https://community.cisco.com/t5/cisco-catalyst-center/dna-center-appliance-no-longer-accepting-connections-via-http/m-p/4612544#M5436 <P>Hello,</P><P>&nbsp;</P><P>I was finally able to circle back around and get to this situation. All 3 commands, yielded output. The first command I ran from the maglev shell, the other two, from the bash shell.</P><P>&nbsp;</P><P>$ sudo maglev-config certs info<BR />--------------------------------------------------------------------------------<BR />certificate start date end date<BR />--------------------------------------------------------------------------------<BR />credentialmanager.pem May 12 21:03:59 2022 GMT May 12 21:03:59 2023 GM T<BR />kong.pem May 12 21:03:59 2022 GMT May 12 21:03:59 2023 GM T<BR />kube-worker-1.pem May 12 21:03:59 2022 GMT May 12 21:03:59 2023 GM T<BR />maglev-registry.pem May 12 21:03:59 2022 GMT May 12 21:03:59 2023 GM T<BR />apiserver.crt Dec 12 14:04:35 2019 GMT Feb 16 02:44:31 2023 GM T<BR />apiserver-kubelet-client.crt Dec 12 14:04:35 2019 GMT Feb 16 02:44:32 2023 GM T<BR />front-proxy-ca.crt Sep 3 02:27:53 2020 GMT Sep 1 02:27:53 2030 GM T<BR />front-proxy-client.crt Sep 3 02:27:53 2020 GMT Feb 16 02:44:32 2023 GM T<BR />admin.conf Dec 12 14:04:35 2019 GMT Feb 16 02:44:33 2023 GM T<BR />scheduler.conf Dec 12 14:04:35 2019 GMT Feb 16 02:44:33 2023 GM T<BR />controller-manager.conf Dec 12 14:04:35 2019 GMT Feb 16 02:44:34 2023 GM T<BR />--------------------------------------------------------------------------------</P><P>&nbsp;</P><P>&nbsp;</P><P>maglev@maglev-master-1:~$ for f in scheduler.conf controller-manager.conf admin.conf kubelet.conf; do echo "$f"; sudo awk -F ":" '/certificate-authority-data/ {print $2}' /etc/kubernetes/$f | tr -d ' ' |base64 -d | openssl x509 -noout -dates -issuer -issuer_hash;done<BR />scheduler.conf<BR />notBefore=Dec 12 14:04:35 2019 GMT<BR />notAfter=Sep 7 14:04:35 2022 GMT<BR />issuer= /CN=kube-ca<BR />d43a9042<BR />controller-manager.conf<BR />notBefore=Dec 12 14:04:35 2019 GMT<BR />notAfter=Sep 7 14:04:35 2022 GMT<BR />issuer= /CN=kube-ca<BR />d43a9042<BR />admin.conf<BR />notBefore=Dec 12 14:04:35 2019 GMT<BR />notAfter=Sep 7 14:04:35 2022 GMT<BR />issuer= /CN=kube-ca<BR />d43a9042<BR />kubelet.conf<BR />notBefore=Dec 12 14:04:35 2019 GMT<BR />notAfter=Sep 7 14:04:35 2022 GMT<BR />issuer= /CN=kube-ca<BR />d43a9042<BR />maglev@maglev-master-1:~$ for f in scheduler.conf controller-manager.conf admin.conf kubelet.conf; do echo "$f"; sudo awk -F ":" '/client-certificate-data/ {print $2}' /etc/kubernetes/$f | tr -d ' ' |base64 -d | openssl x509 -noout -dates -issuer -issuer_hash -subject;done<BR />scheduler.conf<BR />notBefore=Dec 12 14:04:35 2019 GMT<BR />notAfter=Feb 16 02:44:33 2023 GMT<BR />issuer= /CN=kube-ca<BR />d43a9042<BR />subject= /CN=system:kube-scheduler<BR />controller-manager.conf<BR />notBefore=Dec 12 14:04:35 2019 GMT<BR />notAfter=Feb 16 02:44:34 2023 GMT<BR />issuer= /CN=kube-ca<BR />d43a9042<BR />subject= /CN=system:kube-controller-manager<BR />admin.conf<BR />notBefore=Dec 12 14:04:35 2019 GMT<BR />notAfter=Feb 16 02:44:33 2023 GMT<BR />issuer= /CN=kube-ca<BR />d43a9042<BR />subject= /O=system:masters/CN=kubernetes-admin<BR />kubelet.conf</P><P>notBefore=Dec 12 14:04:35 2019 GMT<BR />notAfter=Sep 3 02:27:55 2021 GMT<BR />issuer= /CN=kube-ca<BR />d43a9042<BR />subject= /O=system:nodes/CN=system:node:10.1.253.50<BR /><A href="mailto:maglev@maglev-master-1:~$" target="_blank">maglev@maglev-master-1:~$</A></P><P>&nbsp;</P><P>It appears the second kubelet.conf cert may've expired?</P><P>&nbsp;</P><P>I will open a TAC Case. Thank you for having provided these helpful commands.