Cisco aci leaf : check ssl certificate start date is in future date

ayoubas
Level 1

Hello Cisco community,

I'm trying to discover a leaf but I got an error in the last check, which is ssl certificate:
Validity failed : certificate check start date in the future Cisco

When I checked the date on the leaf, it was not the right date. I tried to update the date on the leaf via bash and vsh using the commands:

clock set ........

date -s "..........*

And I tried to do it in the loader, but it didn't work.

Is there any workaround to resolve this issue?

BR,

3 Replies

AshSe
VIP

Hello @ayoubas 

The issue you're encountering is related to the SSL certificate validation failing because the date on the leaf switch is incorrect. This can happen if the system clock on the device is not synchronized properly. Since you've already tried setting the date manually using clock set and date -s, and it didn't work, here are some additional steps and workarounds you can try:

1. Configure NTP via the APIC

The proper way to ensure the correct time on ACI leaf switches is to configure an NTP server in the APIC. This will propagate the correct time to all fabric nodes, including leaf switches.

Steps:

  1. Log in to the APIC GUI:

    • Open the APIC web interface in your browser.
  2. Navigate to the NTP Policy:

    • Go to Admin > Fabric Policies > Pod Policies > Policies > NTP Policy.
  3. Create or Edit an NTP Policy:

    • Click + to create a new NTP policy or edit an existing one.
    • Add the IP address or hostname of a reliable NTP server (e.g., pool.ntp.org or your organization's NTP server).
    • Save the policy.
  4. Associate the NTP Policy with the Fabric:

    • Navigate to Admin > Fabric Policies > Pod Policies > Pod Profile.
    • Select the pod profile for your fabric.
    • Under the NTP Policy section, select the NTP policy you just created.
  5. Verify NTP Synchronization:

    • Log in to the APIC CLI or leaf switch CLI and run:
      show ntp
    • Ensure the leaf switch is synchronized with the NTP server.

2. Manually Set the Date in the Loader (if NTP is not an option)

If NTP is not available and you cannot configure it via the APIC, you can try setting the date and time in the loader mode. This is a low-level method that can be used when the system clock is significantly out of sync.

Steps:

  1. Reboot the Leaf Switch:

    • During the boot process, interrupt the boot sequence to enter the loader prompt.
  2. Set the Date and Time in the Loader:

    • Use the following command to set the date and time:
      date MMDDhhmmYYYY
      For example, to set the date to February 20, 2025, at 10:30 AM:
      date 022010302025
  3. Boot the System:

    • After setting the date, continue the boot process.
  4. Verify the Date:

    • Once the system is up, log in and verify the date:
      show clock

3. Temporarily Disable SSL Certificate Validation

If you urgently need to proceed with the discovery process and cannot fix the date issue immediately, you can temporarily disable SSL certificate validation. This is not recommended for production environments but can be used as a temporary workaround.

Steps:

  1. Check the discovery tool or process you're using (e.g., Cisco APIC, ACI, etc.).

  2. Look for an option to disable SSL certificate validation (e.g., a checkbox or a command-line flag like --insecure or --no-check-certificate).

  3. Proceed with the discovery process.

  4. Once the discovery is complete, re-enable SSL certificate validation and fix the date issue to avoid future problems.


4. Check for Hardware Clock Issues

If the date and time are not being retained or cannot be set, there may be an issue with the hardware clock (RTC - Real-Time Clock) on the leaf switch.

Steps:

  1. Check the Hardware Clock:

    • Log in to the leaf switch CLI and run:
      show clock detail
      This will show whether the hardware clock is synchronized with the system clock.
  2. Synchronize the Hardware Clock:

    • If the hardware clock is out of sync, you can try synchronizing it with the system clock:
      clock update-calendar
  3. Verify the Date and Time:

    • Check the current date and time:
      show clock

5. Check for Software or Firmware Issues

If none of the above methods work, there may be a software or firmware issue causing the clock to malfunction. Check the following:

  1. Verify the Software Version:

    • Check the current software version running on the leaf switch:
      show version
    • Compare it with the latest version available on Cisco's support site.
  2. Upgrade the Software:

    • If you're running an outdated version, consider upgrading to the latest stable release.

Check for Known Bugs:

  • Search Cisco's bug tracker for any known issues related to the clock or SSL certificate validation.

Hope This Helps!!!

AshSe

Forum Tips: 

  1. Insert photos/images inline - don't attach.
  2. Always mark helpful and correct answers, it helps others find what they need.
  3. For a prompt reply, kindly tag @name. An email will be automatically sent to the member.
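The "start date in the future" error above is a clock problem, not a certificate problem: the leaf compares the certificate's notBefore/notAfter window against its own (wrong) clock. The following added example, which is not from this thread and not Cisco code, shows that comparison in plain Python using only the standard library. The validity window and the clock values are constructed for illustration; the point is that the same certificate passes against a trusted reference clock and fails against a skewed device clock, which is why fixing time (NTP, loader date, RTC) is the right remedy and disabling validation is not.

```python
import ssl
from datetime import datetime, timezone

# Constructed validity window for an illustrative fabric-node certificate,
# written in the same text format OpenSSL prints for notBefore/notAfter.
# These dates are assumptions for the example, not values from the thread.
CERT_NOT_BEFORE = "Feb 20 10:30:00 2025 GMT"
CERT_NOT_AFTER = "Feb 20 10:30:00 2035 GMT"


def _to_utc_timestamp(iso_clock: str) -> float:
    """Parse an ISO-8601 clock reading such as '2020-01-01T00:00:00+00:00'.

    A reading without a timezone is treated as UTC, matching the GMT
    timestamps carried in the certificate strings.
    """
    dt = datetime.fromisoformat(iso_clock)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def check_validity_window(not_before: str, not_after: str, clock_iso: str) -> str:
    """Classify a certificate against the clock a validator believes is 'now'.

    Returns 'not_yet_valid' (the 'start date in the future' case),
    'expired', or 'ok'. ssl.cert_time_to_seconds parses the GMT strings.
    """
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    now = _to_utc_timestamp(clock_iso)
    if now < start:
        return "not_yet_valid"
    if now > end:
        return "expired"
    return "ok"


def clock_skew_seconds(device_clock_iso: str, reference_clock_iso: str) -> float:
    """Signed skew between the device clock and a trusted reference (NTP, APIC).

    Negative means the device clock is behind real time, which is the usual
    cause of 'start date in the future' after an RTC reset.
    """
    return _to_utc_timestamp(device_clock_iso) - _to_utc_timestamp(reference_clock_iso)


def diagnose(device_clock_iso: str, reference_clock_iso: str,
             not_before: str = CERT_NOT_BEFORE, not_after: str = CERT_NOT_AFTER) -> dict:
    """Decide whether a failed validity check is caused by the device clock.

    If the certificate is 'ok' against the reference clock but not against the
    device clock, the clock is at fault and time must be corrected. If it fails
    against both, the certificate itself is outside its window.
    """
    on_device = check_validity_window(not_before, not_after, device_clock_iso)
    on_reference = check_validity_window(not_before, not_after, reference_clock_iso)
    if on_device == "ok":
        cause = None
    elif on_reference == "ok":
        cause = "device_clock"
    else:
        cause = "certificate"
    return {
        "device_result": on_device,
        "reference_result": on_reference,
        "skew_seconds": clock_skew_seconds(device_clock_iso, reference_clock_iso),
        "cause": cause,
    }


if __name__ == "__main__":
    # Constructed scenario: the leaf's RTC lost time and reads 2010, while a
    # trusted reference clock says it is 2026 (both are assumptions).
    report = diagnose("2010-01-01T00:00:00+00:00", "2026-03-01T12:00:00+00:00")
    print(report)
```

Running the block prints a report whose device_result is "not_yet_valid" and whose cause is "device_clock", with a skew of roughly sixteen years; replacing the device clock with the reference clock turns the result into "ok" without any change to the certificate.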

Hello AshSe,

Thank you for your response.

This is a lab environment, and I don't have an NTP server available. All the commands you shared—whether in the loader, bash, or vsh—didn't work. I am using a virtual APIC running version 6.0(3e) on both the APIC and the Leaf.

Best regards,

AshSe
VIP

Hello @ayoubas 

Try to set the date and time in the APIC GUI using:

  • System > System Settings > Date and Time

Good wishes!
