When configuring private cloud storage (for example, Pure Storage S3) with Commvault, certificate validation is required to establish secure communication between the MediaAgent and the storage system.
If the certificate is not configured correctly, you may encounter errors such as:
- SSL certificate validation failures
- Hostname mismatch errors
- Device controller unable to access storage
Example errors:
SSL: certificate subject name does not match target hostname
CURL error 60: SSL peer certificate or SSH remote key was not OK
These issues typically occur when:
- The certificate Common Name (CN) does not match the storage endpoint (IP address or FQDN).
- The certificate is not trusted by the MediaAgent.
- Required CA certificates are not configured.
Recommended Practices
- Use properly signed CA certificates or correctly generated self-signed certificates.
- Ensure that the certificate Common Name (CN) matches the storage endpoint.
- Configure certificates by using Additional Settings.
- Avoid manually modifying certificate bundle files whenever possible.
When to Use This Procedure
Use this procedure in the following situations:
- The device controller cannot access storage.
- Cloud library verification fails.
- SSL certificate mismatch errors are observed.
- You are configuring private cloud storage, such as Pure Storage S3.
- You are working in Air Gap, HyperScale Flex, or Cleanroom environments.
Important Notes
Certificate Hostname Matching
- The certificate must match the endpoint used by the storage configuration.
- If an IP address is used as the endpoint, the certificate Common Name (CN) must contain that IP address.
- If a hostname is used as the endpoint, the certificate Common Name (CN) must contain that hostname.
Multiple Service Host IP Addresses
If multiple service host IP addresses are configured:
- Use a single, consistent endpoint.
- Ensure that the certificate matches the selected endpoint.
- Avoid mixing IP addresses during certificate generation and configuration.
Prerequisites
- Access to the storage system (for example, the Pure Storage management interface).
- Access to the MediaAgent nodes.
- Root or administrative access on the MediaAgent.
- A valid root or intermediate CA certificate.
Procedure
Step 1: Generate a Certificate (If Required)
If the required certificate is unavailable or incorrect, generate a new certificate on the storage system.
Run the following commands:
openssl genrsa -out /usr/server.key 2048
openssl req -new -key /usr/server.key -out /home/server.csr
openssl x509 -req -in /home/server.csr -signkey /usr/server.key -out /home/server.crt -days 700
Step 2: Upload the Certificate to the Storage System
- Log on to the storage management interface.
- Navigate to Settings > Certificates.
- Upload the following files:
- Private key (server.key)
- Certificate (server.crt)
Ensure that the certificate is generated by using the same IP address or hostname that is configured as the storage endpoint.
Step 3: Add the customCACertificate_1 setting
Add the customCACertificate_1 setting. For instructions, see Adding a CommCell Setting.
Step 4: Restart Commvault Services
Restart Commvault services on the MediaAgent:
commvault restart
Step 5: Verify Connectivity
Run the following command to verify certificate validation and connectivity:
openssl s_client -showcerts -servername <storage_ip_or_hostname> -connect <storage_ip_or_hostname>:443 -CAfile /var/opt/Commvault/InstanceXXX/appdata/certificates/cv-curl-ca-bundle.crt
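The endpoint-matching requirement from Steps 1 and 2 can be checked locally before the files are uploaded. The script below is an added example, not part of the original procedure or of any vendor tooling; it checks that the certificate names the storage endpoint and that the private key belongs to the certificate. The function names, the script name, and the demo helper make_sample_pair are assumptions, and besides the CN rule stated on this page it also accepts a matching subjectAltName entry.

```shell
#!/bin/sh
# Added example: pre-upload checks for server.crt / server.key (Steps 1-2).

# Print the certificate's Common Name (the last CN in the subject).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p' | tail -n 1
}

# Succeed if the certificate names the endpoint: either the CN equals it (the
# rule stated on this page) or a subjectAltName entry of the same type matches.
cert_matches_endpoint() {
    cert=$1
    endpoint=$2
    [ "$(cert_cn "$cert")" = "$endpoint" ] && return 0
    case $endpoint in
        *[!0-9.]*) opt=-checkhost ;;  # anything but a dotted IPv4 literal
        *)         opt=-checkip ;;
    esac
    openssl x509 -in "$cert" -noout "$opt" "$endpoint" |
        grep -q 'does match certificate'
}

# Succeed if the private key and the certificate carry the same public key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Build a throwaway self-signed pair for a constructed endpoint (demo input).
make_sample_pair() {  # make_sample_pair DIR CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Usage: sh check_cert.sh server.crt server.key <storage_ip_or_hostname>
if [ "$#" -eq 3 ]; then
    cert_matches_endpoint "$1" "$3" ||
        { echo "certificate does not name endpoint $3" >&2; exit 1; }
    key_matches_cert "$2" "$1" ||
        { echo "private key does not belong to certificate" >&2; exit 1; }
    echo "certificate and key are consistent with endpoint $3"
fi
```

A failure of the first check corresponds to the "certificate subject name does not match target hostname" error listed above.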
Result
After completing these steps:
- The MediaAgent successfully validates the storage certificate.
- The device controller can access the storage.
- Backup and restore operations proceed normally.