03-05-2018 01:06 PM - edited 03-01-2019 06:26 PM
We upgraded PI from 3.2 to 3.3. After reboot it fails during "ncs start" with the following error.
Error generating key java.security.KeyStoreException: Could not create new key
Could not generate RSA key for SSL
The launchout.log file shows this:
Starting Health Monitor as a primary
Checking for Port 8082 availability... OK
FQDN for Certificate CN is: *** can't find cisco-prime: no answer
Generating RSA key
I *think* the below function is what is being run internally in PI when it fails.
Generate a public/private key pair and a self-signed certificate
I see the function takes the argument "-dname cn=myserver.mydomain.com" and according to launchout.log the Certificate CN is *** which doesn't match, so I think the function is throwing an error. We ran the command "ncs key listcacerts" which shows nothing.
Unfortunately I don't know enough about PI internals to know if I'm on the right path. Do I need to generate a new certificate, or am I lost on a wild goose chase here?
03-05-2018 10:13 PM
> FQDN for Certificate CN is: *** can't find cisco-prime: no answer
- What I notice is that this sentence does indeed not contain a FQDN but a singlet 'cisco-prime'; is the network setup correct, DNS resolvers etc., and also is a domain specified in the networking setup?
M.
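The check described in the post above, as an added example that is not part of the original thread: a Python sketch that scans launchout.log-style lines for the "FQDN for Certificate CN is:" entry and flags a value that is a lookup error or a single-label name instead of an FQDN. The function names are hypothetical and the sample lines are constructed from the output quoted in this thread.

```python
import re

# Marker taken from the launchout.log excerpt quoted in this thread.
CN_MARKER = "FQDN for Certificate CN is:"

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_cn(value):
    """Return 'ok' or the reason a CN value is unusable as an FQDN."""
    value = value.strip()
    if not value:
        return "empty"
    # The thread's log shows a lookup error string ("*** can't find ...")
    # where the host name should be.
    if value.startswith("***"):
        return "resolver-error"
    labels = value.rstrip(".").split(".")
    if len(value) > 253 or not all(LABEL.match(label) for label in labels):
        return "invalid-hostname"
    if len(labels) < 2:
        return "single-label"
    return "ok"


def check_log(lines):
    """Yield (line_number, cn_value, verdict) for every CN line in the log."""
    for number, line in enumerate(lines, start=1):
        if CN_MARKER in line:
            cn = line.split(CN_MARKER, 1)[1].strip()
            yield number, cn, classify_cn(cn)


# Constructed sample: the first four lines mirror the failing log in this
# thread; the last two are made-up entries added for comparison.
SAMPLE_LOG = """\
Starting Health Monitor as a primary
Checking for Port 8082 availability... OK
FQDN for Certificate CN is: *** can't find cisco-prime: no answer
Generating RSA key
FQDN for Certificate CN is: cisco-prime
FQDN for Certificate CN is: cisco-prime.example.com
""".splitlines()

if __name__ == "__main__":
    for number, cn, verdict in check_log(SAMPLE_LOG):
        print(f"line {number}: {verdict:16} {cn!r}")
```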
03-06-2018 06:03 AM
So I was wondering about that - do you know if PI works like IOS where a domain is required to generate the RSA key? Where is PI looking for the domain (ex. in a local host file, on DNS server, etc.)? How can we view the CN that PI is looking for in the certificate?
03-06-2018 07:14 AM
- A domain is required (indeed) and must be set in the running-config of Prime with the command
ip domain-name cisco-prime.your.domain (e.g.)
As this action was part of the upgrade process, you may well have to try the upgrade again, but correct this first (the above). It may be possible to correct this manually but I am in doubt (check the link below):
M.
03-06-2018 07:53 AM
We do have the "ip domain-name xxx.xxx" command in the start-up configuration.
03-06-2018 10:02 PM
- Check the DNS resolver settings too, and/or were they functional and reachable during the upgrade? If so, try the upgrade again and check whether this problem persists.
M.
03-15-2018 05:41 PM
Hi,
Came across the exact same issue when upgrading PI 3.1 to 3.3
The command 'ncs key listcacerts' did not list anything as well.
I was able to fix this by generating a self-signed key manually before executing 'ncs start' again:
<hostname>/admin# ncs key listcacerts
<hostname>/admin#
<hostname>/admin# ncs key genkey -newdn
Enter the fully qualified domain name of the server: <fqdn>
Enter the name of your organizational unit: <any>
Enter the name of your organization: <any>
Enter the name of your city or locality: <any>
Enter the name of your state or province: <any>
Enter the two letter code for your country: <any>
Do you need Subject Alternative Names in the certificate (yes/no)?: no
Generating RSA key
<hostname>/admin# ncs key listcacerts
<hostname>/admin#
As you can see command 'ncs key listcacerts' still doesn't list anything.
However PI was able to start this time and is now working like a charm.
08-22-2018 07:54 AM
I have the same problem with upgrading from 3.0 to 3.2.
In my case the problem is resolved by generating a self-signed certificate for Cisco Prime before executing the command NCS start.
Thank you.
09-01-2019 12:03 AM
Thanks, it's working for me.