Host-based backup of VMware vSphere VMs.
skrause
Veteran
Posts: 487
Liked: 106 times
Joined: Dec 08, 2014 2:58 pm
Full Name: Steve Krause

Nimble snapshot integration - Failed to get certificate

Post by skrause »

So I am trying to set up snapshot integration with our Nimble arrays (CS3000 and HF40) and on every array I am getting the same "Failed to get certificate from <array address>" as soon as I click next on the credentials section of the add storage UI.

Port 5392 is open on our firewall and I am able to reach the web interface and the API interface on 5392 with no problems from the VBR server. I am also able to log in with the account I am using in the configuration. The arrays all use self-signed certificates but that was not an issue with adding vCenter so I assume that is not the issue.

This issue happens on all of our arrays. I even set up a new VBR VM on the same VLAN to bypass all firewalls and the issue still occurs.

Has anyone seen this before? Is there some configuration on the Nimble side I am missing to enable API access (I went through all the array settings and didn't see anything)? I have read through all of the integration guides I can find and all they say is that the account needs 'administrator' (or in some newer cases 'poweruser') access on the array.

I have a case open with support: 04886148
Steve Krause
Veeam Certified Architect
HannesK
Product Manager
Posts: 14840
Liked: 3086 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: Nimble snapshot integration - Failed to get certificate

Post by HannesK »

Hello,
self-signed certificates work, I have them too. With "out of the box" settings it worked on several different systems for me. So I suggest continuing with support to find out what the issue is.

Best regards,
Hannes

Re: Nimble snapshot integration - Failed to get certificate

Post by skrause »

Sigh. I guess this is just a case of me being cursed (again).
Steve Krause
Veeam Certified Architect

Re: Nimble snapshot integration - Failed to get certificate

Post by skrause »

So I am thinking this is a cipher suite mismatch. All the documentation I can find from Nimble says it needs TLS 1.2, which should mean that the (tightened) cipher suite/protocol list we use SHOULD work, but when I run a simple Invoke-WebRequest command in PowerShell against the array I get:

Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.

Support so far has given me a couple of things to try around jumbo frames and removing/replacing the vNIC in the VBR server but neither has given me any love. I am going to try building a 2019 VM without changing the default TLS settings and see if I can get the Invoke-WebRequest command to make a connection; if that doesn't work then this is probably something I need to talk to HPE about.
Steve Krause
Veeam Certified Architect

Re: Nimble snapshot integration - Failed to get certificate

Post by HannesK »

Sounds like a good guess. When I run Invoke-WebRequest against the Nimble here, then I get a proper answer (I have Server 2019 in my environment).

Invoke-WebRequest -SkipCertificateCheck -URI https://nimble-xx.domain.local:5392

StatusCode        : 200
StatusDescription : OK
Content           : {"messages":[{"code":"SM_version","severity":"error","arguments":{"version":"v1"},"text":"API
                    version is v1."}]}
RawContent        : HTTP/1.1 200 OK
                    Connection: Keep-Alive
                    Date: Mon, 05 Jul 2021 07:23:24 GMT
                    Transfer-Encoding: chunked
                    Content-Type: application/json; charset=utf-8

                    {"messages":[{"code":"SM_version","severity":…
Headers           : {[Connection, System.String[]], [Date, System.String[]], [Transfer-Encoding, System.String[]],
                    [Content-Type, System.String[]]}
Images            : {}
InputFields       : {}
Links             : {}
RawContentLength  : 112
RelationLink      : {}


Re: Nimble snapshot integration - Failed to get certificate

Post by skrause »

A "fresh from the ISO + windows updates" VM on the same VLAN as the array cannot connect either. :/

What NimbleOS build is your array on, Hannes?
Steve Krause
Veeam Certified Architect

Re: Nimble snapshot integration - Failed to get certificate

Post by HannesK »

5.1.4.200-739124-opt is what I connect to

Re: Nimble snapshot integration - Failed to get certificate

Post by skrause »

Ok, so maybe it is a "bug" in 5.2.1.700 then.

Though when I installed PowerShell 7 (to get the skipcertcheck flag which PSv5 apparently doesn't have) it worked as you show but without the cert check it says it fails for an "untrusted root".

I tried installing the root on the windows box last week but it didn't work. Guess I will try again.
Steve Krause
Veeam Certified Architect

Re: Nimble snapshot integration - Failed to get certificate

Post by skrause » 2 people like this post

So it was, indeed, a cipher suite mismatch. Our 2019 systems all are by default set to use ECDHE ciphers which Nimble is not supporting at this time.

TLS_RSA_WITH_AES_256_CBC_SHA256 is a cipher they support for TLS 1.2. Enable that puppy (and have the account created on the array) and everything works as in the Veeam instructions.
Steve Krause
Veeam Certified Architect
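
Added example (not part of the original thread, and not Veeam or HPE code): a PowerShell check, run on the backup server, for the cipher suite mismatch described in the post above. The host name is a placeholder; port 5392 and the suite name are taken from the thread.

```powershell
# Added example (constructed): checks the Schannel/array cipher mismatch from this thread.
# Assumptions: elevated session on the backup server, Windows Server 2016+ (TLS module);
# 'nimble-array.example.local' is a placeholder host name.
param(
    [string]$ArrayHost = 'nimble-array.example.local',
    [int]$Port = 5392,
    [string]$Suite = 'TLS_RSA_WITH_AES_256_CBC_SHA256',
    [switch]$Enable   # off by default: the script only reports unless asked to change state
)

# 1. Is the suite in the local Schannel list? (-Name matches partial names, so filter exactly.)
$present = [bool](Get-TlsCipherSuite -Name $Suite | Where-Object { $_.Name -eq $Suite })
'{0} enabled locally: {1}' -f $Suite, $present

# 2. A cipher order set by Group Policy or a hardening tool is stored here.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$order = (Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue).Functions
if ($order) { 'Policy cipher order lists {0}: {1}' -f $Suite, (($order -split ',') -contains $Suite) }

# 3. Optionally enable the one suite the thread names, nothing broader.
if ($Enable -and -not $present) {
    Enable-TlsCipherSuite -Name $Suite
    "Enabled $Suite (one poster rebooted before retesting)"
}

# 4. TLS 1.2 handshake probe. The callback accepts any certificate for this probe only,
#    so the thumbprint can be compared with the array's out of band; no credentials are sent.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($ArrayHost, $Port)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($ArrayHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    [pscustomobject]@{
        Protocol    = $ssl.SslProtocol
        Cipher      = $ssl.CipherAlgorithm
        KeyExchange = $ssl.KeyExchangeAlgorithm
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
    }
} catch {
    # A handshake failure here corresponds to "Could not create SSL/TLS secure channel".
    "Connection or handshake failed: $($_.Exception.GetBaseException().Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

The suite uses RSA key exchange with CBC mode, so it provides no forward secrecy, and Schannel cipher settings apply machine-wide; enabling this single suite keeps the rest of a hardened list intact.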

Re: Nimble snapshot integration - Failed to get certificate

Post by HannesK »

Thanks for posting the solution. Yes, that cipher suite issue makes sense to me.
martintillbrook
Novice
Posts: 3
Liked: never
Joined: May 20, 2019 11:20 am
Full Name: Martin Tillbrook

Re: Nimble snapshot integration - Failed to get certificate

Post by martintillbrook »

Hi Guys
I'm having this exact same problem.
When running Invoke-WebRequest against the Nimble, I get everything back with no problems.
I've checked and have the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite installed/enabled but I'm still getting the same "Failed to get the certificate" error from Veeam.
I've checked by simply using telnet that I can connect to the Nimble on port 5392.
For reference, my Nimble is brand new, just installed and running 5.2.1.800.

Anyone got any ideas?
Thanks :)

Re: Nimble snapshot integration - Failed to get certificate

Post by skrause »

If you can connect via the commands listed above on 5392 or from a web browser then you might want to open a ticket with HPE. Their engineer and I were able to work through a number of things and he had access to the internal docs on what ciphers are supported, which are not listed in any of the customer-facing things on InfoSight.
Steve Krause
Veeam Certified Architect
dubvice
Lurker
Posts: 1
Liked: never
Joined: Feb 06, 2013 7:00 pm

Re: Nimble snapshot integration - Failed to get certificate

Post by dubvice »

skrause wrote: Jul 06, 2021 9:12 pm
So it was, indeed, a cipher suite mismatch. Our 2019 systems all are by default set to use ECDHE ciphers which Nimble is not supporting at this time.

TLS_RSA_WITH_AES_256_CBC_SHA256 is a cipher they support for TLS 1.2. Enable that puppy (and have the account created on the array) and everything works as in the Veeam instructions.

I had used IIScrypto.exe from https://www.nartac.com/Products/IISCrypto to disable a lot of ciphers and things, ultimately found the above post and re-enabled TLS_RSA_WITH_AES_256_CBC_SHA256 and rebooted and now Veeam snapshot integration to our Nimble array is working again. Thanks for posting, skrause!
Andreas Neufert
VP, Product Management
Posts: 7081
Liked: 1511 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany

Re: Nimble snapshot integration - Failed to get certificate

Post by Andreas Neufert »

Thanks for sharing this.