Connectrix: B-Series: Expired HTTPS Certificates Causing Switch Status Marginal
Summary: Expired HTTPS certificates trigger MAPS alerts for switch status and sets status to Marginal.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
From MAPS outputs:
mapsdb --show 2 Switch Health Report: ======================= Current Switch Policy Status: MARGINAL Contributing Factors: --------------------- *EXPIRED_CERTS (MARGINAL). SwitchA:admin> seccertmgmt show -all ssh private key: Does not Exist ssh public keys available for users: None Certificate Files: -------------------------------------------------------------------------------------------------------------------- Protocol Client CA Server CA SW CSR PVT Key Passphrase -------------------------------------------------------------------------------------------------------------------- FCAP Empty NA Empty Empty Empty Empty RADIUS Empty Empty Empty Empty Empty NA LDAP Empty Empty Empty Empty Empty NA SYSLOG Empty Empty Empty Empty Empty NA HTTPS NA Empty Exist Empty Exist NA KAFKA NA Empty NA NA NA NA ASC NA Empty NA NA NA NA
Cause
This issue caused due to the HTTPS certificate expiring and must be renewed.
SwitchA:FID128:admin> seccertmgmt show -cert https Issued To countryName = US stateOrProvinceName = California localityName = San Jose organizationName = Brocade organizationalUnitName = Eng commonName = xx.xx.xx.xx Issued By countryName = US stateOrProvinceName = California localityName = San Jose organizationName = Brocade organizationalUnitName = Eng commonName = xx.xx.xx.xx Period Of Validity Begins On Mar 23 12:05:31 2021 GMT Expires On Mar 23 12:05:31 2023 GMT Certificate expiry date is Mar 23 12:05:31 2023 GMTFrom Err dump:
2023/03/22-23:59:35, [MAPS-1020], 549, FID 128, WARNING, SwitchA, Switch wide status has changed from HEALTHY to MARGINAL.
Resolution
Generate a self-signed HTTPS certificate.
- Verify if the certificate is updated using the following command.
seccertmgmt show -cert https
- Once the certificate is updated, It may take up to 24 hours for the switch status to change back to Healthy.
- Consider performing "hafailover" or "hareboot" if the Switch status is not changed to healthy.
SwitchA:admin> seccertmgmt generate -cert https -type rsa -keysize 2048 -hash sha256 -years 2 Generating a new certificate will do the following 1. Delete existing switch certificate(s). 2. Disable secure protocol HTTPS Warning: Certificate generation is CPU intensive and can cause high CPU usage Continue (yes, y, no, n): [no] y Generating ... ...Generated self-signed https certificate successfully. switchA:admin> seccertmgmt show -cert https Issued To countryName = US stateOrProvinceName = California localityName = San Jose organizationName = org organizationalUnitName = unit commonName = xx.xx.xx.xx Issued By countryName = US stateOrProvinceName = California localityName = San Jose organizationName = org organizationalUnitName = unit commonName = xx.xx.xx.xx Period Of Validity Begins On Nov 9 10:02:22 2023 GMT Expires On Nov 8 10:02:22 2025 GMT >> Certificate Updated
Affected Products
Connectrix B-SeriesArticle Properties
Article Number: 000220191
Article Type: Solution
Last Modified: 10 ربيع الأول 1447
Version: 2
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.