topic Re: SSL certificate verify error: Peer certificate verification failed in Network Security

SSL certificate verify error: Peer certificate verification failed

johnlloyd_13 — Fri, 25 Mar 2022 13:33:16 GMT

hi,

i'm seeing this a lot in our NCS 540 router logs which shows SSL certificate error.

i don't see any issue with smart license as everything shows as 'authorized' and router can reach SCH cloud server.

i also don't use any SSL/TLS cert or PKI. is this normal or some kind of bug?

any other useful 'show' commands i could use or is this something needs to be raised to TAC?

RP/0/RP0/CPU0:Mar 25 05:54:38.382 UTC: http_client[208]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR_2_PARAM : SSL certificate verify error: Peer certificate verification failed - no trusted cert 'Crypto Engine' detected the 'warning' condition 'Invalid trustpoint or trustpoint not exist'

RP/0/RP0/CPU0:Mar 25 05:54:40.802 UTC: http_client[208]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR_2_PARAM : SSL certificate verify error: Peer certificate verification failed - no trusted cert 'Crypto Engine' detected the 'warning' condition 'Invalid trustpoint or trustpoint not exist'

RP/0/RP0/CPU0:Mar 25 05:54:53.199 UTC: http_client[208]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR_2_PARAM : SSL certificate verify error: Peer certificate verification failed - no trusted cert 'Crypto Engine' detected the 'warning' condition 'Invalid trustpoint or trustpoint not exist'

-----

RP/0/RP0/CPU0:NCS540#sh license status

Fri Mar 25 06:07:06.103 UTC

Smart Licensing is ENABLED

Utility:

Status: DISABLED

Data Privacy:

Sending Hostname: yes

Callhome hostname privacy: DISABLED

Smart Licensing hostname privacy: DISABLED

Version privacy: DISABLED

Transport:

Type: Callhome

Registration:

Status: REGISTERED

Smart Account: MY_ACCOUNT

Virtual Account: MY_VA

Export-Controlled Functionality: ALLOWED

Initial Registration: SUCCEEDED on Dec 22 2021 02:22:09 UTC

Last Renewal Attempt: None

Next Renewal Attempt: Jun 20 2022 02:22:10 UTC

Registration Expires: Dec 22 2022 02:17:06 UTC

License Authorization:

Status: AUTHORIZED on Mar 25 2022 06:06:51 UTC

Last Communication Attempt: PENDING on Mar 25 2022 06:06:51 UTC

Failure reason: Waiting for reply

Next Communication Attempt: Mar 26 2022 05:10:04 UTC

Communication Deadline: May 04 2022 06:53:46 UTC

Export Authorization Key:

Features Authorized:

<none>

Miscellaneus:

Custom Id: <empty>

-----

RP/0/RP0/CPU0:NCS540#ping vrf Mgmt-intf tools.cisco.com

Fri Mar 25 06:04:44.403 UTC

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 72.163.4.38, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 102/102/103 ms

RP/0/RP0/CPU0:NCS540#telnet vrf Mgmt-intf tools.cisco.com 80 source-interface MgmtEth0/RP0/CPU0/0

Trying tools.cisco.com(2001:420:1101:5::a)...

Use specified source interface(MgmtEth0_RP0_CPU0_0).

Global address not present, using link local address as source address

Not able to get link local addressCan't use MgmtEth0_RP0_CPU0_0 as source interface for IPv6.

Trying tools.cisco.com(173.37.145.8)...

Use specified source interface(MgmtEth0_RP0_CPU0_0).

Use 10.10.4.1 as local address.

Connected to tools.cisco.com.

Re: SSL certificate verify error: Peer certificate verification failed

balaji.bandi — Fri, 25 Mar 2022 13:58:50 GMT

Logs are genreated before time, but Register time show after that time, so i am thinking the device is registered ? or still issue.

how does your call home config look like :

source-interface XXXXXXX (if you using VRF interface ?)

also try :

(config)# crypto ca trustpool policy  
(config-trustpool)#crl optional

Re: SSL certificate verify error: Peer certificate verification failed

Marvin Rhoads — Fri, 25 Mar 2022 17:17:39 GMT

You might be affected by this field notice:

https://www.cisco.com/c/en/us/support/docs/field-notices/723/fn72323.html

You can add the new certificate as noted in the FN in order to resolve that potential issue.

Re: SSL certificate verify error: Peer certificate verification failed

johnlloyd_13 — Sat, 26 Mar 2022 01:29:21 GMT

hi balaji,

the device is REGISTERED per my initial post.

the call home config has the 'source-interface' and i can ping and telnet to SCH again per my initial post.

RP/0/RP0/CPU0:NCS540#sh run | b crypto ca

Fri Mar 25 07:01:41.650 UTC

Building configuration...

crypto ca trustpoint Trustpool

crl optional

RP/0/RP0/CPU0:NCS540#sh run call-home

Fri Mar 25 05:56:11.052 UTC

call-home

vrf Mgmt-intf

service active

contact smart-licensing

source-interface MgmtEth0/RP0/CPU0/0

profile CiscoTAC-1

active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination transport-method http

Re: SSL certificate verify error: Peer certificate verification failed

johnlloyd_13 — Sat, 26 Mar 2022 01:33:34 GMT

hi marvin,

thanks for this info! it's like the same bug i found on the expired cert:

https://bst.cisco.com/quickview/bug/CSCvx00476

will try to apply the work around. i'm just waiting and confirm TAC's response.