensure that operations are not disrupted by a failed server certificate, the Expiration of server certificate for Management Interface alert and the legacy Management Interface Certificate Expiry (MCEP) alarm are both triggered when the server certificate is about to expire. As required, you can view the number of days until the current service certificate expires by selecting Support > Grid Topology > primary Admin Node > CMN > Resources.

Procedure

  1. Check if the certificate used for the connection has expired.
  2. Check the validity period of the certificate.
    Some web browsers and S3 or Swift clients do not accept certificates with a validity period greater than 825 days.
  3. Ensure that the Subject Alternative Name (SAN) of the certificate is populated, and that the SAN matches the IP address or host name of the node that you are connecting to.
  4. If you are attempting to connect to StorageGRID using a domain name and a certificate error appears, follow these steps:
    1. Enter the IP address of the Admin Node instead of the domain name to bypass the connection error and access the Grid Manager.
    2. From the Grid Manager, select Configuration > Server Certificate to install a new custom certificate or continue with the default certificate.
    3. In the instructions for administering StorageGRID, see the steps for configuring a custom server certificate for the Grid Manager and the Tenant Manager.