Commodore

Expired certificate on port 29120

We're seeing errors like the following in /opt/netiq/npum/logs/unifid.log:

Mon Dec 14 12:53:02 2020, 332, 2857514752, 2026, Warning, Peer certificate [CN = <FM hostname>] has expired: Wed Dec 09 09:09:49 2020
Mon Dec 14 12:53:02 2020, 333, 2857514752, 2026, Error, Peer verification error for <FM hostname>(<FM IP>) accessing regclnt.svcInfo unable to get issuer certificate

If I look at the certificate on port 29120 of this host, the Framework Manager console, I see it has expired. This is not the certificate we installed on the Framework Manager console for https traffic but one that seems to be used for internal communication between agents. What happens when this certificate expires? How do we generate a new certificate?

Looks like this is preventing us from looking at the Credential Vault and info on agents in Console->Hosts.

Commodore

I restarted the PAM daemon on the FM console server with /etc/init.d/npum but the cert wasn't recreated. I then rebooted the server a few hours later and the cert was rebuilt. Should the restart of the daemon have fixed the cert issue?

Micro Focus Expert

Is this a Manager or Agent server? If a Manager, is this the Primary or a Backup Manager?
Peer certificates should auto-renew with other manager servers when they become expired. Usually when this does not occur and there is a peer certificate that has been expired for some time, it suggests there is some network communication problem with the manager it is scheduled to renew its certificate with. You would likely see "Failed to connect" messages in the unifid.log as well, which will help pinpoint which server(s) it needs to send requests to.
One way to force this would be to re-register the host with the manager to which it was previously registered, using the same host details such as name, ip/dns, etc. (this should be prefilled as a default when trying the register command again on the server).
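The following is an added triage script, not code from the thread or from the NetIQ PAM product. It parses unifid.log lines in the comma-separated layout shown in the question (timestamp, sequence, thread, code, level, message), collects every "Peer certificate ... has expired" warning per host together with how long the certificate had already been expired when the warning was written, and counts the "Failed to connect" messages the expert says point at the manager the host cannot reach. The sample log lines, hostnames and IP addresses are constructed; the page only quotes the phrase "Failed to connect", so the host(ip):port shape of that message is an assumption.

```python
"""Triage helper for PAM unifid.log peer-certificate warnings.

Added example, not part of the original thread or of the NetIQ PAM product.
Hostnames, IPs and the exact "Failed to connect" message layout are constructed.
"""
import re
from datetime import datetime

# Timestamp format used at the start of each unifid.log line quoted on the page.
LOG_TS = "%a %b %d %H:%M:%S %Y"

# Constructed sample lines in the page's format; hosts and IPs are placeholders.
SAMPLE_LOG = """\
Mon Dec 14 12:53:02 2020, 332, 2857514752, 2026, Warning, Peer certificate [CN = fm01.example.test] has expired: Wed Dec 09 09:09:49 2020
Mon Dec 14 12:53:02 2020, 333, 2857514752, 2026, Error, Peer verification error for fm01.example.test(192.0.2.10) accessing regclnt.svcInfo unable to get issuer certificate
Mon Dec 14 12:55:17 2020, 340, 2857514752, 2026, Error, Failed to connect to fm02.example.test(192.0.2.11):29120
Mon Dec 14 12:58:40 2020, 351, 2857514752, 2026, Warning, Peer certificate [CN = agent07.example.test] has expired: Sun Dec 13 01:00:00 2020
"""

# Message shape taken from the warning quoted in the question.
EXPIRED_RE = re.compile(r"Peer certificate \[CN = (?P<cn>[^\]]+)\] has expired: (?P<when>.+)$")
# Assumed shape of the "Failed to connect" message the expert mentions; only the
# phrase itself appears on the page, the host(ip):port layout is a guess.
FAILED_RE = re.compile(r"Failed to connect to (?P<host>[^\s(:]+)")


def parse_line(line):
    """Split one log line into (timestamp, level, message); None if malformed."""
    parts = line.split(", ", 5)
    if len(parts) != 6:
        return None
    try:
        ts = datetime.strptime(parts[0], LOG_TS)
    except ValueError:
        return None
    return ts, parts[4], parts[5].strip()


def triage(log_text):
    """Return {host: {"expired_days": float or None, "connect_failures": int}}."""
    report = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _level, msg = parsed
        m = EXPIRED_RE.search(msg)
        if m:
            not_after = datetime.strptime(m.group("when"), LOG_TS)
            entry = report.setdefault(m.group("cn"), {"expired_days": None, "connect_failures": 0})
            # Days between the certificate's expiry and the moment the warning was logged.
            entry["expired_days"] = round((ts - not_after).total_seconds() / 86400, 2)
            continue
        m = FAILED_RE.search(msg)
        if m:
            entry = report.setdefault(m.group("host"), {"expired_days": None, "connect_failures": 0})
            entry["connect_failures"] += 1
    return report


def stale_hosts(report, min_days=1.0):
    """Hosts whose peer certificate has been expired for at least min_days.

    Per the expert's reply, auto-renewal normally happens at expiry, so a
    certificate expired this long points at a connectivity problem to the
    manager that should have renewed it.
    """
    return sorted(h for h, e in report.items()
                  if e["expired_days"] is not None and e["expired_days"] >= min_days)


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for host, e in sorted(rep.items()):
        print(f"{host}: expired {e['expired_days']} days ago, "
              f"{e['connect_failures']} connect failure(s)")
    print("hosts to check for manager connectivity:", stale_hosts(rep))
```

Run it against the real file with `triage(open("/opt/netiq/npum/logs/unifid.log").read())`; hosts that show both a long-expired certificate and connect failures are the ones to verify network reachability to (and, if needed, re-register with) their manager, as described in the reply above.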