</P><P>&nbsp;</P><P>Terry</P> Wed, 18 May 2022 17:49:46 GMT zachartl 2022-05-18T17:49:46Z https://community.cisco.com/t5/cisco-catalyst-center/dna-center-appliance-no-longer-accepting-connections-via-http/m-p/4607681#M5381 <P>Hello,</P><P>We've a DNA Center Appliance no longer accepting connections to the GUI Interface via HTTP/HTTPS. The CIMC Interface is reachable and so is the Maglev shell. I can access and use the maglev configuration wizard and I've tried using that to reinstantiate the configuration parameters but the configuration hangs on the kong certificate installation and aborts. I've queried the maglev package status and get this;</P><P>$ maglev package status<BR />ERROR: HTTPSConnectionPool(host='kong-frontend.maglev-system.svc.cluster.local', port=443): Max retries exceeded with url: /api/system/v1/catalog/package?allVer sions=false&amp;repository=main&amp;keepForever=false (Caused by NewConnectionError('&lt;ur llib3.connection.VerifiedHTTPSConnection object at 0x7fabaa5446d0&gt;: Failed to es tablish a new connection: [Errno -3] Temporary failure in name resolution',))</P><P>&nbsp;</P><P>I've ran this openssl command and get this repsonse;</P><P>$ echo | openssl s_client -showcerts -servername localhost - connect:443 2&gt;/dev/ null | openssl x509 -inform pem -noout -text<BR />unable to load certificate<BR />139899937572504:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c :701:Expecting: TRUSTED CERTIFICATE</P><P>&nbsp;</P><P>I'm thinking this a bad thing given the other support threads I've reviewed in relation to this symptom. Is there a way to get the data store off of this appliance if need be to either import into another DNA cluster or as a backup and then reimport the data store once the appliance is re-imaged, if it comes to that?</P><P>&nbsp;</P><P>Thank you!</P><P>Terry</P><P>&nbsp;</P> Tue, 10 May 2022 18:49:09 GMT https://community.cisco.com/t5/cisco-catalyst-center/dna-center-appliance-no-longer-accepting-connections-via-http/m-p/4607681#M5381 zachartl 2022-05-10T18:49:09Z https://community.cisco.com/t5/cisco-catalyst-center/dna-center-appliance-no-longer-accepting-connections-via-http/m-p/4608200#M5383 <P>Hi</P><P>&nbsp;Not long ago I worked with cisco TAC in a similar problem where DNAC was no longer respondiing HTTP/HTTPS and they restart service. The problem is, I dont remember which service.</P><P>&nbsp;I imagine that you already reload it.</P> Wed, 11 May 2022 13:12:45 GMT https://community.cisco.com/t5/cisco-catalyst-center/dna-center-appliance-no-longer-accepting-connections-via-http/m-p/4608200#M5383 Flavio Miranda 2022-05-11T13:12:45Z https://community.cisco.com/t5/cisco-catalyst-center/dna-center-appliance-no-longer-accepting-connections-via-http/m-p/4608235#M5385 <P>what DNAC version ? have you rebooted and tested ?</P> <P>&nbsp;</P> Wed, 11 May 2022 13:39:39 GMT https://community.cisco.com/t5/cisco-catalyst-center/dna-center-appliance-no-longer-accepting-connections-via-http/m-p/4608235#M5385 balaji.bandi 2022-05-11T13:39:39Z https://community.cisco.com/t5/cisco-catalyst-center/dna-center-appliance-no-longer-accepting-connections-via-http/m-p/4610222#M5405 <P>Most likely you have internal certificates that have expired or have lost a "symbolic link". Check the following three commands. If you see anything expired or the commands do not work, the only resolution is to open a case with Cisco TAC.</P> <P>sudo maglev-config certs info</P> <P>for f in scheduler.conf controller-manager.conf admin.conf kubelet.conf; do echo "$f"; sudo awk -F ":" '/certificate-authority-data/ {print $2}' /etc/kubernetes/$f | tr -d ' ' |base64 -d | openssl x509 -noout -dates -issuer -issuer_hash;done</P> <P>for f in scheduler.conf controller-manager.conf admin.conf kubelet.conf; do echo "$f"; sudo awk -F ":" '/client-certificate-data/ {print $2}' /etc/kubernetes/$f | tr -d ' ' |base64 -d | openssl x509 -noout -dates -issuer -issuer_hash -subject;done</P> <P>&nbsp;</P> Sat, 14 May 2022 16:10:12 GMT https://community.cisco.com/t5/cisco-catalyst-center/dna-center-appliance-no-longer-accepting-connections-via-http/m-p/4610222#M5405 edust 2022-05-14T16:10:12Z https://community.cisco.com/t5/cisco-catalyst-center/dna-center-appliance-no-longer-accepting-connections-via-http/m-p/4612544#M5436 <P>Hello,</P><P>&nbsp;</P><P>I was finally able to circle back around and get to this situation. All 3 commands, yielded output. The first command I ran from the maglev shell, the other two, from the bash shell.