Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.
Sign In Create an Account Dell Financial Services Premier Sign In Partner Program Sign In
Contact Us

Your Dell.com Carts

Some article numbers may have changed. If this isn't what you're looking for, try searching all articles. Search articles

Article Number: 000200985

Connectrix: Switch Status Listed as MARGINAL Due to an Expired Certificate

Summary: The switch health report in the MAPS dashboard lists the switch as MARGINAL due to an expired certificate.

This article may have been automatically translated. If you have any feedback regarding its quality, please let us know using the form at the bottom of this page.

Article Content

Symptoms

switch > mapsdb --show
 
  • One Dashboard Information:
DB start time:Sun Aug 11 04:44:32 2019
Active policy:dflt_base_policy
Configured Notifications:SW_CRITICAL,SW_MARGINAL
Fenced circuits :N/A
Quarantined Ports :None
Top Zoned PIDs <pid(it-flows)>:0x020100(9) 0x020000(9) 0x020924(2) 0x020500(2) 0x020a1b(2) 
  • Switch Health Report:
Current Switch Policy Status: MARGINAL
Contributing Factors:
---------------------
*EXPIRED_CERTS (MARGINAL).

The RAS log may also contain a message indicating that MAPS has detected an expired certificate, and that the switch status is now MARGINAL: 
2022/06/26-17:16:37, [MAPS-1021], 8, FID 128, WARNING, sw0, RuleName=defCHASSISCERTS_EXPIRED, Condition=CHASSIS(EXPIRED_CERTS>0), Obj:Chassis [ EXPIRED_CERTS,1 certs]
2022/06/26-17:16:37, [MAPS-1020], 9, FID 128, WARNING, sw0, Switch wide status has changed from HEALTHY to MARGINAL

The output of the below command indicates that the certificate is not expired: 
seccertmgmt show -cert <cert_type>
Example: 
sw0:admin> seccertmgmt show -cert https

Issued To
<output truncated>
Period Of Validity
Begins On Jul 4 19:50:28 2016 GMT
Expires On Jul 11 19:50:28 2056 GMT

Cause

Due to a limitation in the base operating system of a FOS switch, certificates with an expiration date after January 17, 2038 are considered expired. As a result, MAPS identifies the certificate as expired and places the switch in a MARGINAL state.

Resolution

Install a new certificate with an expiration date before January 17, 2038 onto the switch. Once installation is complete, the MARGINAL state is cleared within 24 hours upon the next check by MAPS for expired certificates.

Review article 21007 to generate a CSR certificate (login with a Dell account is required to view):
Connectrix: How to generate CSR certificate and install on the switch to address SSH vulnerability issues.

Additional Information

In situations where any of the CA chains has an expiry date of 2038, this issue can also occur. 

Follow the below procedure to get the complete certificate chain which is installed on the switch:

  1. Log in to the switch as root.
  2. Run the below command:
cd /etc/fabos/certs/https
  1. Check the directory listing with the following command:
s -ltr
  1. Run the following command:
scp * <remote username>@<remote IP>:<remote dir>

Example:

scp * username@19x.16x.0.1:/file/location

Article Properties

Affected Product

Connectrix B-Series Hardware

Last Published Date

23 Jan 2024

Version

6

Article Type

Solution

Back to Top