Solved: UCS Express E140D CIMC KVM certificate revoked

michgri · ‎08-29-2013

So I've got a bunch of 2951s with E140D blades in them. I need to install ESXi on them but the stinking KVM (accessed through the CIMC) for every one of them comes up with a certificate revoked error.

I just did this for a bunch of C240 M3s without any problem.

The CIMC firmware version is:

2.1(1.20130726203500)

This appears to be the latest--I just uploaded the latest version and the number matches the existing version.

I haven't opened a TAC case yet; I'm having phone issues and the online form doesn't like my serial numbers. However, I am going to miss a deadline because of this.

Here's the java traceback:

java.security.cert.CertificateRevokedException: Certificate has been revoked, reason: AFFILIATION_CHANGED, revocation date: Thu May 05 14:15:10 EDT 2011, authority: CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US, extensions: {}

at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)

at com.sun.deploy.security.RevocationChecker.check(Unknown Source)

at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)

at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)

at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)

at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)

at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)

at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)

at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)

at com.sun.javaws.Launcher.prepareResources(Unknown Source)

at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)

at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)

at com.sun.javaws.Launcher.launch(Unknown Source)

at com.sun.javaws.Main.launchApp(Unknown Source)

at com.sun.javaws.Main.continueInSecureThread(Unknown Source)

at com.sun.javaws.Main.access$000(Unknown Source)

at com.sun.javaws.Main$1.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

I didn't see anything that looked relevant in the logs.

Bruce Heimlich · ‎08-29-2013

Hi Michael,

It appears that you are hitting a bug for the E-Series: CSCtx85249.

Will you please follow the workaround for

CSCtx85249 Could not launch KVM Java exception Certification has been

revoked

Symptom KVM console fails to launch and displays the following Java

exception error:

Certificate has been revoked

sun.security.validator.ValidatorException: PKIX path validation failed:

java.security.cert.CertPathValidatorException: Certificate has been revoked

Workaround On the client system, disable the Java configuration

parameters from Java control panel do the following:

Step 1 Go to Advanced > Security > General

Step 2 Check certificates for revocation using CRL

Step 3 Enable online certificate validation

If you are using Mac, in addition to changing the Java preferences, you need

to change both CRL and OCSP checking to off

underKeychain>Preferences>Certificates in OSX.

In some scenarios, you would need to do the following if you are a Mac user:

Step 1 Go to Keychain > Certificates. Double-click the associated cisco.com

certificate.

Step 2 Click the Trust right-arrow and select Always Trust from the When

using this certificate dialog box.

Step 3 Restart the browser and connect to the CIMC web

interface.

Please, let me know if this resolves the problem.

Thanks,

-Bruce

View solution in original post

Bruce Heimlich · ‎08-29-2013

Hi Michael,

It appears that you are hitting a bug for the E-Series: CSCtx85249.

Will you please follow the workaround for

CSCtx85249 Could not launch KVM Java exception Certification has been

revoked

Symptom KVM console fails to launch and displays the following Java

exception error:

Certificate has been revoked

sun.security.validator.ValidatorException: PKIX path validation failed:

java.security.cert.CertPathValidatorException: Certificate has been revoked

Workaround On the client system, disable the Java configuration

parameters from Java control panel do the following:

Step 1 Go to Advanced > Security > General

Step 2 Check certificates for revocation using CRL

Step 3 Enable online certificate validation

If you are using Mac, in addition to changing the Java preferences, you need

to change both CRL and OCSP checking to off

underKeychain>Preferences>Certificates in OSX.

In some scenarios, you would need to do the following if you are a Mac user:

Step 1 Go to Keychain > Certificates. Double-click the associated cisco.com

certificate.

Step 2 Click the Trust right-arrow and select Always Trust from the When

using this certificate dialog box.

Step 3 Restart the browser and connect to the CIMC web

interface.

Please, let me know if this resolves the problem.

Thanks,

-Bruce

michgri · ‎08-30-2013

Thanks Bruce! That did the trick.

Bruce Heimlich · ‎08-30-2013

Hi Michael,

Great! I am glad that we were able to resolve this for you.

Thanks.

-Bruce