Speaking of certs... ONTAP 9.8 includes a new addition when doing the Certificate request...
SAN: Subject Alternative Names!

Now when doing the "security certificate generate" command, there are two new options:
-ip & -dns

For -ip you can add all your admin IP addresses (node mgmts, SPs, cluster admin) and all the DNS names (including all short names and FQDNs for all the admin interfaces).

--tmac

Tim McCarthy, Principal Consultant

Proud Member of the #NetAppATeam

I Blog at TMACsRack




On Sat, Aug 14, 2021 at 9:25 AM Philbert Rupkins <philbertrupkins@gmail.com> wrote:
Not preaching to the choir.   Duly noted - thank you for that note.
I recall something similar with expired vserver certs when we upgraded
from 9.1 to 9.3.

I am planning to use the latest P-release of both 9.5 and 9.7.   I
don't recall seeing anything related to the 9.3 -> 9.7 jump that
requires a specific P release, so going with the latest seems to make
the most sense.

Though I will admit, it has to be a P release that has been out for a
while.   I tend to avoid deploying P releases that have been out for
<1 month.   That's not a best practice or anything, just a safety net
of sorts that we've adopted as an IT organization.    The only
exception to that "rule" is if we're in a buggy release and a
just-released-patch includes a fix for a specific problem we're
experiencing.

Phil

On Fri, Aug 13, 2021 at 5:54 PM John Clear <jac@panix.com> wrote:
>
> I'm probably preaching to the choir here, but make sure you use
> 9.5P-latest or at least a recent P release.  That way, if you have
> to stop at the 9.5 hop for any reason, you are on a recent release.
>
> Also, there is a BURT in 9.5P5 and earlier that requires manual
> intervention to deal with expired certificates.  9.5P6 and later
> have the updated certs.
>
> https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1250500
>
> John
>
> On Fri, Aug 13, 2021 at 03:45:13PM -0500, Philbert Rupkins wrote:
> > Excellent!   Thanks for the responses.   Glad to hear this is a smooth
> > process.
> >
> > We've got two 6 node clusters  (each cluster = 3 HA pairs) to upgrade.
> > Snapmirror relationships between each cluster, no cascading to a third
> > cluster or anything like that.
> >
> > We've never performed a double ONTAP upgrade during a single
> > maintenance window so were a bit hesitant when we saw this upgrade
> > path.   This feedback helps alleviate my concerns, really appreciate
> > it.  I'll be sure to double the usual maintenance window to allow time
> > for both upgrades.
> >
> > Excited to get to 9.7.   I really wish 9.7 included the GA release of
> > ONTAP S3 but I suppose we'll just have to wait until we get to 9.8.
> >
> > Happy weekend everybody!
> > -Phil
> >
> > On Fri, Aug 13, 2021 at 2:46 PM Mitch Wright <mishigas@gmail.com> wrote:
> > >
> > > Philbert:
> > >
> > > We did this recently and the upgrade was smooth.
> > > Your understanding is correct, it upgrades to 9.5 and then 9.7, but otherwise is the typical process.
> > >
> > > On Fri, Aug 13, 2021 at 12:05 PM Philbert Rupkins <philbertrupkins@gmail.com> wrote:
> > >>
> > >> Hello Toasters,
> > >>
> > >> Anybody have experience, positive or negative,  upgrading from 9.3 to 9.7?
> > >>
> > >> It is a supported automated upgrade path but requires packages for
> > >> both 9.5 and 9.7.   My understanding is each node will be upgraded
> > >> twice (once to 9.5 then to 9.7) but otherwise should follow the
> > >> typical automated upgrade routine.
> > >>
> > >> Thank You
> > >> Phil
> > >> _______________________________________________
> > >> Toasters mailing list
> > >> Toasters@teaparty.net
> > >> https://www.teaparty.net/mailman/listinfo/toasters