UCSM: keyring configuration: Failed to copy certstore (rsync failed)

r.heitmann
Level 1

Just noticed a critical error in a client's UCS-Manager.

"[FSM:FAILED]: keyring configuration(FSM:sam:dme:PkiEpUpdateEp). Remote-Invocation-Error: Failed to copy certstore (rsync failed)"

Unluckily, it is not documented in https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ts/faults/reference/ErrMess/UCS_FSMs.html

So I'll try to manually regenerate the default-keyring (which should not be in use) and if this doesn't help...

Since there are no hits at all in Bug-Toolkit and Google - I won't mess around and open an SR at Cisco-TAC.

... but any additional ideas highly appreciated!

4 Replies

r.heitmann
Level 1

update

(a) it is the default-keyring which is affected

(b) regenerating the key-ring with different modulus was successful

Cisco UCS Health-Check-Tool suggested this, too (https://github.com/CiscoDevNet/ucsm_health_check)...

To regenerate the certificate, please SSH to the UCS Manager CLI
(primary / VIP) and run the following commands:
UCS-Primary # scope security
UCS-Primary /security # scope keyring default
UCS-Primary /security/keyring # set regenerate yes
UCS-Primary /security/keyring # set modulus mod2048
UCS-Primary /security/keyring* # commit-buffer
Once you enter the 'commit-buffer' , UCSM GUI will be
disconnected for a while.
Login after few mins to verify the Cert status.

...but it didn't fix the issue

 

 

marce1000
VIP

 

- FYI https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc78620

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Weird, my attempt to use the bug-toolkit didn't bring any hits; the bug you found is obviously exactly matching. Thank you!

So - I don't have to change my plan and go ahead to Cisco TAC.

Cisco TAC (it was exactly the Bug you mentioned) fixed it.

Since the "CID/Cisco Interactive Debug Shell" is required - only Cisco TAC can do this.

So, just if you are curious how it got fixed:

chmod 644 to /opt/certstore/privKey.pem

This happens only to UCSM 4.2(2a) - which was the suggested release some time ago, but might have been upgraded at most installations...

But anyway: Cisco TAC can help
