Certificate verification failed

Solutions ID:    KB4172
Version:    10.0
Status:    Published
Published date:    11/16/2010
Updated:    03/31/2011
 

Problem Description

I am unable to access the user interface on my Director appliance.

I have followed the instructions in KB3288, but I still see problems with my certificate, with this message: "Certificate verification failed".

Do the SG and Director appliance certificates link to each other in some way?

When requesting a client certificate from the SGME console, they are unable to do so. Here is an example of the error:

director (config) # ssl request-appliance-certificate
Requesting certificate
Verifying certificate
Certificate verification failed
director (config) #

Resolution

NOTE: The only thing that resolved this issue, after the below steps were followed, was to replace the entire appliance through an RMA. I have documented the other steps we followed here to show in more detail what steps can be tried but, in our case, failed.

This particular problem was caused by the Director's original "birth certificate" being corrupted, which caused the certificate we downloaded from abrca.bluecoat.com to fail *verification*. During manufacturing, the key pair is generated; the private key is stored in the EEPROM and the public key is stored on the ABRCA server with the serial number. When a certificate fails to verify, it's because of corrupt data stored in the EEPROM.

At one point in our diagnosis below, we replaced the drive, but not the whole appliance. Replacing the drive will not make any difference, since the unit's birth certificate is stored in the box's EEPROM.

1: After following the instructions in the above article, I see this output on my command line interface (CLI) screen.

Below is the error seen:
director (config) # ssl request-appliance-certificate 
Requesting certificate
Verifying certificate
Certificate verification failed
director (config) #

With this symptom, you will also notice these messages in the logs.

Jun 25 12:56:21 director cli[2673]: <-cli.notice> admin@::ffff:172.31.34.155: Processing command: 1277488581882555:ssl request-appliance-certificate 
Jun 25 12:56:22 director configd: <configd.notice> Certificate retrieved OK
Jun 25 12:56:27 director configd: <configd.crit> Unable to verify cert. Failed to exec curl
Jun 25 12:56:27 director configd: <configd.crit> get_cert_auto(), cdm_ssl.c:513, build 000000: Error 1 returned, bailing out.

 

2: Going to http://abrca.bluecoat.com/sign-manual/ and manually creating the key produces the same results.

3: Replacing the disk drive, via the RMA process, also produces the same result.

4: Blue Coat Customer Care was asked to validate the customer's serial number, and it all checked out, except the customer name. Once this was fixed, the symptom remained, though.

5: Domain Name System (DNS) has to be configured, and the time has to be set correctly. SSL certificates are time/date dependent, and will fail if the time is not set correctly.
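The log excerpt in step 1 shows the certificate being retrieved and the failure occurring at the verification step. The Python sketch below is an added example, not part of the original article or of any Blue Coat tooling; it parses syslog lines of that shape and reports the stage at which a request stopped. The regular expression, the stage names and the `triage` function are assumptions made for illustration, and the sample input is the excerpt quoted in step 1.

```python
import re

# Sample input: the four syslog lines quoted in step 1 of this article.
SAMPLE_LOG = """\
Jun 25 12:56:21 director cli[2673]: <-cli.notice> admin@::ffff:172.31.34.155: Processing command: 1277488581882555:ssl request-appliance-certificate
Jun 25 12:56:22 director configd: <configd.notice> Certificate retrieved OK
Jun 25 12:56:27 director configd: <configd.crit> Unable to verify cert. Failed to exec curl
Jun 25 12:56:27 director configd: <configd.crit> get_cert_auto(), cdm_ssl.c:513, build 000000: Error 1 returned, bailing out.
"""

# Assumed line shape: timestamp, host, process[pid], <facility.level>, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w-]+)(?:\[\d+\])?: <-?(?P<facility>[\w-]+)\.(?P<level>\w+)> (?P<msg>.*)$"
)

# Message substrings taken from the log excerpt in this article.
STAGES = [
    ("requested", "ssl request-appliance-certificate"),
    ("retrieved", "Certificate retrieved OK"),
    ("verify_failed", "Unable to verify cert"),
]

def triage(log_text):
    """Return (stages_seen, critical_messages, verdict) for one request attempt."""
    seen, crit = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the expected syslog shape
        for name, marker in STAGES:
            if marker in m["msg"] and name not in seen:
                seen.append(name)
        if m["level"] == "crit":
            crit.append((m["ts"], m["msg"]))
    if "verify_failed" in seen and "retrieved" in seen:
        verdict = "certificate was retrieved; failure is at the verification step"
    elif "verify_failed" in seen:
        verdict = "verification failed; no successful retrieval logged"
    elif "requested" in seen and "retrieved" not in seen:
        verdict = "request issued but no certificate retrieved"
    else:
        verdict = "no verification failure logged"
    return seen, crit, verdict

if __name__ == "__main__":
    stages, crit, verdict = triage(SAMPLE_LOG)
    print(stages, verdict, crit, sep="\n")
```

A "request issued but no certificate retrieved" result points at the connectivity prerequisites in step 5 (DNS), while a failure after "Certificate retrieved OK" is the symptom this article describes.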

NOTE1: The only relation between an SG certificate and a Director certificate is that they are both signed by our CA named "ABRCA", at abrca.bluecoat.com.

NOTE2: 'curl' is a utility that Director uses to pull files, in this case the certificate, from the SG via the network.

NOTE3: For information on how to update your SSL appliance certificate, see KB3288.

NOTE4: A technical bulletin has also been published on this: TFA49.

