
NETCONF/SSH: error: Trustpoint does not have a cert

Hi

I have enabled NETCONF on a lab CSR1000V and I am getting the message below on the terminal:

 

NETCONF/SSH: error: Trustpoint does not have a cert

 

Also, I am unable to connect to it via YANG Explorer from my Ubuntu machine.

 

 

My running config is as below:

R1#sh running-config
Building configuration...

Current configuration : 1482 bytes
!
! Last configuration change at 20:14:45 UTC Fri Jul 3 2020 by k
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
ip domain name kj.com
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 9OG0Q0W7LHE
license boot level ax
diagnostic bootup level minimal
spanning-tree extend system-id
!
netconf-yang
!
!
username k privilege 15 password 0 kk
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet1
ip address 192.168.1.100 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
stopbits 1
line vty 0 4
login local
transport input ssh
!
netconf ssh
!
!
!
!
!
end

 

1 Reply

darrenolive
Level 1

This issue appears to be a result of self-signed certificates on IOS/IOS-XE platforms expiring on Jan 1st 2020.

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215118-ios-self-signed-certificate-expiration-o.html

 

The resolution is to upgrade to a newer version of IOS where this issue has been fixed; however, I was only testing and was able to work around it by changing the time/date to before Jan 1st 2020.
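
One way to confirm the cause named in the reply above, as an added example that is not part of the original thread and not Cisco code: it parses `show crypto pki certificates` output and lists the trustpoints whose certificate is not valid at a given device clock time. The sample output is constructed (the certificate numbers are made up), and the function names and the assumption that validity dates are printed in UTC belong to this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of `show crypto pki certificates`;
# the certificate numbers are made up, not taken from the post.
SAMPLE = """\
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-0000000001
  Subject:
    Name: IOS-Self-Signed-Certificate-0000000001
    cn=IOS-Self-Signed-Certificate-0000000001
  Validity Date:
    start date: 19:14:14 UTC Dec 21 2017
    end   date: 00:00:00 UTC Jan 1 2020
  Associated Trustpoints: TP-self-signed-0000000001
"""

DATE_RE = re.compile(r"(start|end)\s+date:\s*(\d\d:\d\d:\d\d)\s+\S+\s+(\w{3}\s+\d{1,2}\s+\d{4})")
TP_RE = re.compile(r"Associated Trustpoints:\s*(.+)")

def parse_certs(text):
    """Return one dict per certificate block (blocks start at column 0)."""
    certs = []
    for block in re.split(r"(?m)^(?=\S)", text):
        if not block.strip():
            continue
        cert = {"kind": block.splitlines()[0].strip(), "trustpoints": []}
        for which, clock, day in DATE_RE.findall(block):
            # Assumption: the device prints validity dates in UTC.
            stamp = datetime.strptime(" ".join(f"{clock} {day}".split()), "%H:%M:%S %b %d %Y")
            cert[which] = stamp.replace(tzinfo=timezone.utc)
        tp = TP_RE.search(block)
        if tp:
            cert["trustpoints"] = tp.group(1).split()
        certs.append(cert)
    return certs

def unusable_trustpoints(text, now):
    """Trustpoints whose certificate is not valid at `now` (e.g. the device clock)."""
    bad = []
    for cert in parse_certs(text):
        if "start" in cert and "end" in cert and not (cert["start"] <= now < cert["end"]):
            bad.extend(cert["trustpoints"])
    return bad
```

Passing the device's own clock as `now` shows why moving the date back changes the result: the same certificate is flagged at the Jul 3 2020 timestamp in the posted config and not at a date before Jan 1st 2020.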