NETCONF/SSH: error: Trustpoint does not have a cert

Hi

 

I have enabled NETCONF on a lab CSR1000V and I am getting the message below on the terminal:

 

NETCONF/SSH: error: Trustpoint does not have a cert

 

Also, I am unable to connect to it via YANG Explorer from my Ubuntu machine.

 

 

My running config is as below:

R1#sh running-config
Building configuration...

Current configuration : 1482 bytes
!
! Last configuration change at 20:14:45 UTC Fri Jul 3 2020 by k
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
ip domain name kj.com
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 9OG0Q0W7LHE
license boot level ax
diagnostic bootup level minimal
spanning-tree extend system-id
!
netconf-yang
!
!
username k privilege 15 password 0 kk
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet1
ip address 192.168.1.100 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
stopbits 1
line vty 0 4
login local
transport input ssh
!
netconf ssh
!
!
!
!
!
end

 

1 Reply

darrenolive
Level 1

This issue appears to be a result of self-signed certificates on IOS/IOS-XE platforms expiring on Jan 1st 2020.

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215118-ios-self-signed-certificate-expiration-o.html

 

The resolution is to upgrade to a newer version of IOS where this issue has been fixed; however, I was only testing and was able to work around it by changing the time/date to pre Jan 1st 2020.
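An added example, not part of the original thread or any Cisco tooling: a Python check that parses saved `show crypto pki certificates` output and classifies each certificate against the device clock, which shows why a clock set before Jan 1 2020 makes the self-signed certificate validate again. The sample output is constructed, its layout is assumed to match your IOS-XE release, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample (not from the poster's router); the layout is assumed to
# follow `show crypto pki certificates` output on IOS-XE.
SAMPLE = """\
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-0000000001
  Subject:
    Name: IOS-Self-Signed-Certificate-0000000001
  Validity Date:
    start date: 10:00:00 UTC Mar 1 2018
    end   date: 00:00:00 UTC Jan 1 2020
  Associated Trustpoints: TP-self-signed-0000000001
"""

DATE = re.compile(r"(start|end)\s+date:\s+(\d\d:\d\d:\d\d) \S+ (\w{3})\s+(\d{1,2}) (\d{4})")
TRUSTPOINTS = re.compile(r"Associated Trustpoints:\s*(.+)")

def parse_certs(text):
    """Split the output into one record per certificate (unindented header line)."""
    certs = []
    for block in re.split(r"(?m)^(?=\S)", text):
        if not block.strip():
            continue
        # The zone token is skipped: times are compared as device wall-clock time.
        dates = {kind: datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
                 for kind, hms, mon, day, year in DATE.findall(block)}
        tp = TRUSTPOINTS.search(block)
        certs.append({"kind": block.splitlines()[0].strip(),
                      "trustpoints": tp.group(1).split() if tp else [],
                      "not_before": dates.get("start"),
                      "not_after": dates.get("end")})
    return certs

def status(cert, device_clock):
    """Classify a certificate against the device's own clock."""
    if cert["not_before"] is None or cert["not_after"] is None:
        return "unknown"
    if device_clock < cert["not_before"]:
        return "not-yet-valid"
    return "expired" if device_clock >= cert["not_after"] else "valid"

if __name__ == "__main__":
    for clock in (datetime(2020, 7, 3, 20, 14), datetime(2019, 12, 31), datetime(2017, 1, 1)):
        for cert in parse_certs(SAMPLE):
            print(clock.date(), cert["trustpoints"], status(cert, clock))
```

Pass the device's `show clock` time as `device_clock`; a clock set earlier than the certificate's start date fails validation just as an expired certificate does.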
