Dell Networking OS10: How to Run Certificate Update Directly from the OS10 Switch

Summary: How to run the OS10 certificate update script directly from the switch.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

Table of Contents

  1. Requirements To Be Met
  2. Steps to Run Script from OS10 Switch
  3. Command Summary
  4. APT Removal and Cleanup
  5. Items to Take Note

Requirements To Be Met

  • Must have Internet access
  • Must have a working DNS configured (IP name-server)
  • Requires .zip or the extracted files transferred to one switch on local flash
  • Switch Sysadmin role user
  • Must not have "system-cli disable" configured

Steps to Run Script from OS10 Switch

  1. Configure the name-server

    OS10(config)# ip name-server <dnsserverip>

  2. Confirm can ping DNS name

    OS10# ping debian.org
PING debian.org (130.89.148.77) 56(84) bytes of data.
64 bytes from klecker-misc.debian.org (130.89.148.77): icmp_seq=1 ttl=45 time=123 ms
64 bytes from klecker-misc.debian.org (130.89.148.77): icmp_seq=2 ttl=45 time=123 ms
^C
--- debian.org ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms

  3. Copy file to local flash

    OS10# copy scp://root@<fileserverip>/cert_upgrade_script-3.zip home://cert_upgrade_script-3.zip
password:
OS10# dir home
Directory contents for folder: home
Date (modified)        Size (bytes)  Name
---------------------  ------------  ------------------------------------------
2021-05-18T00:28:45Z   8426          cert_upgrade_script-3.zip

  4. Move to a shell prompt. Install "unzip" and then install "except" (if the file is not extracted).

    leaf-2# system "sudo -i”

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for admin:
root@leaf-2:~# cd /home/admin/
root@OS10:/home/admin# apt-get update
Get:1 http://security.debian.org stretch/updates InRelease [53.0 kB]
<<snippet>>
Fetched 13.6 MB in 5s (2562 kB/s)
Reading package lists... Done
root@OS10:/home/admin# apt-get install unzip
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libevent-2.0-5 libfile-copy-recursive-perl openbsd-inetd update-inetd
Use 'apt autoremove' to remove them.
Suggested packages:
  zip
The following NEW packages will be installed:
  unzip
0 upgraded, 1 newly installed, 0 to remove and 78 not upgraded.
Need to get 172 kB of archives.
After this operation, 559 kB of additional disk space will be used.
Get:1 http://httpredir.debian.org/debian stretch/main amd64 unzip amd64 6.0-21+deb9u2 [172 kB]
Fetched 172 kB in 0s (354 kB/s)
Selecting previously unselected package unzip.
(Reading database ... 30678 files and directories currently installed.)
Preparing to unpack .../unzip_6.0-21+deb9u2_amd64.deb ...
Unpacking unzip (6.0-21+deb9u2) ...
Processing triggers for mime-support (3.60) ...
Setting up unzip (6.0-21+deb9u2) ...

root@OS10:/home/admin # apt-get install expect
<<snippet>>
Need to get 24.6 MB of archives.
After this operation, 186 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
<<snippet>

  5. Extract and chmod to change the file to executable

    root@OS10:/home/admin# unzip cert_upgrade_script-3.zip
Archive:  cert_upgrade_script-3.zip
  inflating: cert_upgrade_script/cert.py
  inflating: cert_upgrade_script/cert.sh
  inflating: cert_upgrade_script/hosts.txt
  inflating: cert_upgrade_script/newdelldefault.crt
  inflating: cert_upgrade_script/README.md
root@OS10:/home/admin# cd cert_upgrade_script
root@OS10:/home/admin/cert_upgrade_script# ls -l
total 31
-rw-r--r-- 1 root root  5019 Mar 25 14:52 README.md
-rw-r--r-- 1 root root  9464 Apr 12 15:02 cert.py
-rw-r--r-- 1 root root 11793 Apr 12 15:02 cert.sh
-rw-r--r-- 1 root root   128 Feb 26 17:17 hosts.txt
-rw-r--r-- 1 root root  2049 Mar  2 18:06 newdelldefault.crt
root@OS10:/home/admin/cert_upgrade_script# chmod +x cert.sh

  6. Run file to each switch IP or with a host file per readme.

    root@OS10:/home/admin/cert_upgrade_script# ./cert.sh -u admin -p admin -h 192.168.122.243 -c
192.168.122.243 Vulnerable
root@OS10:/home/admin/cert_upgrade_script# ./cert.sh -u admin -p admin -h 192.168.122.243
192.168.122.243 Success
root@OS10:/home/admin/cert_upgrade_script# ./cert.sh -u admin -p admin -h 192.168.122.243 -c
192.168.122.243 Not Vulnerable

  7. After running the script, check the LKB article (Dell Networking OS10 Certificate Expiration and Solution) for the next steps.

