cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1611
Views
5
Helpful
2
Comments
Emmanuel Tychon
Cisco Employee
Cisco Employee

Symptoms

EFM broker connection to upstream EFM server is failing. You have confirmed that the IP connectivity to the destination port number (tcp/443 by default) is open, yet the connection does not establish from the EFM broker to the EFM server.

You have verified that both the broker and the server have their time synchronized.

Diagnosis

Upon log inspection you can see a message "Verification of certificate failed" and "X509 verification result: certificate has expired and depth 0". It might be that when the certificate was created your system time was not correct.

Solution

Log in to EFM server as user "efm", and enter the directory where the EFM server SSL certificate is stored:

 

cd /etc/cisco/kinetic/ssl/efm-server

 

Before generating new certificates, makes sure this is indeed the issue. Check your current certificate expiration date with:

openssl x509 -in selfsigned.cert -text | grep Not

 

First we need to generate a new server key, remember the passphrase used to encrypt that key:

openssl genrsa -des3 -out server.pass.key 2048

 

Remove the passphrase from that key:

openssl rsa -in server.pass.key -out selfsigned.key

 

Create a Certificate Signing Request:

openssl req -new -key selfsigned.key -out selfsigned.csr

 

Generate a new certificate using the CSR and key:

openssl x509 -req -sha256 -days 365 -in selfsigned.csr -signkey selfsigned.key -out selfsigned.cert

 

Check if your key is valid:

openssl rsa -in selfsigned.key -check

 

Check if your certificate is valid (pay attention to dates):

openssl x509 -in selfsigned.cert -text

 

Additional notes:

 

The dglux server (the Dart server) needs the certificate at (citing the default configuration in server.json)

 

 "certName": "/etc/cisco/kinetic/ssl/efm-server/selfsigned.cert",
 "certKeyName": "/etc/cisco/kinetic/ssl/efm-server/selfsigned.key",

 

From 1.6 on the connection should be made via the EFM manager (openresty). This has the certificates configured in file "/usr/local/openresty/nginx/conf/conf.d/efm-manager.conf" which contains:

 

  ssl_certificate /etc/cisco/kinetic/ssl/efm-manager/nginx-selfsigned.crt;
  ssl_certificate_key /etc/cisco/kinetic/ssl/efm-manager/nginx-selfsigned.key;

 

You may need to restart EFM server and broker to wipe out any remains of a previous cached certificate.

 

Comments
Thank you for clarifying the problem
cd /etc/cisco/kinetic/ssl/efm-server
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links