
nbemmcmd -getCAcertificate fails with STATUS 8507: The certificate could not be verified.

oolmedo

Hello,

I am installing a new Linux client, version 8.1.1. We get the error when running getCAcertificate; we have verified that name resolution between client and master is OK.

bptestbpcd gives us the following error:

bptestbpcd -client lvwgdmtstapp2 -verbose
<16>bptestbpcd main: Function ConnectToBPCD(lvwgdmtstapp2) failed: 7658
<16>bptestbpcd main: Connection cannot be established because the host validation cannot be performed on the target host
Connection cannot be established because the host validation cannot be performed on the target host

 

Thanks for your help, any advice is welcome.

Best regards

Marianne

Is port 1556 open between client and master?
Is Linux firewall (iptables) running on the client?

Try to telnet on port 1556 in both directions to test. 

Hello Marianne,

I forgot to say that PBX is running and port 1556 is reachable by the master. The firewall is disabled on the client.

Thanks for your reply

Oolmedo

Also, yes, port 1556 in both directions.

Thanks

Hamza_H

Which command do you use?
nbcertcmd -getcacertificate -force?
nbcertcmd -getcertificate -force -token xxxxxx?

osvaldo_olmedo

Hello,

I have used: nbcertcmd -getCAcertificate -server servername

Thanks and best regards

Hamza_H

Try this on the client and the master:

bpclntcmd -clear_host_cache

and then this on the client:

nbcertcmd -getcacertificate -force

nbcertcmd -getcertificate -force -token (generate a new token from the master)

and put the output here.

Also, a snippet of the nbcert log at high verbosity would be helpful.

Good luck.

BR

osvaldo_olmedo

Hi,

The -force option seems not to be available.

nbcertcmd -getCAcertificate -help
Usage: nbcertcmd -getCACertificate
[-file <fingerprint_file_name>]
[-cluster]
[-server <master_server_name>]

Description:
Connects to the master server and gets the certificate of the Certificate
Authority (CA). It then displays the fingerprint of the certificate and adds
it to the local trust store after confirmation from the user.

Options:
-cluster
Performs the operation on the global certificate store.
-file fingerprint_file_name
Specifies the path of the file containing the CA certificate fingerprint.
-server master_server_name
Specifies an alternate master server. By default, this command uses the
first server entry in the NetBackup configuration.

Thanks and best regards

Hamza_H

Hi,

My bad, for the first command "nbcertcmd -getCacertificate" only,

the -force is for the second command "nbcertcmd -getcertificate -force".

Are you able to ping the master's name?

Are you able to telnet to port 1556 on the master?

If yes, verify the SERVER entry in NetBackup's config: in the client's registry if it's Windows, or in bp.conf if it's Linux/UNIX.

When all these are good, rerun the commands and provide the nbcert log (high verbosity).

NB: please note the FQDN & short name of both clients & masters (client's name on the master & master's name on the client).

Good luck,

osvaldo_olmedo

Hello:

Are you able to ping the master's name? Yes, no problem

Are you able to telnet to port 1556 on the master? Yes, no problem

If yes, verify the SERVER entry in NetBackup's config: in the client's registry if it's Windows, or in bp.conf if it's Linux/UNIX. - Yes, the master server is the first SERVER line in bp.conf

From nbcert.log we see the following error:

NBClientCURL::performCurlOperation: Failed to perform operation: Peer certificate cannot be authenticated with given CA certificates

Thanks and best regards

Hamza_H

Is this a new, fresh installation? Did you use to have a client with the same name?
Are you able to resolve both the client's name & IP from the master server? And from the master too?
Does the client's bp.conf have the master stated with the short name or the FQDN?

Please, we need the whole nbcertcmd log to verify where it gets stuck.
Also, before doing another test, add this entry to the master's bp.conf (if it is Linux/UNIX):
ENABLE_NBCURL_VERBOSE=1 (you can disable it after the test by changing it to =0)
If it's Windows, add the same key in the registry path key... (you can google it)
One more thing, could you please post the output of these commands from the client:
bpclntcmd -pn
bpclntcmd -hn <NAME_MASTER>
bpclntcmd -ip <IP_MASTER>
Good luck