537 Views, 0 Helpful, 6 Replies

certificate error

rrussell
Level 1

I get the following error when trying to update the sensor (from IDSMC 1.2.3).

An error occurred while running the update script on the sensor named sensor. Detail = CLI Error: "The host is not trusted. Add the host to the system's trusted TLS certificates."

This is on a newly imaged 4210 sensor built with the 4.1.1(S47) build disk.

I've tried to regenerate the certificate but am either not doing it correctly or something is going awry.

I've also tried to remove the sensor from the MC and generate new keys and then re-add it but I get the same result.

6 Replies

marcabal
Cisco Employee

With the changing of certificates on the IDS MC you may have confused the sensor. It may be comparing an older certificate.

Go to the sensor CLI and enter the configure terminal mode (conf t).

Then type:

tls trusted-host ip-address <ip-address> [port <port>]

using the <ip-address> and <port> of your IDS MC box

For more information on the command:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/cmdref/15599ch2.htm#380564

This will download the latest certificate for the IDS MC and you can have the sensor accept the certificate.

Then try the upgrade again and see if it works.

Just to let you know,

I just saw a new DDTS Issue with similar symptoms:

CSCed45100

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCed45100&Submit=Search

You may want to check and see if this could be the same problem you are seeing.

Nope. I got the exact same issue. About an hour later I even deleted the device from the MC and readded it with the same results.

On an added note: When I go to the IDS MC from the CW2K I get an error that states that the security certificate is invalid or has expired and that the name on the security certificate does not match the site.

So it looks like the certificate has expired (when I go to the certificate details).

In reading through the documentation it looks the certificate is only good for 1 year.

If you have been running IDS MC for longer than a year, that would explain the expiration.

Another possibility is that the time on your IDS MC server may be off by a year or more.

Check the date on your IDS MC server to ensure that it is configured for today's date, and not some year in the past or in the future.

Then create a new certificate and try again.

Here is the doc that I could find on CCO that talks about certificates (not sure if it is the right one or not):

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/usrguide/cmsrvall/admin.htm#1025217

Yup. We've been running it longer than a year. The Date and Time are correct on the system.

And that URL details the certificate for CW2K, not the certificate for the IDS MC (I only get that warning box when I launch the IDS MC), which uses the Shared Services certificate as shown in

VPN/Security Manager - Administration - Configuration - Certificate

Any ideas on this one?

You've gone past my area of expertise.

Maybe someone else on this forum can provide some help?

If you don't get any other responses, then I would suggest opening a TAC case if you haven't already done so.
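The two checks this thread circles around, the expiry of the IDS MC certificate (including the case where the server clock is off by a year) and a subject name that does not match the host the sensor connects to, can be run from any admin workstation with openssl before touching the sensor. The script below is an added example and is not from the original thread or from Cisco; the host 10.0.0.5, the port 443 and the file names are assumptions. `fetch_cert` pulls the server certificate the same way a browser would see it, and `check_cert` reports validity, the subject CN, and the SHA1 fingerprint you can compare against the one the sensor prints when `tls trusted-host` asks you to accept the certificate.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.

# Save the certificate an HTTPS server presents to a PEM file.
# Usage: fetch_cert <host> <port> <out.pem>   (e.g. fetch_cert 10.0.0.5 443 idsmc.pem)
fetch_cert() {
    host="$1"; port="$2"; out="$3"
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 -out "$out"
}

# Check a PEM certificate for the failure modes discussed in the thread.
# Usage: check_cert <cert.pem> <expected-hostname> [warn-if-expiring-within-seconds]
# Returns 0 when validity and name both check out, 1 otherwise.
check_cert() {
    pem="$1"; host="$2"; within="${3:-0}"
    rc=0

    # Validity window. -checkend N exits non-zero if the cert expires within N
    # seconds (0 = already expired). Both dates are printed so they can be
    # compared with the server's own `date`, which is the clock-skew check.
    start=$(openssl x509 -in "$pem" -noout -startdate)
    end=$(openssl x509 -in "$pem" -noout -enddate)
    if openssl x509 -in "$pem" -noout -checkend "$within" >/dev/null 2>&1; then
        echo "OK   validity: $start / $end"
    else
        echo "FAIL validity: $start / $end (expired or expiring within ${within}s)"
        rc=1
    fi

    # Subject name. Certificates of this era carried the host in the CN; the
    # browser warning "name on the certificate does not match the site" is this
    # comparison failing. RFC2253 output is stable across openssl versions.
    cn=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" = "$host" ]; then
        echo "OK   subject CN=$cn matches $host"
    else
        echo "FAIL subject CN=$cn does not match $host"
        rc=1
    fi

    # Fingerprint to compare against what the sensor shows before accepting.
    openssl x509 -in "$pem" -noout -fingerprint -sha1
    return $rc
}
```

If the validity check fails but the dates look plausible, check the clock on the machine that generated the certificate before regenerating it, as the thread suggests; a certificate issued by a server whose date is a year behind will fail on every sensor whose clock is correct. Once the regenerated certificate passes both checks, the sensor-side step is the `tls trusted-host` command given earlier in the thread.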