    ALERT: Flap the VLTi or reload switch based on KB steps for the cert to take effect.

Command Summary

Configuration Explanation
OS10(config)# ip name-server <dnsserverip> Configure DNS for APT to get needed files
OS10# ping debian.org Ensure Debian.org is reachable
OS10# copy scp://root@<fileserverip>/cert_upgrade_script-3.zip home://cert_upgrade_script-3.zip Copy script file to switch
leaf-2# system "sudo -i” Enter system bash as root
root@leaf-2:~# cd /home/admin/ Change to the user home directory where we downloaded the file
root@OS10:/home/admin# apt-get update Update current apt app table
root@OS10:/home/admin# apt-get install unzip Install unzip
root@OS10:/home/admin # apt-get install expect Install expect
root@OS10:/home/admin# unzip cert_upgrade_script-3.zip Extract cert update file
root@OS10:/home/admin# cd cert_upgrade_script Move into the script file
root@OS10:/home/admin/cert_upgrade_script# ls -l Check file permissions
root@OS10:/home/admin/cert_upgrade_script# chmod +x cert.sh Change cert.sh to executable
root@OS10:/home/admin/cert_upgrade_script# ./cert.sh -u admin -p admin -h 192.168.122.243 -c Check if the switch is vulnerable
root@OS10:/home/admin/cert_upgrade_script# ./cert.sh -u admin -p admin -h 192.168.122.243 Apply fix to switch by IP
root@OS10:/home/admin/cert_upgrade_script# ./cert.sh -u admin -p admin -h 192.168.122.243 -c Confirm not vulnerable after upgrade attempt.

Apt Removal and Cleanup

Configuration Explanation
root@OS10:/home/admin/cert_upgrade_script#apt-get remove unzip Remove unzip from the switch
root@OS10:/home/admin/cert_upgrade_script#apt-get remove expect Remove expect from the switch

Items to Take Note

  • The script does version checks if running lower than 10.4.3.x
    • If running lower than this version creates the message "running a version less than 10.4.3.x, upgrade to a newer version"
  • The script does a version check for greater than 10.5.1.0. (in script version v4)
    • The system not vulnerable if other switches in the cluster are also running 10.5.1.0 or later
    • Newer firmware may have affected cert however it is not in use as such can be ignored or upgraded without concern
  • Ensure to use ' (single quotes) if special characters are in the username or password on Linux.
  • If existing Linux OS, ensure expect version is 5.45 or greater

 

Affected Products

PowerSwitch S3048-ON, PowerSwitch S4048-ON, Dell EMC Networking MX5108n, Dell EMC Networking MX9116n, Dell EMC Networking N3200-ON, PowerSwitch S4048T-ON, PowerSwitch S4148U-ON, PowerSwitch S5148F-ON, PowerSwitch S5212F-ON, PowerSwitch S5224F-ON

Products

PowerSwitch S4112F-ON/S4112T-ON, PowerSwitch S4128F-ON/S4128T-ON, PowerSwitch S4148F-ON/S4148T-ON/S4148FE-ON, PowerSwitch S4248FB-ON /S4248FBL-ON, PowerSwitch S5232F-ON, PowerSwitch S5248F-ON, PowerSwitch S5296F-ON, PowerSwitch S6010-ON , PowerSwitch S6100-ON, PowerSwitch Z9100-ON, PowerSwitch Z9264F-ON, PowerSwitch Z9332F-ON, PowerSwitch Z9432F-ON ...
Article Properties
Article Number: 000188436
Article Type: How To
Last Modified: 23 Jul 2025
Version:  7
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.