
Expired certificate on port 29120

We're seeing errors like the following in /opt/netiq/npum/logs/unifid.log:

Mon Dec 14 12:53:02 2020, 332, 2857514752, 2026, Warning, Peer certificate [CN = <FM hostname>] has expired: Wed Dec 09 09:09:49 2020
Mon Dec 14 12:53:02 2020, 333, 2857514752, 2026, Error, Peer verification error for <FM hostname>(<FM IP>) accessing regclnt.svcInfo unable to get issuer certificate

If I look at the certificate on port 29120 of this host, the Framework Manager console, I see it expired. This is not the certificate we installed on the Framework Manager console for https traffic but one that seems to be used for internal communication between agents. What happens when this certificate expires? How do we generate a new certificate?

Looks like this is preventing us from looking at the Credential Vault and info on agents in Console->Hosts.


    I restarted the PAM daemon on the FM console server with /etc/init.d/npum but the cert wasn't recreated. I then rebooted the server a few hours later and the cert was rebuilt. Should the restart of the daemon have fixed the cert issue?

    Is this a Manager or Agent server? If a Manager, is this the Primary or a Backup Manager?
    Peer certificates should auto-renew with other manager servers when they become expired. Usually when this does not occur and there is a peer certificate that has been expired for some time, it suggests there is some network communication problem with the manager it is scheduled to renew its certificate with. You would likely see "Failed to connect" messages in the unifid.log as well, which will help pinpoint which server(s) it needs to send requests to.
    One way to force this would be to re-register the host with the manager to which it was previously registered, using the same host details such as name, ip/dns, etc. (this should be prefilled as a default when trying the register command again on the server).
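A log check for this failure mode plus a pre-expiry probe of the certificate on port 29120, as an added example that is not from this thread or from the product. The unifid.log field layout is inferred from the two lines quoted above; the "Failed to connect" sample wording and the host names are constructed, and the live probe assumes the third-party cryptography package.

```python
import re
import socket
import ssl
from datetime import datetime, timezone

# unifid.log field layout inferred from the two lines quoted in the thread (assumption):
# timestamp, sequence, thread id, code, level, message
LINE_RE = re.compile(r"^(?P<ts>[^,]+), \d+, \d+, \d+, (?P<level>\w+), (?P<msg>.*)$")
EXPIRED_RE = re.compile(r"Peer certificate \[CN = (?P<cn>[^\]]+)\] has expired: (?P<when>.+)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"

def parse_unifid_log(lines):
    """Pull expired-peer-certificate warnings and 'Failed to connect' errors out of unifid.log."""
    expired, conn_failures = [], []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate unrelated or continuation lines
        e = EXPIRED_RE.search(m.group("msg"))
        if e:
            expired.append({"cn": e.group("cn"),
                            "expired_on": datetime.strptime(e.group("when"), TS_FMT),
                            "seen": datetime.strptime(m.group("ts"), TS_FMT)})
        elif "Failed to connect" in m.group("msg"):
            conn_failures.append(m.group("msg"))
    return expired, conn_failures

def days_overdue(event):
    """Days a peer has kept running on an expired cert; a large value points at the renewal
    communication problem described in the thread rather than a short clock skew."""
    return (event["seen"] - event["expired_on"]).days

def peer_cert_days_remaining(host, port=29120, timeout=5):
    """Fetch the cert on the PAM peer port and return days until notAfter. Verification is
    disabled on purpose: the internal peer cert is not issued by a CA this client trusts.
    DER decoding uses the third-party 'cryptography' package (assumption)."""
    from cryptography import x509
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    return (not_after - datetime.now(timezone.utc)).days

# Constructed sample lines (not real log data) mirroring the format quoted above.
SAMPLE_LOG = [
    "Mon Dec 14 12:53:02 2020, 332, 2857514752, 2026, Warning, Peer certificate [CN = fm01.example] has expired: Wed Dec 09 09:09:49 2020",
    "Mon Dec 14 12:53:02 2020, 333, 2857514752, 2026, Error, Peer verification error for fm01.example(192.0.2.10) accessing regclnt.svcInfo unable to get issuer certificate",
    "Mon Dec 14 12:53:05 2020, 334, 2857514752, 2026, Error, Failed to connect to fm02.example(192.0.2.11)",
]
```

Run `parse_unifid_log` over the real file to see how long the peer cert has been expired and which manager the host cannot reach; run `peer_cert_days_remaining` from a monitoring job to catch the next expiry before agents lose access to the vault and host views.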