09-09-2022 06:30 AM
Hi all
NBU Virtual Master server 4.1
Configure ECA for WEBUI, only
ecaHealthCheck - all items are valid but
(Ensuring that the host name is present in either SAN or CN)
LEAF_CERTIFICATE_X509_PURPOSES_VALIDATION FAIL
(Ensuring that the certificate can be used for intended purposes)
Cause of failure
----------------
Certificate cannot be used for the client because
of the following reasons:
Extended Key Usage (TLS Web Client Authentication)
is not present.
ECA is only for WEBUI. This message should be ignored?! - https://www.veritas.com/support/en_US/article.100047175
Following ........
configure certificate is successful
nbcertcmd -getExternalCertDetails -certPath - ok - certificate is valid
restart NBU/web services does not help - webui still uses ICA certificate
vxsslcmd s_client -connect bck4:443 -showcerts
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Mountain View, O = Veritas Technologies LLC, OU = Appliance Solutions, CN = bck4.domain.uk
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Veritas Technologies LLC, OU = Appliance Solutions, CN = bck4.domain.uk
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Veritas Technologies LLC/OU=Appliance Solutions/CN=bck4.domain.uk
i:/C=US/ST=California/L=Mountain View/O=Veritas Technologies LLC/OU=Appliance Solutions/CN=bck4.domain.uk
-----BEGIN CERTIFICATE-----
check nbcertcmd -enrollCertificate
The following validations failed:
1. LEAF_CERTIFICATE_X509_PURPOSES_VALIDATION
Cause of failure
----------------
Certificate cannot be used for the client because
of the following reasons:
Extended Key Usage (TLS Web Client Authentication)
is not present.
My questions are:
1. Is not simply to create certificate with extended key. But ECA + WEBUI need not it ?
2. Any idea how to call the ECA certificate instead of ICA?
09-09-2022 08:07 AM - edited 09-09-2022 08:08 AM
Does your config pass the healthcheck? (KB article)
/usr/openv/netbackup/bin/nbcertcmd -ecahealthcheck
If healthcheck passed, do perform "CTRL+R" to refresh the browser cache for the login page. I recently renewed the WebUI certificates and when I went to the login page, it was still using the old one. Had to do Ctrl+R before it saw the new one.
09-11-2022 12:32 AM
Hi,
CTRL+R is not working. vxsslcmd s_client -connect bck4:443 -showcerts - it is condition for working of CTRL+R.
Petr
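The two properties this thread turns on, whether a certificate's Extended Key Usage includes TLS Web Client Authentication and whether it is self-signed, can be checked on any PEM file with plain openssl. The script below is an added example and is not from any of the posts or from Veritas; it assumes OpenSSL 1.1.1 or later on PATH, and the function names, file names and the host bck4.example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSL 1.1.1+ on PATH.
# Function names, file names and the host bck4.example.test are constructed.

# True if the certificate text lists the purpose, using openssl's wording,
# e.g. "TLS Web Client Authentication".
cert_has_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qF "$2"
}

# True if subject and issuer are the same name (s_client verify error 18).
cert_is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Print a short report for one PEM file.
report_cert() {
    for p in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        if cert_has_eku "$1" "$p"; then echo "$1: EKU present: $p"
        else echo "$1: EKU missing: $p"; fi
    done
    if cert_is_self_signed "$1"; then echo "$1: self-signed"
    else echo "$1: $(openssl x509 -in "$1" -noout -issuer)"; fi
}

# Build constructed test certificates in directory $1:
#   self.pem  self-signed, serverAuth only
#   leaf.pem  signed by a throwaway CA, serverAuth + clientAuth
make_sample_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=bck4.example.test" -addext "extendedKeyUsage=serverAuth" \
        -keyout "$1/self.key" -out "$1/self.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=bck4.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    printf 'extendedKeyUsage=serverAuth,clientAuth\n' > "$1/ext.cnf" &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 1 -days 1 -extfile "$1/ext.cnf" \
        -out "$1/leaf.pem" 2>/dev/null
}

demo_dir=$(mktemp -d) && make_sample_certs "$demo_dir" &&
    report_cert "$demo_dir/self.pem" && report_cert "$demo_dir/leaf.pem"
rm -rf "$demo_dir"
```

To inspect what a server is actually presenting, save the first PEM block from the `s_client -showcerts` output to a file and pass that file to `report_cert`; the same call on the external certificate file shows whether the two differ.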