
Client Certificate Expired

miketduffy
Level 3

Hi, 

Backup failed on server with;

Error bpbrm (pid=15908) [PROXY] Received status: 7625 with message A SSL connect failed. Status: 1 Msg: certificate verify failed

I checked the client and

/usr/openv/netbackup/bin/nbcertcmd -listCertDetails

Expiry Date : Sep 26 07:12:38 2019 GMT

 

Does anyone know how to update/refresh this? I have tried everything offered so far and nothing updates it.

 

Thanks

 

 

1 ACCEPTED SOLUTION

Thanks for all the suggestions but it appears it was as easy as this to fix;

 

It is necessary to adjust the Master Server's CLIENT_NAME parameter to match the value displayed in the Host column of the Host Management table.

Once done, attempts to add new clients or media servers should no longer result in EXIT STATUS 5987.

 

So edited bp.conf and removed the domain name. Ran the nbcertcmd again and all fixed.

 

Thanks again

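A pre-flight check for the two conditions this thread turned on, as an added example (not from the original posts or from Veritas): it reads the `Expiry Date` line in the format quoted in the question and compares `CLIENT_NAME` from bp.conf text with the name shown in the Host column. The function names, host names and sample inputs are constructed, and bp.conf is assumed to use `KEY = value` lines.

```python
from datetime import datetime, timezone

# Constructed samples: the Expiry Date line copies the format quoted in the
# question; the host names and bp.conf contents are made up for illustration.
SAMPLE_CERT_DETAILS = "Expiry Date : Sep 26 07:12:38 2019 GMT\n"
SAMPLE_BPCONF = "SERVER = master01.example.test\nCLIENT_NAME = master01.example.test\n"

def cert_days_left(list_cert_output, now):
    """Whole days until expiry (negative once expired), from listCertDetails text."""
    for line in list_cert_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Expiry Date":
            expiry = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
            return (expiry.replace(tzinfo=timezone.utc) - now).days
    raise ValueError("no 'Expiry Date' line found")

def bpconf_value(bpconf_text, key):
    """Return the value of the first 'KEY = value' line for key, or None."""
    for line in bpconf_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return value.strip()
    return None

def client_name_finding(bpconf_text, host_column_name):
    """Classify CLIENT_NAME against the Host column of Host Management."""
    client = bpconf_value(bpconf_text, "CLIENT_NAME")
    if client is None:
        return "missing"
    if client == host_column_name:
        return "match"
    # Same first label but a different form (FQDN vs short name, or case):
    # the situation the accepted solution fixed by removing the domain name.
    if client.split(".")[0].lower() == host_column_name.split(".")[0].lower():
        return "same-host-different-form"
    return "different-host"

if __name__ == "__main__":
    now = datetime(2019, 10, 1, tzinfo=timezone.utc)  # constructed "today"
    print("days left:", cert_days_left(SAMPLE_CERT_DETAILS, now))
    print("CLIENT_NAME:", client_name_finding(SAMPLE_BPCONF, "master01"))
```

Run against real `nbcertcmd -listCertDetails` output on a schedule, a check like this flags the certificate before backups start failing with status 7625.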

12 REPLIES

Marianne
Moderator

@miketduffy 

See if this section in the manual helps?

About reissuing host ID-based certificates

https://www.veritas.com/content/support/en_US/doc/21733320-127424841-0/v120989793-127424841

 

Hi

 

I had tried that and get this error 

 

Host certificate and certificate revocation list already exist for master server [brprdnbu001.iggroup.local]

sdo
Moderator

I think you might have to show us all the steps that lead to the error, because there are several steps to re-issuing a token, and to re-using the re-issued token.

Krutons
Moderator

Here is what I would suggest doing.

Go to Certificate Management under Security Management in the Admin Console.
Revoke the cert for the client you are having issues with.

On the client, run the following.
nbcertcmd -listCACertDetails
Copy the SHA1 Fingerprint and paste it in the next command
nbcertcmd -removeCACertificate -fingerPrint <paste here>
nbcertcmd -deleteAllCertificates
nbcertcmd -getCACertificate -server <master server>

Now generate a reissue token in the Admin Console for this client and copy that token; you will use it in the next command.

nbcertcmd -getCertificate -server <master server> -token

Paste the token when asked for it.

Now refresh the Host Management tab in the Admin Console and verify that there is now a green lock next to this client name.
Also, refresh the Certificate Management tab in the Admin Console and verify that the client now shows active.

 

If it's just the client certificate that is expired, you do not need to delete anything.

Simply create a reissue token for the client machine and then run the below command on the client:

nbcertcmd -getcertificate -token <reissue_token_created> -force

Note: a reissue token is specific to a host and is not the same as a regular token.

Hi

Thanks for the reply

I had tried this fix but get the following error when attempted.

 

/usr/openv/netbackup/bin/nbcertcmd -getcertificate -token WMHHRNSTIBAPUIKW -force
nbcertcmd: The -getCertificate operation failed for server MASTERSERVERNAME
EXIT STATUS 5965: The host ID associated with this reissue token is assigned to another host. You need to revoke the existing certificate for the host ID before you can reuse the host ID for this host.

Any ideas how to get around this?

 

thanks again

 

Hi

thanks for the response.

Tried the steps you suggest and get this error

 

nbcertcmd -getCertificate -server MASTERSERVER -token
Authorization Token:
nbcertcmd: The -getCertificate operation failed for server MASTERSERVER.
EXIT STATUS 5965: The host ID associated with this reissue token is assigned to another host. You need to revoke the existing certificate for the host ID before you can reuse the host ID for this host.

 

Any ideas?

Thanks

Hamza_H
Moderator

Hello @miketduffy ,

Try this:

On the master's console, generate a new re-issue token from the console (copy it and keep it).

Then on the client, execute the command:

nbcertcmd -getCertificate -force -token <reissue_token_created>

 

Then paste the result

 

BR.

H.

 

 

Hi

Although I have tried this I did do it again. This is the result

 

nbcertcmd -getCertificate -force -token LXGHMONRLBVPLIAD
nbcertcmd: The -getCertificate operation failed for server MASTERSERVERNAME.
EXIT STATUS 5965: The host ID associated with this reissue token is assigned to another host. You need to revoke the existing certificate for the host ID before you can reuse the host ID for this host.


After the steps, the problem was resolved.

Thanks

 

Dangerous_Dan
Level 5

We had exactly the same issue - despite the client having the alias names in the host mapping. Why oh why is the NetBackup master server not looking at these available details when being supplied with a reissue token! urgh..................