
Problem with replacing AVS 3120 cert with Verisign

I'm having some issues related to replacing the server.crt on the AVS 3120 with a cert from Verisign. I am running version 6.0. I have the cert in a PFX format. I know this cert is good because I have installed it on another machine with no problems. I used the OpenSSL pkcs12 utility to decrypt the PFX into a private key file and a cert.

openssl pkcs12 -in truck.pfx -nocerts -out truckkey.pem

openssl pkcs12 -in truck.pfx -clcerts -nokeys -out truckcert.pem

Both files are readable. I copied and renamed these files to server.key and server.crt in the /usr/avs/perfnode/node_manager/conf/ssl.crt/ directory and bounced the service ./fgnnmctl. (I even rebooted.) Once I rebooted, I could no longer manage the 3120 from the 3180 management console. Just for sanity, I swapped out the Verisign cert and put the original cert back in. Everything works. So it is related to the cert. The docs say you do not have to import a cert into the 3180 management console if it comes from Verisign. I tried that anyway - and the 3180 complains that it is not X.509 compliant. Here is an error_log from the 3120 in /usr/avs/perfnode/node_manager/logs which I am sure is the root of the problem:

Feb 28 15:13:57 AVS-3120-DC-1 nmgr[775]: [error] mod_ssl: Init: (localhost:9090) Unable to configure RSA server private key (OpenSSL library error follows)

Feb 28 15:13:57 AVS-3120-DC-1 nmgr[775]: [error] OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

I get this error just starting the service ./fgnnmctl start

Has anyone seen this or can advise? Thanks.

Note: I just found that the key file should be stored in the /usr/avs/perfnode/node_manager/conf/ssl.key/ directory.

Once I moved it there, "./fgnnmctl start" worked, but it prompted me for the passphrase. Now when I reboot, the Starting fgnpn: service is waiting....probably for the passphrase to be responded to - which I can't do.

Any ideas?
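
An added example, not part of the original post: the `key values mismatch` error means the certificate and the private key the server loaded do not belong together, and a key exported with `openssl pkcs12 -nocerts` without `-nodes` is written passphrase-encrypted. The sketch below checks both conditions before a pair is installed; the function names, file names and the demo passphrase are assumptions made for illustration, and the sample files are constructed throwaway keys.

```sh
#!/bin/sh
# Added example: check a PEM cert/key pair before installing it on a server.

# 0 if KEY ($2) is the private key for CERT ($1); $3 is an optional openssl
# passphrase source such as "pass:secret" or "file:/path" for encrypted keys.
cert_key_match() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -passin "${3:-pass:}" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the PEM private key is passphrase-protected (PKCS#8 or traditional form).
key_is_encrypted() {
    grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$1"
}

# Print one verdict word: match | match-encrypted | mismatch.
# "mismatch" is also printed when the key cannot be read (wrong or no passphrase).
preflight() {
    if ! cert_key_match "$1" "$2" "$3"; then echo mismatch
    elif key_is_encrypted "$2"; then echo match-encrypted
    else echo match; fi
}

# Constructed sample input: throwaway self-signed cert, its key, an encrypted
# copy of that key (passphrase "demo-pass"), and an unrelated key.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    openssl pkey -in "$1/server.key" -aes256 -passout pass:demo-pass \
        -out "$1/server.enc.key" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

d=$(mktemp -d) && make_demo_files "$d"
preflight "$d/server.crt" "$d/server.key"                     # match
preflight "$d/server.crt" "$d/other.key"                      # mismatch
preflight "$d/server.crt" "$d/server.enc.key" pass:demo-pass  # match-encrypted
rm -rf "$d"
```

A `match-encrypted` verdict corresponds to the situation where the service prompts for a passphrase at start; a `mismatch` verdict corresponds to the `X509_check_private_key` error in the log.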
