Troubleshooting certificate errors

If you see a security or certificate issue when you try to connect to StorageGRID using a web browser, an S3 or Swift client, or an external monitoring tool, you should check the certificate.

About this task

Certificate errors can cause problems when you try to connect to StorageGRID using the Grid Manager, Grid Management API, Tenant Manager, or the Tenant Management API. Certificate errors can also occur when you try to connect with an S3 or Swift client or external monitoring tool.

If you are accessing the Grid Manager or Tenant Manager using a domain name instead of an IP address, the browser shows a certificate error without an option to bypass if either of the following occurs:
  • Your custom management interface server certificate expires.
  • You revert from a custom management interface server certificate to the default server certificate.
The following example shows a certificate error when the custom management interface server certificate expired:
Example certificate error

To ensure that operations are not disrupted by a failed server certificate, the Expiration of server certificate for Management Interface alert is triggered when the server certificate is about to expire.

When you are using client certificates for external Prometheus integration, certificate errors can be caused by the StorageGRID management interface server certificate or by client certificates. The Expiration of certificates configured on Client Certificates page alert is triggered when a client certificate is about to expire.

Procedure

  1. If you received an alert notification about an expired certificate, access the certificate details:
    • For a server certificate, select Configuration > Network Settings > Server Certificates.
    • For a client certificate, select Configuration > Access Control > Client Certificates.
  2. Check the validity period of the certificate.
    Some web browsers and S3 or Swift clients do not accept certificates with a validity period greater than 398 days.
  3. If the certificate has expired or will expire soon, upload or generate a new certificate.
    • For a server certificate, see the steps for configuring a custom server certificate for the Grid Manager and the Tenant Manager in the instructions for administering StorageGRID.
    • For a client certificate, see the steps for configuring a client certificate in the instructions for administering StorageGRID.
  4. For server certificate errors, try either or both of the following options:
    • Ensure that the Subject Alternative Name (SAN) of the certificate is populated, and that the SAN matches the IP address or host name of the node that you are connecting to.
    • If you are attempting to connect to StorageGRID using a domain name:
      1. Enter the IP address of the Admin Node instead of the domain name to bypass the connection error and access the Grid Manager.
      2. From the Grid Manager, select Configuration > Network Settings > Server Certificates to install a new custom certificate or continue with the default certificate.
      3. In the instructions for administering StorageGRID, see the steps for configuring a custom server certificate for the Grid Manager and the Tenant Manager.