bptestbpcd A SSL socket connect failed:7625

AntBar · ‎01-15-2020

Hi all,

I need your help about this configuration. My master server is Windows 2012 R2. My client is CentOS 7.5.

Backup failed with 58 status "can't connect to client".

From client, bptestnetconn is OKAY
From master, bptestbpcd fails :

bptestbpcd -client xxxxx
<16>bptestbpcd main: Function ConnectToBPCD(xxxxx) failed: 7625
<16>bptestbpcd main: A SSL socket connect failed
A SSL socket connect failed

bptestbpcd -client xxxxx -verbose
<16>bptestbpcd main: Function ConnectToBPCD(xxxx) failed: 7625
<16>bptestbpcd main: A SSL socket connect failed
<16>bptestbpcd main: A SSL connect failed. Status: 1 Msg: certificate verify failed
: 7625
A SSL socket connect failed

So I'm searching in the certificate side but commands to test it are good :

/nbcertcmd -getCACertificate
CA certificate stored successfully from server mymaster

./nbcertcmd -getCertificate
Host certificate and certificate revocation list already exist for master server [mymaster]

./nbcertcmd -listCertDetails
Master Server : mymaster
Host ID : e3b3b597-5212-4134-8a41-28503477b683
Issued By : /CN=broker/OU=root@mymaster/O=vx
Serial Number : 0x45ae62300000008f
Expiry Date : nov. 20 10:44:25 2019 GMT
SHA1 Fingerprint : F7:D3:EA:75:D5:1E:00:CE:C6:2A:1B:CD:F8:74:95:47:67:D4:9A:3A

Operation completed successfully.

I don't know where I can find any solution to resolve this error. I've certainly forgot any configuration. Can you help me ?

davidmoline · ‎01-15-2020

Assuming that last nbcertcmd output was run on the client itself - the problem appears to be that the client certificate has expired (the expiry date is Nov 2019).
Try running the nbcertcmd -getCertificate again on the client using the -force option to overwrite the existing certificate (i.e. nbcertcmd -getCertificate -force).

Depending on the security mode you are running on the master, you may also need to provide a reissue token.

Cheers

AntBar · ‎01-16-2020

Thanks a lot !

What I have done :

./nbcertcmd -getcertificate -force
nbcertcmd: The -getCertificate operation failed for server mymaster
EXIT STATUS 5940: Reissue token is mandatory, please provide a reissue token.

I've reissue token from master

./nbcertcmd -getcertificate -token newtoken -force
Host certificate and certificate revocation list received successfully from server mymaster
./nbcertcmd -listcertdetails
Master Server : mymaster
Host ID : e3b3b597-5212-4134-8a41-28503477b683
Issued By : /CN=broker/OU=root@mymaster/O=vx
Serial Number : 0x4b881d6900000144
Expiry Date : janv. 15 09:02:18 2021 GMT
SHA1 Fingerprint : A4:78:8D:60:E7:07:B2:60:7D:7E:CB:6C:38:DF:5E:64:19:04:1F:DB

What's the recommended method to obtain list of client with expiration certifate shortly (in CLI) ?

Krutons · ‎01-16-2020

nbcertcmd -listAllDomainCertificates

You'd have to parse that to get the info you want.

davidmoline · ‎01-16-2020

In general this is not necessary as the certificates are automatically renewed about 6 months out from expiry. There must have been a reasson why your one did not.

If you are concerned look in the Certificate Management section of the admin console to examine the expiry dates for your hosts. [Edit] Missed the CLI request - what @Krutons said. You will need to perform a web login first (if you try it will tell you). So something like this:

C:\> bpnbat -login -logintype WEB
Authentication Broker: nbumaster
Authentication port [0 is default]:
Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd, ldap): WINDOWS
Domain: EXAMPLE.COM
Login Name: administrator
Password: *********
Operation completed successfully.

VOX

bptestbpcd A SSL socket connect failed:7625