Db2 backup to Cloud Object Storage fails with SSL certificate verification error

Our scheduled Db2 backups to Cloud Object Storage started failing yesterday with an SSL certificate verification error. The backup command runs but fails during the upload phase with messages about certificate validation. We haven’t changed anything in our Db2 configuration recently. The error appears in the backup logs:

SSL certificate problem: unable to get local issuer certificate
ERROR: Failed to verify SSL certificate for endpoint

This is affecting our backup retention policy since we have no recent backups in COS. The Db2 instance is on IBM Cloud and we’re using the COS direct endpoint for backups. Has IBM updated something with COS certificates that would cause this?

I found the backup script - it’s using curl to upload to COS after creating the backup file locally. The curl command includes --cacert pointing to /etc/ssl/certs/ca-bundle.crt. Should I update this system-wide certificate bundle, or is there a COS-specific certificate I should be using instead?

For managed Db2 on IBM Cloud, you should still have access to update the system CA trust store. SSH into your Db2 instance and run update-ca-trust after downloading the latest CA bundle. However, there’s also a Db2-specific approach using the GSKit trust store that might be more appropriate for backup operations. Check your backup script to see which SSL library it’s using.

That would explain the timing. Our Db2 instance is managed by IBM Cloud, so I’m not sure how to update the CA certificates. Is this something I need to open a support ticket for, or can I handle it through the Db2 configuration? We’re running Db2 11.5 on RHEL 8.

I’ve resolved this exact issue for several customers. Here’s the complete fix:

For Db2 backup configuration, first verify your current CA bundle:

curl -v https://s3.direct.us-south.cloud-object-storage.appdomain.cloud
openssl s_client -connect s3.direct.us-south.cloud-object-storage.appdomain.cloud:443 -showcerts

Update the system CA certificates:

sudo yum update ca-certificates
sudo update-ca-trust force-enable
sudo update-ca-trust extract

For the COS endpoint certificate specifically, IBM Cloud COS uses DigiCert certificates. If the system update doesn’t resolve it, download and add the DigiCert root CA:

wget https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
sudo cp DigiCertGlobalRootCA.crt.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

For the trusted CA update in your Db2 backup context, modify your backup script to verify the certificate path:

db2 backup database MYDB to /backup/path
curl --cacert /etc/ssl/certs/ca-bundle.crt \
  --upload-file /backup/path/MYDB.backup \
  https://s3.direct.us-south.cloud-object-storage.appdomain.cloud/bucket/MYDB.backup

After updating the CA trust store, restart any Db2-related services that might cache SSL connections. Test the backup manually before relying on the scheduled job. The certificate verification should now succeed. This issue typically occurs when COS rotates to new certificate authorities - keeping your system CA bundle updated prevents these failures. Consider setting up automated CA certificate updates as part of your system maintenance to avoid this in the future.
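As an added example, not code from this thread or from IBM, the following shell helpers turn the openssl checks above into a pre-flight step for the backup script: they verify a certificate against the same bundle curl gets via --cacert, check the live endpoint with that bundle before any upload starts, and reproduce the "unable to get local issuer certificate" failure offline with constructed certificates (a leaf signed by a "new" root checked against a bundle that only holds an "old" root). The function names and the host name cos.example.invalid are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. "unable to get local issuer certificate"
# means the issuer of the server certificate (or of an intermediate) is not in
# the bundle that curl was given with --cacert.

# Verify a PEM certificate against a CA bundle the way curl does.
# Usage: verify_against_bundle BUNDLE.pem CERT.pem [INTERMEDIATES.pem]
# Returns 0 when the chain verifies, openssl's non-zero exit code otherwise.
verify_against_bundle() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Check the live endpoint with the same bundle before uploading anything.
# Usage: preflight_endpoint HOST BUNDLE.pem   (needs network access)
preflight_endpoint() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" \
    -CAfile "$2" -verify_return_error >/dev/null 2>&1
}

# Offline reproduction with constructed certificates (hypothetical names):
# a leaf signed by "new-root" verifies against a bundle holding new-root and
# fails against a bundle holding only old-root, which is exactly the state of
# a stale system bundle after the CA chain changes.
# Prints "<new-root result> <old-root result>" as 0 (pass) or 1 (fail).
demo_constructed_chain() {
  d=$(mktemp -d) || return 2
  for name in new-root old-root; do
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/$name.key" \
      -out "$d/$name.pem" -subj "/CN=Constructed $name CA" -days 1 \
      >/dev/null 2>&1 || return 2
  done
  openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
    -out "$d/leaf.csr" -subj "/CN=cos.example.invalid" >/dev/null 2>&1 || return 2
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/new-root.pem" \
    -CAkey "$d/new-root.key" -CAcreateserial -out "$d/leaf.pem" -days 1 \
    >/dev/null 2>&1 || return 2
  verify_against_bundle "$d/new-root.pem" "$d/leaf.pem" && ok=0 || ok=1
  verify_against_bundle "$d/old-root.pem" "$d/leaf.pem" && stale=0 || stale=1
  rm -rf "$d"
  echo "$ok $stale"
}
```

Running preflight_endpoint against the COS host with /etc/ssl/certs/ca-bundle.crt before the curl upload makes the script fail early with a clear cause instead of part-way through the upload.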

IBM did roll out certificate updates for COS endpoints last week. The new certificates use a different certificate authority chain. If your Db2 system doesn’t have the updated CA certificates, it will fail SSL verification. You need to update the trusted CA store on your Db2 server.

Update the system CA bundle first - that’s the safest approach. Download the latest CA certificates from your OS repository: sudo yum update ca-certificates on RHEL. This updates the bundle that curl references. After updating, test the connection manually with curl -v https://s3.direct.us-south.cloud-object-storage.appdomain.cloud to verify SSL works. If you’re still having issues after the OS update, you might need to explicitly add IBM Cloud’s CA certificate to the trust store.