
'cepki' respawning and cannot create new certificate after a turboboot install to 5.3.4

Hi,

We performed a turboboot install of 5.3.4 onto an RSP2 line card installed in an ASR9006 without any problems.

 

However, we now repeatedly get the error on the CLI:
RP/0/RSP0/CPU0:Mar 13 15:56:51.158 GMT: cepki[162]: %SECURITY-CEPKI-6-ERR : cepki_restore_keychain failed
RP/0/RSP0/CPU0:Mar 13 15:56:51.228 GMT: sysmgr[97]: %OS-SYSMGR-3-ERROR : cepki(1) (jid 162) exited, will be respawned with a delay (slow-restart)   
RP/0/RSP0/CPU0:Mar 13 15:56:51.228 GMT: sysmgr[97]: %OS-SYSMGR-3-ERROR : cepki(162) (fail count 30) will be respawned in 120 seconds 

 

We understand this to be related to a lack of certificate and time related, so we have fixed an NTP server and it is synchronized; however, we still cannot create a new certificate (hostname and domain are set):

RP/0/RSP0/CPU0:BYF-LAB-BBR-1#crypto key generate rsa
Tue Mar 13 15:58:33.751 GMT
The name for the keys will be: the_default
  Choose the size of the key modulus in the range of 512 to 4096 for your General Purpose Keypair. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [1024]:
Generating RSA keys ...
Error connecting to server channel.
crypto_set_key_req: Error sending request to server.
Cannot execute the command : Not a directory


Alternatively, does anyone know how to export a set of keys from a working ASR9006 router, which we could maybe import into this turboboot'ed one (which cannot generate its own keys)?

nkarpysh
Cisco Employee

Can be several problems here, thus opening a TAC case can be a faster approach:

 

- Time may still not be in sync

- Cepki process can be blocked on some other:

"show process block loc all" -- look for the cepki process and see if it is stuck in Mutex/Reply for a long time - you may need to restart it or the process it is blocked on

 

- Can be NVRAM corruption - you may erase NVRAM to clear old keys.

 

 


HTH,
Niko

Hi,

Thank you so much for your reply :)

We know that cepki is crashing because of the lack of local rsa certificates.

And we cannot create the rsa certificate as per the error. ‘debug crypto all’ shows nothing useful :(

I’m pretty certain the time is synchronised as it says so with ‘show ntp status’?

Resetting the nvram is a great idea though! :) thank you. We will share the results