Symptoms

The UI shows the cloud unit alert: Disconnected (SSL certificate format error). Logs contain: "The imported CA certificate of cloud provider s3_flexible referenced by cloud unit [CloudUnit] is unusable." sysadmin@datadomain# admin certificate show Subject Type Application Valid From Valid Until Fingerprint ------------------------------------- ------------- ----------- ------------------------ ------------------------ ----------------------------------------------------------- ... DigiCert TLS RSA SHA256 2020 CA1 imported-ca cloud Tue Apr 13 20:00:00 2021 Sun Apr 13 19:59:59 2031 1C:58:A3:A8:51:8E:87:59:BF:07:5B:76:B7:50:D4:F2:DF:26:4F:CD DigiCert Global Root CA imported-ca cloud Thu Nov 9 19:00:00 2006 Sun Nov 9 19:00:00 2031 A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36 ------------------------------------- ------------- ----------- ------------------------ ------------------------ ----------------------------------------------------------- Certificate signing request (CSR) exists at /ddvar/certificates/CertificateSigningRequest.csr Cloud Unit List --------------- Name Profile Status Reason ----------- ------------------- ------------ --------------------------- WasabiCloud WasabiCloud_profile Disconnected SSL bad certificate format. ----------- ------------------- ------------ --------------------------- ddfs.info 10/09 13:42:13.838932 [7fa84beea8c0] ERROR: CAL cl_request_convert_curlcode_to_err:1418 - Curl error: code:60 errno:110 uri:https://us-east-2.wasabisys.com/b584eebb7ebf1fac-8dacb8cdfdb8d2c6-d0/?prefix=/d1/3 &marker=/d1/37fd0a79/00000000247ac4aa/0000000000000000 10/09 13:42:13.838952 [7fa84beea8c0] ERROR: CAL cl_request_convert_curlcode_to_err:1430 - Curl error:SSL peer certificate or SSH remote key was not OK [60], DD errnum:5402, uri:https://us-east-2.wasabisys.com/b584eebb7ebf1fac-8dacb8cdfdb8d2c6-d0/?prefix=/d1/3&marker=/d1/37fd0a79/00000000247ac4aa/0000000000000000 date:Mon, 09 Oct 2023 17:42:13 GMT, bytes_sent:0, bytes_rcvd:0 10/09 13:42:13.838956 [7fa84beea8c0] INFO: CAL cl_conn_pool_update_counters:697 - Resetting clean_run_cnt:14 to 0, succ_cnt:1, err_cnt:1, req_cnt:3 10/09 13:42:13.838969 [7fa84beea8c0] ERROR: CAL cl_s3_list_object_op:723 - List objects ERROR 5402 SSL peer certificate or SSH remote key was not OK: prefix:/d1/3 marker:/d1/37fd0a79/00000000247ac4aa/0000000000000000 bucket:b584eebb7ebf1fac-8dacb8cdfdb8d2c6-d0 10/09 13:42:13.839005 [7fa84beea8c0] INFO: CAL cl_listobj_histogram_dump:586 - Cloud latency for list-obj op: prefix:/d1/3 bucket:b584eebb7ebf1fac-8dacb8cdfdb8d2c6-d0 op mean std-dev =5000ms total max min list-obj 598.054ms 732.947ms 0 7757 3175 318 282 91 11623 8945.000 158.000 10/09 13:42:13.839101 [7fa84beea8c0] ERROR: CAL cal_list_iterate:1550 - list_object returned error:SSL peer certificate or SSH remote key was not OK 10/09 13:42:13.839108 [7fa84beea8c0] INFO: CAL cal_cloudunit_set_unavail:1754 - Marking cloud unit:WasabiCloud as UNAVAILABLE with errno: 5402, errstr: Peer certificate cannot be authenticated with known CA certificates. 10/09 13:42:13.839110 [7fa84beea8c0] INFO: CAL cal_fetch_reason_from_io_err:5248 - Cloud unit unavail reason for err code 5402 updated to: SSL bad certificate format.

Cause

Wasabi now requires DigiCert Global Root G2 certificates instead of the previous DigiCert Global Root CA certificates.Customers should obtain the new certificate at the link below and add it to their systems.

Resolution

Download the certificate here (the second downloadable attachment):How do I obtain Wasabi's CA certificate for https support on a third-party application? Open the certificate in a text editor and add it to the Data Domain from the CLI with the command "adminaccess certificate import ca application cloud". Copy and paste it into the terminal, press CTRL+D to accept the input.Type "yes" to confirm,Run "adminaccess certificate show" to confirm the certificate has been uploaded correctly. Example: sysadmin@datadomain# adminaccess certificate import ca application cloud Enter the certificate and then press Control-D, or press Control-C to cancel. -----BEGIN CERTIFICATE----- MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI 2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx 1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV 5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY 1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4 NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91 8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl MrY= -----END CERTIFICATE----- The SHA1 fingerprint for the imported CA certificate is: DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4 Do you want to import this certificate? (yes|no) [yes]: y CA certificate imported for application(s) : "cloud". sysadmin@datadomain# adminaccess certificate show Subject Type Application Valid From Valid Until Fingerprint -------------------------------- ------------- ----------- ------------------------ ------------------------ ----------------------------------------------------------- ... DigiCert Global Root G2 imported-ca cloud Thu Aug 1 05:00:00 2013 Fri Jan 15 04:00:00 2038 DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4 DigiCert TLS RSA SHA256 2020 CA1 imported-ca cloud Tue Apr 13 17:00:00 2021 Sun Apr 13 16:59:59 2031 1C:58:A3:A8:51:8E:87:59:BF:07:5B:76:B7:50:D4:F2:DF:26:4F:CD -------------------------------- ------------- ----------- ------------------------ ------------------------ ----------------------------------------------------------- Certificate signing request (CSR) exists at /ddvar/certificates/CertificateSigningRequest.csr

Support Cases