'cepki' respawning and cannot create new certificate after a turboboot install to 5.3.4
03-13-2018 09:00 AM - edited 03-01-2019 03:22 PM
Hi,
We performed a turboboot install of 5.3.4 onto an RSP2 line card installed in an ASR9006 without any problems.
However we now repeatedly get the error on the CLI;
RP/0/RSP0/CPU0:Mar 13 15:56:51.158 GMT: cepki[162]: %SECURITY-CEPKI-6-ERR : cepki_restore_keychain failed
RP/0/RSP0/CPU0:Mar 13 15:56:51.228 GMT: sysmgr[97]: %OS-SYSMGR-3-ERROR : cepki(1) (jid 162) exited, will be respawned with a delay (slow-restart)
RP/0/RSP0/CPU0:Mar 13 15:56:51.228 GMT: sysmgr[97]: %OS-SYSMGR-3-ERROR : cepki(162) (fail count 30) will be respawned in 120 seconds
We understand this to be related to a lack of certificate and time related, so we have fixed an NTP server and it is synchronized; however, we still cannot create a new certificate (hostname and domain are set):
RP/0/RSP0/CPU0:BYF-LAB-BBR-1#crypto key generate rsa
Tue Mar 13 15:58:33.751 GMT
The name for the keys will be: the_default
Choose the size of the key modulus in the range of 512 to 4096 for your General Purpose Keypair. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [1024]:
Generating RSA keys ...
Error connecting to server channel.
crypto_set_key_req: Error sending request to server.
Cannot execute the command : Not a directory
03-13-2018 09:47 AM
Alternatively, does anyone know how to export a set of keys from a working ASR9006 router, which we could maybe import into this turboboot'ed one (which cannot generate its own keys)?
03-13-2018 11:57 AM
Can be several problems here, thus opening a TAC case can be a faster approach:
- Time may still not be in sync
- Cepki process can be blocked on some other:
"show process block loc all" -- look for the cepki process and see if it is stuck in Mutex/Reply for a long time - you may need to restart it or the process it is blocked on
- Can be NVRAM corruption - you may erase NVRAM to clear old keys.
Niko
03-13-2018 12:38 PM
Thank you so much for your reply :)
We know that cepki is crashing because of the lack of local rsa certificates.
And we cannot create the rsa certificate as per the error. ‘debug crypto all’ shows nothing useful :(
I’m pretty certain the time is synchronised as it says so with ‘show ntp status’?
Resetting the nvram is a great idea though! :) thank you. We will share the results
