01-23-2004 03:32 PM - edited 03-09-2019 06:13 AM
I get the following error when trying to update the sensor (from IDSMC 1.2.3).
An error occurred while running the update script on the sensor named sensor. Detail = CLI Error: "The host is not trusted. Add the host to the system's trusted TLS certificates."
This is on a newly imaged 4210 sensor built with the 4.1.1(S47) build disk.
I've tried to regenerate the Certificate but am either not doing it correctly or something is going awry.
I've also tried to remove the sensor from the MC and generate new keys and then re-add it but I get the same result.
01-23-2004 03:50 PM
With the changing of certificates on the IDS MC you may have confused the sensor. It may be comparing an older certificate.
Go to the sensor CLI and enter the configure terminal mode (conf t).
Then type:
tls trusted-host ip-address
using the
For more information on the command:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/cmdref/15599ch2.htm#380564
This will download the latest certificate for IDS MC and you can have the sensor accept the certificate.
Then try the upgrade again and see if it works.
01-26-2004 10:13 AM
Just to let you know,
I just saw a new DDTS Issue with similar symptoms:
CSCed45100
http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCed45100&Submit=Search
You may want to check and see if this could be the same problem you are seeing.
01-26-2004 10:47 AM
Nope. I got the exact same issue. About an hour later I even deleted the device from the MC and re-added it with the same results.
On an added note: When I go to the IDS MC from the CW2K I get an error that states that the security certificate is invalid or has expired and that the name on the security certificate does not match the site.
So it looks like the certificate has expired (when I go to the certificate details).
01-26-2004 11:10 AM
In reading through the documentation it looks like the certificate is only good for 1 year.
If you have been running IDS MC for longer than a year that would explain the expiration.
Another possibility is that the time on your IDS MC server may be off by a year or more.
Check the date on your IDS MC server to ensure that it is configured for today's date, and not some year in the past or in the future.
Then create a new certificate and try again.
Here is the doc that I could find on CCO that talks about certificates (not sure if it is the right one or not):
01-26-2004 11:52 AM
Yup. We've been running it longer than a year. The Date and Time are correct on the system.
And that URL details the Certificate for the CW2K certificate, and not the certificate for the IDS MC (I only get that warning box when I launch the IDS MC) which uses the Shared Services certificate as shown in the
VPN/Security Manager - Administration - Configuration - Certificate
Any ideas on this one?
01-26-2004 01:32 PM
You've gone past my area of expertise.
Maybe someone else on this forum can provide some help?
If you don't get any other responses, then I would suggest opening a TAC case if you haven't already done so.