03-25-2022 06:33 AM
Hi,
I'm seeing this a lot in our NCS 540 router logs, which show an SSL certificate error.
I don't see any issue with smart license as everything shows as 'authorized' and the router can reach the SCH cloud server.
I also don't use any SSL/TLS cert or PKI. Is this normal or some kind of bug?
Any other useful 'show' commands I could use, or is this something that needs to be raised to TAC?
RP/0/RP0/CPU0:Mar 25 05:54:38.382 UTC: http_client[208]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR_2_PARAM : SSL certificate verify error: Peer certificate verification failed - no trusted cert 'Crypto Engine' detected the 'warning' condition 'Invalid trustpoint or trustpoint not exist'
RP/0/RP0/CPU0:Mar 25 05:54:40.802 UTC: http_client[208]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR_2_PARAM : SSL certificate verify error: Peer certificate verification failed - no trusted cert 'Crypto Engine' detected the 'warning' condition 'Invalid trustpoint or trustpoint not exist'
RP/0/RP0/CPU0:Mar 25 05:54:53.199 UTC: http_client[208]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR_2_PARAM : SSL certificate verify error: Peer certificate verification failed - no trusted cert 'Crypto Engine' detected the 'warning' condition 'Invalid trustpoint or trustpoint not exist'
-----
RP/0/RP0/CPU0:NCS540#sh license status
Fri Mar 25 06:07:06.103 UTC
Smart Licensing is ENABLED
Utility:
Status: DISABLED
Data Privacy:
Sending Hostname: yes
Callhome hostname privacy: DISABLED
Smart Licensing hostname privacy: DISABLED
Version privacy: DISABLED
Transport:
Type: Callhome
Registration:
Status: REGISTERED
Smart Account: MY_ACCOUNT
Virtual Account: MY_VA
Export-Controlled Functionality: ALLOWED
Initial Registration: SUCCEEDED on Dec 22 2021 02:22:09 UTC
Last Renewal Attempt: None
Next Renewal Attempt: Jun 20 2022 02:22:10 UTC
Registration Expires: Dec 22 2022 02:17:06 UTC
License Authorization:
Status: AUTHORIZED on Mar 25 2022 06:06:51 UTC
Last Communication Attempt: PENDING on Mar 25 2022 06:06:51 UTC
Failure reason: Waiting for reply
Next Communication Attempt: Mar 26 2022 05:10:04 UTC
Communication Deadline: May 04 2022 06:53:46 UTC
Export Authorization Key:
Features Authorized:
<none>
Miscellaneus:
Custom Id: <empty>
-----
RP/0/RP0/CPU0:NCS540#ping vrf Mgmt-intf tools.cisco.com
Fri Mar 25 06:04:44.403 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.163.4.38, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 102/102/103 ms
RP/0/RP0/CPU0:NCS540#telnet vrf Mgmt-intf tools.cisco.com 80 source-interface MgmtEth0/RP0/CPU0/0
Trying tools.cisco.com(2001:420:1101:5::a)...
Use specified source interface(MgmtEth0_RP0_CPU0_0).
Global address not present, using link local address as source address
Not able to get link local addressCan't use MgmtEth0_RP0_CPU0_0 as source interface for IPv6.
Trying tools.cisco.com(173.37.145.8)...
Use specified source interface(MgmtEth0_RP0_CPU0_0).
Use 10.10.4.1 as local address.
Connected to tools.cisco.com.
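As an added example (not code from the original post or from Cisco), a small Python parser for the IOS XR syslog records quoted above: it pulls out node, timestamp, process, facility, severity, mnemonic and the quoted 'condition' text, and flags a burst of peer-certificate verification failures from http_client so the failing call-home TLS session is visible before the communication deadline, rather than hidden behind an 'AUTHORIZED' license state. The fourth sample line, the window and the threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# IOS XR record shape: node:timestamp tz: process[pid]: %FACILITY-SEV-MNEMONIC : text
# The facility may itself contain hyphens (SECURITY-XR_SSL), so it is matched as
# dash-joined uppercase words that stop at the single-digit severity.
XR_SYSLOG = re.compile(
    r"^(?P<node>RP/\d+/RP\d+/CPU\d+):"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[A-Z]+): "
    r"(?P<proc>\S+?)\[(?P<pid>\d+)\]: "
    r"%(?P<facility>[A-Z_]+(?:-[A-Z_]+)*)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+) : "
    r"(?P<msg>.*)$"
)
CONDITION = re.compile(r"condition '([^']*)'\s*$")  # trailing quoted condition text

def parse_line(line):
    """Return the record's fields as a dict, or None for non-XR-syslog input."""
    m = XR_SYSLOG.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S.%f")  # XR omits the year
    c = CONDITION.search(rec["msg"])
    rec["condition"] = c.group(1) if c else None
    return rec

def cert_verify_failures(lines, proc="http_client"):
    """Peer-certificate verification failures raised by `proc` (default: call-home client)."""
    return [r for r in map(parse_line, lines)
            if r and r["proc"] == proc and r["mnemonic"].startswith("CERT_VERIFY_ERR")]

def repeated_failures(lines, window=timedelta(minutes=5), threshold=3):
    """True when `threshold` or more failures land inside any `window`: every
    call-home attempt is failing TLS even though the license state still reads
    AUTHORIZED, which only changes once the communication deadline passes."""
    times = sorted(r["time"] for r in cert_verify_failures(lines))
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))

# Constructed sample: the three lines quoted in the post plus one unrelated record.
SAMPLE_LOG = [
    "RP/0/RP0/CPU0:Mar 25 05:54:38.382 UTC: http_client[208]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR_2_PARAM : SSL certificate verify error: Peer certificate verification failed - no trusted cert 'Crypto Engine' detected the 'warning' condition 'Invalid trustpoint or trustpoint not exist'",
    "RP/0/RP0/CPU0:Mar 25 05:54:40.802 UTC: http_client[208]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR_2_PARAM : SSL certificate verify error: Peer certificate verification failed - no trusted cert 'Crypto Engine' detected the 'warning' condition 'Invalid trustpoint or trustpoint not exist'",
    "RP/0/RP0/CPU0:Mar 25 05:54:53.199 UTC: http_client[208]: %SECURITY-XR_SSL-3-CERT_VERIFY_ERR_2_PARAM : SSL certificate verify error: Peer certificate verification failed - no trusted cert 'Crypto Engine' detected the 'warning' condition 'Invalid trustpoint or trustpoint not exist'",
    "RP/0/RP0/CPU0:Mar 25 05:55:01.000 UTC: ifmgr[230]: %PKT_INFRA-LINK-3-UPDOWN : Interface MgmtEth0/RP0/CPU0/0, changed state to Up",
]
```

Run `repeated_failures(SAMPLE_LOG)` against a tailed log to alert on the burst; `cert_verify_failures` gives the individual records with the extracted condition for the ticket.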
03-25-2022 06:58 AM
Logs are generated before that time, but the registration time shows after that time, so I am thinking the device is registered? Or is there still an issue?
What does your call-home config look like?
source-interface XXXXXXX (if you are using a VRF interface?)
Also try:
(config)# crypto ca trustpool policy
(config-trustpool)#crl optional
03-25-2022 06:29 PM
Hi Balaji,
The device is REGISTERED per my initial post.
The call-home config has the 'source-interface', and I can ping and telnet to SCH, again per my initial post.
RP/0/RP0/CPU0:NCS540#sh run | b crypto ca
Fri Mar 25 07:01:41.650 UTC
Building configuration...
crypto ca trustpoint Trustpool
crl optional
!
RP/0/RP0/CPU0:NCS540#sh run call-home
Fri Mar 25 05:56:11.052 UTC
call-home
vrf Mgmt-intf
service active
contact smart-licensing
source-interface MgmtEth0/RP0/CPU0/0
profile CiscoTAC-1
active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
!
03-25-2022 10:17 AM
You might be affected by this field notice:
https://www.cisco.com/c/en/us/support/docs/field-notices/723/fn72323.html
You can add the new certificate as noted in the FN in order to resolve that potential issue.
03-25-2022 06:33 PM
Hi Marvin,
Thanks for this info! It looks like the same bug I found on the expired cert:
https://bst.cisco.com/quickview/bug/CSCvx00476
Will try to apply the workaround. I'm just waiting to confirm TAC's response.