09-10-2021 11:18 AM
Running IOS XR 6.4.2, received this cryptic message in my logs today from both RSPs:
RP/0/RSP0/CPU0:Sep 10 14:01:16.082 EDT: cepki[162]: %SECURITY-PKI-6-ERR_1_PARAM : CA certificate to be expired in 480 days
RP/0/RSP1/CPU0:Sep 10 14:11:34.982 EDT: cepki[162]: %SECURITY-PKI-6-ERR_1_PARAM : CA certificate to be expired in 480 days
Is this something to be concerned about? I couldn't find any information online regarding this error and we don't have any crypto settings in our IOS-XR configs.
09-11-2021 07:57 PM
Hi,
Could you please share the output of the CLI below? I will have a quick look.
show crypto ca trustpool detail
09-11-2021 08:02 PM
#show crypto ca trustpool detail
Sat Sep 11 22:58:32.248 EDT
Trustpool: Built-In
==================================================
CA certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5f:f8:7b:28:2b:54:dc:8d:42:a3:15:b5:68:c9:ad:ff
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Cisco Root CA 2048,O=Cisco Systems
        Validity
            Not Before: May 14 20:17:12 2004 GMT
            Not After : May 14 20:25:42 2029 GMT
        Subject: CN=Cisco Root CA 2048,O=Cisco Systems
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b0:9a:b9:ab:a7:af:0a:77:a7:e2:71:b6:b4:66:
                    62:94:78:88:47:c6:62:55:84:40:32:bf:c0:ab:2e:
                    a5:1c:71:d6:bc:6e:7b:a8:aa:ba:6e:d2:15:88:48:
                    45:9d:a2:fc:83:d0:cc:b9:8c:e0:26:68:70:4a:78:
                    df:21:17:9e:f4:61:05:c9:15:c8:cf:16:da:35:61:
                    89:94:43:a8:84:a8:31:98:78:9b:b9:4e:6f:2c:53:
                    12:6c:cd:1d:ad:2b:24:bb:31:c4:2b:ff:83:44:6f:
                    b6:3d:24:77:09:ea:bf:2a:a8:1f:6a:56:f6:20:0f:
                    11:54:97:81:75:a7:25:ce:59:6a:82:65:ef:b7:ea:
                    e7:e2:8d:75:8b:6e:f2:dd:4f:a6:5e:62:9c:cf:10:
                    0a:64:d0:4e:6d:ce:2b:cc:5b:f5:60:a5:27:47:8d:
                    69:f4:7f:ce:1b:70:de:70:1b:20:d6:6e:cd:a6:01:
                    a8:3c:12:d2:a9:3f:a0:6b:5e:bb:8e:20:8b:7a:91:
                    e3:b5:68:ee:a0:e7:c4:01:74:a8:53:0b:2b:4a:9a:
                    0f:65:12:0e:82:4d:8e:63:fd:ef:eb:9b:1a:db:53:
                    a6:13:60:af:c2:7d:d7:c7:6c:17:25:d4:73:fb:47:
                    64:50:81:80:94:4c:e1:bf:ae:4b:1c:df:92:ed:2e:
                    05:df
                Exponent: 3 (0x3)
        X509v3 extensions:
            X509v3 Key Usage: Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical CA:TRUE
            X509v3 Subject Key Identifier: 27:F3:C8:15:1E:6E:9A:02:09:16:AD:2B:A0:89:60:5F:DA:7B:2F:AA
            1.3.6.1.4.1.311.21.1: ...
    Signature Algorithm: sha1WithRSAEncryption
         9d:9d:84:84:a3:41:a9:7c:77:0c:b7:53:ca:4e:44:50:62:ef:
         54:7c:d3:75:17:1c:e8:e0:c6:48:4b:b6:fe:4c:3a:19:81:56:
         b0:56:ee:19:96:62:aa:5a:a3:64:c1:f6:4e:54:33:c6:77:fe:
         c5:1c:ba:e5:5d:25:ca:f5:f0:93:9a:83:11:2e:e6:cb:f8:74:
         45:fe:e7:05:b8:ab:e7:df:cb:4b:e1:37:84:da:b9:8b:97:70:
         1e:f0:e2:8b:d7:b0:d8:0e:9d:b1:69:d6:2a:91:7b:a9:49:4f:
         7e:e6:8e:95:d8:83:27:3c:d5:68:49:0e:d4:9d:f6:2e:eb:a7:
         be:eb:30:a4:ac:1f:44:fc:95:ab:33:06:fb:7d:60:0a:de:b4:
         8a:63:b0:9c:a9:f2:a4:b9:53:01:87:d0:68:a4:27:7f:ab:ff:
         e9:fa:c9:40:38:88:67:b4:39:c6:84:6f:57:c9:53:db:ba:8e:
         ee:c0:43:b2:f8:09:83:6e:ff:66:cf:3e:ef:17:b3:58:18:25:
         09:34:5e:e3:cb:d6:14:b6:ec:f2:92:6f:74:e4:2f:81:2a:d5:
         92:91:e0:e0:97:3c:32:68:05:85:4b:d1:f7:57:e2:52:1d:93:
         1a:54:9f:05:70:c0:4a:71:60:1e:43:0b:60:1e:fe:a3:ce:81:
         19:e1:0b:35
SHA1 Fingerprint: DE990CED99E0431F60EDC3937E7CD5BF0ED9E5FA

Trustpool: Built-In
==================================================
CA certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2e:d2:0e:73:47:d3:33:83:4b:4f:dd:0d:d7:b6:96:7e
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Cisco Root CA M1,O=Cisco
        Validity
            Not Before: Nov 18 21:50:24 2008 GMT
            Not After : Nov 18 21:59:46 2033 GMT
        Subject: CN=Cisco Root CA M1,O=Cisco
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9a:41:dc:19:dd:49:6a:90:5b:0f:91:d4:68:fd:
                    6e:58:94:5e:72:33:75:b0:a8:ba:47:e6:aa:2d:ff:
                    ca:b2:ed:26:b3:23:0f:7f:ab:28:9a:73:48:e8:b0:
                    32:45:48:84:d3:a3:e6:7e:ad:10:85:91:cf:bf:ca:
                    d5:8c:a2:73:09:b6:13:11:6e:85:c1:8a:73:d9:77:
                    e3:5b:6c:c3:a1:a1:b2:39:c5:f5:14:17:de:77:c2:
                    23:ad:df:9d:1b:07:06:b7:1e:f1:ee:4a:fd:7c:b3:
                    50:50:17:ec:0e:6a:fe:43:bb:31:e6:d5:97:d4:8a:
                    97:57:09:f3:87:5b:71:fd:84:4d:2a:d6:99:69:7d:
                    03:77:2e:2a:1c:f8:5b:e4:55:f5:af:86:0c:7c:00:
                    ee:e0:88:30:dd:18:d2:f0:a0:90:d8:5c:00:63:df:
                    cf:b2:b3:db:c9:09:e1:2a:c8:7c:3d:bc:35:7b:09:
                    e9:70:9e:84:a7:50:55:60:84:32:09:63:95:76:35:
                    4b:6d:6e:12:8e:97:6c:d2:e8:20:c6:ce:14:53:f5:
                    50:8c:69:a0:ad:a8:35:3c:82:85:5a:87:16:a0:81:
                    93:cd:a4:c7:92:23:70:2f:45:58:88:3d:e2:06:0b:
                    81:53:90:01:86:c3:e4:95:4a:e3:eb:19:34:1d:ab:
                    bc:0f
                Exponent: 3 (0x3)
        X509v3 extensions:
            X509v3 Key Usage: Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical CA:TRUE
            X509v3 Subject Key Identifier: A6:03:1D:7F:CA:BD:B2:91:40:C6:CB:82:36:1F:6B:98:8F:DD:BC:29
            1.3.6.1.4.1.311.21.1: ...
    Signature Algorithm: sha1WithRSAEncryption
         7e:6d:7e:61:1e:da:01:9e:9f:38:61:bd:e7:5f:82:e9:5c:7f:
         bc:e1:1d:6c:50:a0:77:5b:e8:a7:58:3d:31:77:9f:5f:9b:3c:
         0c:b3:24:ac:c7:3c:eb:c0:c6:e1:9e:f6:d2:ec:2d:7b:1f:d6:
         93:d9:4f:5d:51:d3:d4:4f:9e:a9:83:e7:97:f6:ce:17:11:a1:
         8b:d4:57:9d:94:79:3a:1b:71:4b:f5:db:e6:c0:a1:ee:5b:7b:
         93:99:94:e2:ce:33:cf:cb:78:44:96:95:10:55:c3:46:7a:c8:
         b5:b8:8d:34:d6:d3:c2:55:50:54:a3:bb:65:c9:f8:50:93:ac:
         ed:ba:4d:f0:ba:81:ef:1f:f8:03:3d:56:71:29:b5:84:48:70:
         f1:08:29:19:c4:39:cb:41:d1:e9:27:45:b5:e1:25:6b:4f:fe:
         cd:98:57:1d:f3:0f:d1:ca:a4:d1:23:1b:94:cb:65:10:34:47:
         9a:8a:81:05:43:98:3e:6d:98:77:a0:8d:d5:ed:8d:5d:fc:8d:
         c7:2d:05:68:05:69:2f:6f:29:20:81:94:bb:ab:86:09:ca:de:
         6f:38:0a:ab:23:49:05:82:a3:eb:cc:8e:9d:46:a5:4b:e6:60:
         0f:d6:00:30:5e:b3:8e:be:d7:44:ac:32:c7:e8:41:e7:46:ee:
         35:bd:d4:76
SHA1 Fingerprint: 45AD6BB499011BB4E84E84316A81C27D89EE5CE7

Trustpool: Built-In
==================================================
CA certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT
        Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:df:af:e9:97:50:08:83:57:b4:cc:62:65:f6:90:
                    82:ec:c7:d3:2c:6b:30:ca:5b:ec:d9:c3:7d:c7:40:
                    c1:18:14:8b:e0:e8:33:76:49:2a:e3:3f:21:49:93:
                    ac:4e:0e:af:3e:48:cb:65:ee:fc:d3:21:0f:65:d2:
                    2a:d9:32:8f:8c:e5:f7:77:b0:12:7b:b5:95:c0:89:
                    a3:a9:ba:ed:73:2e:7a:0c:06:32:83:a2:7e:8a:14:
                    30:cd:11:a0:e1:2a:38:b9:79:0a:31:fd:50:bd:80:
                    65:df:b7:51:63:83:c8:e2:88:61:ea:4b:61:81:ec:
                    52:6b:b9:a2:e2:4b:1a:28:9f:48:a3:9e:0c:da:09:
                    8e:3e:17:2e:1e:dd:20:df:5b:c6:2a:8a:ab:2e:bd:
                    70:ad:c5:0b:1a:25:90:74:72:c5:7b:6a:ab:34:d6:
                    30:89:ff:e5:68:13:7b:54:0b:c8:d6:ae:ec:5a:9c:
                    92:1e:3d:64:b3:8c:c6:df:bf:c9:41:70:ec:16:72:
                    d5:26:ec:38:55:39:43:d0:fc:fd:18:5c:40:f1:97:
                    eb:d5:9a:9b:8d:1d:ba:da:25:b9:c6:d8:df:c1:15:
                    02:3a:ab:da:6e:f1:3e:2e:f5:5c:08:9c:3c:d6:83:
                    69:e4:10:9b:19:2a:b6:29:57:e3:e5:3d:9b:9f:f0:
                    02:5d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical CA:TRUE
            X509v3 Key Usage: critical Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
    Signature Algorithm: sha1WithRSAEncryption
         a3:1a:2c:9b:17:00:5c:a9:1e:ee:28:66:37:3a:bf:83:c7:3f:
         4b:c3:09:a0:95:20:5d:e3:d9:59:44:d2:3e:0d:3e:bd:8a:4b:
         a0:74:1f:ce:10:82:9c:74:1a:1d:7e:98:1a:dd:cb:13:4b:b3:
         20:44:e4:91:e9:cc:fc:7d:a5:db:6a:e5:fe:e6:fd:e0:4e:dd:
         b7:00:3a:b5:70:49:af:f2:e5:eb:02:f1:d1:02:8b:19:cb:94:
         3a:5e:48:c4:18:1e:58:19:5f:1e:02:5a:f0:0c:f1:b1:ad:a9:
         dc:59:86:8b:6e:e9:91:f5:86:ca:fa:b9:66:33:aa:59:5b:ce:
         e2:a7:16:73:47:cb:2b:cc:99:b0:37:48:cf:e3:56:4b:f5:cf:
         0f:0c:72:32:87:c6:f0:44:bb:53:72:6d:43:f5:26:48:9a:52:
         67:b7:58:ab:fe:67:76:71:78:db:0d:a2:56:14:13:39:24:31:
         85:a2:a8:02:5a:30:47:e1:dd:50:07:bc:02:09:90:00:eb:64:
         63:60:9b:16:bc:88:c9:12:e6:d2:7d:91:8b:f9:3d:32:8d:65:
         b4:e9:7c:b1:57:76:ea:c5:b6:28:39:bf:15:65:1c:c8:f6:77:
         96:6a:0a:8d:77:0b:d8:91:0b:04:8e:07:db:29:b6:0a:ee:9d:
         82:35:35:10
SHA1 Fingerprint: DAC9024F54D8F6DF94935FB1732638CA6AD77C13

Trustpool: Built-In
==================================================
CA certificate
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
        Validity
            Not Before: Jan 29 00:00:00 1996 GMT
            Not After : Aug 2 23:59:59 2028 GMT
        Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c9:5c:59:9e:f2:1b:8a:01:14:b4:10:df:04:40:
                    db:e3:57:af:6a:45:40:8f:84:0c:0b:d1:33:d9:d9:
                    11:cf:ee:02:58:1f:25:f7:2a:a8:44:05:aa:ec:03:
                    1f:78:7f:9e:93:b9:9a:00:aa:23:7d:d6:ac:85:a2:
                    63:45:c7:72:27:cc:f4:4c:c6:75:71:d2:39:ef:4f:
                    42:f0:75:df:0a:90:c6:8e:20:6f:98:0f:f8:ac:23:
                    5f:70:29:36:a4:c9:86:e7:b1:9a:20:cb:53:a5:85:
                    e7:3d:be:7d:9a:fe:24:45:33:dc:76:15:ed:0f:a2:
                    71:64:4c:65:2e:81:68:45:a7
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         10:72:52:a9:05:14:19:32:08:41:f0:c5:6b:0a:cc:7e:0f:21:
         19:cd:e4:67:dc:5f:a9:1b:e6:ca:e8:73:9d:22:d8:98:6e:73:
         03:61:91:c5:7c:b0:45:40:6e:44:9d:8d:b0:b1:96:74:61:2d:
         0d:a9:45:d2:a4:92:2a:d6:9a:75:97:6e:3f:53:fd:45:99:60:
         1d:a8:2b:4c:f9:5e:a7:09:d8:75:30:d7:d2:65:60:3d:67:d6:
         48:55:75:69:3f:91:f5:48:0b:47:69:22:69:82:96:be:c9:c8:
         38:86:4a:7a:2c:73:19:48:69:4e:6b:7c:65:bf:0f:fc:70:ce:
         88:90
SHA1 Fingerprint: A1DB6393916F17E4185509400415C70240B0AE6B
09-13-2021 06:20 AM
Hi wj343,
Trustpool: Built-In
==================================================
CA certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT   <<<
I believe this is what's happening,
As this is expiring in 20 days, it is actually multiplying this by 24 hours. So that becomes 24 * 20 = 480. Instead of hours, it is displaying days. I would advise raising a TAC case. The TAC engineer will help with further analysis.
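An added example, not part of this thread, that turns the analysis above into a check you can run on your own `show crypto ca trustpool detail` output: it parses each certificate's Not After and Subject lines, computes the days remaining from the timestamp of the cepki message, and lists the CAs that expire within a threshold. The sample text is constructed from the Validity and Subject lines posted earlier in the thread (modulus and signature blocks left out); the function and constant names are this example's own, and the days-times-24 helper only reproduces the explanation given above, not anything known about the cepki code.

```python
"""Report days until each CA in an IOS XR trustpool expires (added example)."""
import math
import re
from datetime import datetime, timezone

# Constructed sample in the layout of `show crypto ca trustpool detail`.
# Only the Validity and Subject lines matter; they match the thread's output.
SAMPLE_TRUSTPOOL = """\
Trustpool: Built-In
==================================================
CA certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=Cisco Root CA 2048,O=Cisco Systems
        Validity
            Not Before: May 14 20:17:12 2004 GMT
            Not After : May 14 20:25:42 2029 GMT
        Subject: CN=Cisco Root CA 2048,O=Cisco Systems
Trustpool: Built-In
==================================================
CA certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT
        Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
"""

# Constructed: the same fields as they look when the output is pasted
# flattened onto one line, as happened in the thread. The parser accepts both.
SAMPLE_FLATTENED = (
    "Validity Not Before: Jan 29 00:00:00 1996 GMT Not After : Aug 2 23:59:59 2028 GMT "
    "Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\\, Inc.,C=US "
    "Subject Public Key Info: Public Key Algorithm: rsaEncryption"
)

# Timestamp of the cepki message, Sep 10 14:01:16 EDT (UTC-4), as UTC.
LOG_TIME = datetime(2021, 9, 10, 18, 1, 16, tzinfo=timezone.utc)

# Not After is always followed by the Subject line in this output shape; the
# subject ends at a newline or at the "Subject Public Key Info:" header.
_ENTRY_RE = re.compile(
    r"Not After\s*:\s*"
    r"(?P<not_after>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4}\s+GMT)"
    r"\s+Subject:\s*(?P<subject>.+?)"
    r"(?=\s+Subject Public Key Info:|\s*\n|$)"
)


def parse_not_after(text):
    """Return [(subject, not_after_utc), ...] for every CA certificate in text."""
    entries = []
    for m in _ENTRY_RE.finditer(text):
        when = datetime.strptime(m.group("not_after"), "%b %d %H:%M:%S %Y %Z")
        entries.append((m.group("subject"), when.replace(tzinfo=timezone.utc)))
    return entries


def days_until_expiry(text, now=LOG_TIME):
    """Whole days (rounded up) until each CA expires; negative once expired."""
    return {
        subject: math.ceil((not_after - now).total_seconds() / 86400)
        for subject, not_after in parse_not_after(text)
    }


def expiring_within(text, threshold_days, now=LOG_TIME):
    """Subjects whose certificate expires within threshold_days of `now`."""
    return [s for s, d in days_until_expiry(text, now).items() if d <= threshold_days]


def hours_shown_as_days(days):
    """The figure the log line displays, per the explanation in the thread:
    remaining days multiplied by 24 but labelled as days."""
    return days * 24


if __name__ == "__main__":
    for subject, days in days_until_expiry(SAMPLE_TRUSTPOOL).items():
        print(f"{days:5d} days  {subject}")
    print("expiring within 30 days:", expiring_within(SAMPLE_TRUSTPOOL, 30))
```

Run against a real paste, the DST Root CA X3 entry comes out at 20 days from the Sep 10 log time, which is the 480 in the message once multiplied by 24; any other CA that shows up in `expiring_within` is one to plan a replacement for before the device starts logging about it.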
09-13-2021 11:34 AM
This is fixed via CSCvs73344. It is fixed in 7.3.2 and later.
Symptom:
DST Root CA in trustpool is expired on 30 Sep 2021
Conditions:
Workaround:
Config
crypto ca trustpoint <trustpoint name>
enrollment terminal
domain name <domain_name>
commit
exit
Then do crypto ca authenticate <trustpoint name> -> then paste new certificate
Further Problem Description:
It looks like this fix removes the certificate.
More info on the change in certificate is here: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
It does not affect traffic but may cause e.g. SSH problems. Also there is a potential cepki process respawn problem which is fixed with following DDTS:
CSCvo69790
Sam
09-13-2021 01:16 PM
Hi Sam,
Can you please advise how to remove the problematic CA from my current version of IOS-XR (6.4.2)? I am still running RSP440s, so it's not possible to perform a system upgrade to 7.3.2.
I am not sure how the listed workaround will help remove the certificate to prevent cepki from respawning, since it doesn't seem to replace the expiring certificate, only add a new CA (which I shouldn't need anyways).