</P><P>&nbsp;</P><P>$ sudo maglev-config certs info<BR />--------------------------------------------------------------------------------<BR />certificate start date end date<BR />--------------------------------------------------------------------------------<BR />credentialmanager.pem May 12 21:03:59 2022 GMT May 12 21:03:59 2023 GM T<BR />kong.pem May 12 21:03:59 2022 GMT May 12 21:03:59 2023 GM T<BR />kube-worker-1.pem May 12 21:03:59 2022 GMT May 12 21:03:59 2023 GM T<BR />maglev-registry.pem May 12 21:03:59 2022 GMT May 12 21:03:59 2023 GM T<BR />apiserver.crt Dec 12 14:04:35 2019 GMT Feb 16 02:44:31 2023 GM T<BR />apiserver-kubelet-client.crt Dec 12 14:04:35 2019 GMT Feb 16 02:44:32 2023 GM T<BR />front-proxy-ca.crt Sep 3 02:27:53 2020 GMT Sep 1 02:27:53 2030 GM T<BR />front-proxy-client.crt Sep 3 02:27:53 2020 GMT Feb 16 02:44:32 2023 GM T<BR />admin.conf Dec 12 14:04:35 2019 GMT Feb 16 02:44:33 2023 GM T<BR />scheduler.conf Dec 12 14:04:35 2019 GMT Feb 16 02:44:33 2023 GM T<BR />controller-manager.conf Dec 12 14:04:35 2019 GMT Feb 16 02:44:34 2023 GM T<BR />--------------------------------------------------------------------------------</P><P>&nbsp;</P><P>&nbsp;</P><P>maglev@maglev-master-1:~$ for f in scheduler.conf controller-manager.conf admin.conf kubelet.conf; do echo "$f"; sudo awk -F ":" '/certificate-authority-data/ {print $2}' /etc/kubernetes/$f | tr -d ' ' |base64 -d | openssl x509 -noout -dates -issuer -issuer_hash;done<BR />scheduler.conf<BR />notBefore=Dec 12 14:04:35 2019 GMT<BR />notAfter=Sep 7 14:04:35 2022 GMT<BR />issuer= /CN=kube-ca<BR />d43a9042<BR />controller-manager.conf<BR />notBefore=Dec 12 14:04:35 2019 GMT<BR />notAfter=Sep 7 14:04:35 2022 GMT<BR />issuer= /CN=kube-ca<BR />d43a9042<BR />admin.conf<BR />notBefore=Dec 12 14:04:35 2019 GMT<BR />notAfter=Sep 7 14:04:35 2022 GMT<BR />issuer= /CN=kube-ca<BR />d43a9042<BR />kubelet.conf<BR />notBefore=Dec 12 14:04:35 2019 GMT<BR />notAfter=Sep 7 14:04:35 2022 GMT<BR />issuer= /CN=kube-ca<BR />d43a9042<BR />maglev@maglev-master-1:~$ for f in scheduler.conf controller-manager.conf admin.conf kubelet.conf; do echo "$f"; sudo awk -F ":" '/client-certificate-data/ {print $2}' /etc/kubernetes/$f | tr -d ' ' |base64 -d | openssl x509 -noout -dates -issuer -issuer_hash -subject;done<BR />scheduler.conf<BR />notBefore=Dec 12 14:04:35 2019 GMT<BR />notAfter=Feb 16 02:44:33 2023 GMT<BR />issuer= /CN=kube-ca<BR />d43a9042<BR />subject= /CN=system:kube-scheduler<BR />controller-manager.conf<BR />notBefore=Dec 12 14:04:35 2019 GMT<BR />notAfter=Feb 16 02:44:34 2023 GMT<BR />issuer= /CN=kube-ca<BR />d43a9042<BR />subject= /CN=system:kube-controller-manager<BR />admin.conf<BR />notBefore=Dec 12 14:04:35 2019 GMT<BR />notAfter=Feb 16 02:44:33 2023 GMT<BR />issuer= /CN=kube-ca<BR />d43a9042<BR />subject= /O=system:masters/CN=kubernetes-admin<BR />kubelet.conf</P><P>notBefore=Dec 12 14:04:35 2019 GMT<BR />notAfter=Sep 3 02:27:55 2021 GMT<BR />issuer= /CN=kube-ca<BR />d43a9042<BR />subject= /O=system:nodes/CN=system:node:10.1.253.50<BR /><A href="mailto:maglev@maglev-master-1:~$" target="_blank">maglev@maglev-master-1:~$</A></P><P>&nbsp;</P><P>It appears the second kubelet.conf cert may've expired?</P><P>&nbsp;</P><P>I will open a TAC Case. Thank you for having provided these helpful commands.</P><P>&nbsp;</P><P>Terry</P> Wed, 18 May 2022 17:49:46 GMT https://community.cisco.com/t5/cisco-catalyst-center/dna-center-appliance-no-longer-accepting-connections-via-http/m-p/4612544#M5436 zachartl 2022-05-18T17:49:46Z