PI fails after upgrade to 3.3 with error "Error generating key java.security.KeyStoreException: Could not create new key Could not generate RSA key for SSL"

esa_fresa
Level 1

We upgraded PI from 3.2 to 3.3. After reboot it fails during "ncs start" with the following error.

Error generating key java.security.KeyStoreException: Could not create new key 
Could not generate RSA key for SSL

The launchout.log file shows this:

Starting Health Monitor as a primary
Checking for Port 8082 availability... OK
FQDN for Certificate CN is: *** can't find cisco-prime: no answer
Generating RSA key

I *think* the below function is what is being run internally in PI when it fails.

Generate a public/private key pair and a self-signed certificate

I see the function takes the argument "-dname cn=myserver.mydomain.com" and according to launchout.log the Certificate CN is *** which doesn't match, so I think the function is throwing an error. We ran the command "ncs key listcacerts" which shows nothing.

Unfortunately I don't know enough about PI internals to know if I'm on the right path. Do I need to generate a new certificate, or am I lost on a wild goose chase here?

1 Accepted Solution

Accepted Solutions

bart.t
Level 1

Hi,


Came across the exact same issue when upgrading PI 3.1 to 3.3.

The command 'ncs key listcacerts' did not list anything either.

I was able to fix this by generating a self-signed key manually before executing 'ncs start' again:

<hostname>/admin# ncs key listcacerts 
<hostname>/admin#
<hostname>/admin# ncs key genkey -newdn 
Enter the fully qualified domain name of the server: <fqdn>
Enter the name of your organizational unit: <any>  
Enter the name of your organization: <any> 
Enter the name of your city or locality: <any> 
Enter the name of your state or province: <any> 
Enter the two letter code for your country: <any> 
Do you need Subject Alternative Names in the certificate (yes/no)?: no
Generating RSA key
<hostname>/admin# ncs key listcacerts 
<hostname>/admin#

 

As you can see, the command 'ncs key listcacerts' still doesn't list anything.

 

However, PI was able to start this time and is now working like a charm.

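As an added example (not from the thread, and not Cisco's code): a small Python pre-flight check that parses the launchout.log line quoted in the question, classifies the CN value PI derived (resolver error text, bare short hostname, or a proper FQDN), and verifies that the FQDN you intend to give 'ncs key genkey -newdn' is well-formed and resolvable from an admin workstation before you run it. The sample log text is constructed from the lines quoted above; the PI keystore itself is not touched.

```python
import re
import socket

# Constructed sample of the launchout.log lines quoted in the question (not a real capture).
SAMPLE_LOG = """Starting Health Monitor as a primary
Checking for Port 8082 availability... OK
FQDN for Certificate CN is: *** can't find cisco-prime: no answer
Generating RSA key
"""

# RFC 1123 hostname label; an FQDN for a certificate CN needs at least two labels.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")


def extract_certificate_cn(log_text):
    """Return the value PI logged as the certificate CN, or None if the line is absent."""
    m = re.search(r"^FQDN for Certificate CN is:\s*(.*)$", log_text, re.MULTILINE)
    return m.group(1).strip() if m else None


def is_valid_fqdn(name):
    """True only for a well-formed multi-label hostname (never for resolver error text)."""
    return bool(name) and len(name) <= 253 and _FQDN_RE.match(name) is not None


def diagnose(log_text):
    """Classify the CN PI derived: 'ok', 'resolver-error', 'short-hostname' or 'missing'."""
    cn = extract_certificate_cn(log_text)
    if cn is None:
        return "missing"
    if "can't find" in cn or "no answer" in cn or cn.startswith("***"):
        return "resolver-error"   # nslookup-style failure text leaked into the CN
    if "." not in cn:
        return "short-hostname"   # no domain suffix: ip domain-name not applied
    return "ok" if is_valid_fqdn(cn) else "resolver-error"


def preflight(fqdn):
    """Run before 'ncs key genkey -newdn': the FQDN must be well-formed and resolvable,
    otherwise PI will again derive an unusable CN for the self-signed certificate."""
    if not is_valid_fqdn(fqdn):
        return False
    try:
        socket.getaddrinfo(fqdn, 443)   # any forward record is enough for this check
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    print("launchout.log verdict:", diagnose(SAMPLE_LOG))
```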

8 Replies

marce1000
VIP

> FQDN for Certificate CN is: *** can't find cisco-prime: no answer

 - What I notice is that this sentence does indeed not contain a FQDN but a single label 'cisco-prime'; is the network setup correct, DNS resolvers etc., and also is a domain specified in the networking setup?

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

So I was wondering about that. Do you know if PI works like IOS, where a domain is required to generate the RSA key? Where is PI looking for the domain (e.g. in a local hosts file, on a DNS server, etc.)? How can we view the CN that PI is looking for in the certificate?

 

 - A domain is required (indeed) and must be set in the running-config of Prime with the command

ip domain-name cisco-prime.your.domain (e.g.)

  As this action was part of the upgrade process, you may well have to try the upgrade again, but correct this first (the above). It may be possible to correct this manually, but I am in doubt (check the link below):

https://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-2/admin/guide/bk_CiscoPrimeInfastructure_3_2_AdminGuide/bk_CiscoPrimeInfastructure_3_2_AdminGuide_chapter_011.html#task_1157368

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

We do have the "ip domain-name xxx.xxx" command in the start-up configuration.

 

 - Check the DNS resolver settings too, and/or were they functional and reachable during the upgrade? If so, try the upgrade again and check whether this problem persists.

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '


I have the same problem when upgrading from 3.0 to 3.2.

In my case the problem was resolved by generating the self-signed certificate of Cisco Prime before executing the command NCS start.

Thank you.

Thanks, it's working for me.
