slbgbeh Valued Contributor.
Valued Contributor.
1882 views

SSL certificate verification error (The presented peer certificate has expired.)

Certificate is granted from management server to agent. But I keep getting  SSL certificate verification error (The presented peer certificate has expired.) Both date and time in agent and management server are sync.

# /opt/OV/bin/ovc
(ctrl-21) Communication error when executing 'Status' method.
 (sec.core-113) SSL certificate verification error (The presented peer certificate has expired.).

# /opt/OV/bin/ovcert -check
OvCoreId set                       : OK
Private key installed              : OK
Certificate installed              : OK
Certificate valid                  : FAILED
Trusted certificates installed     : OK
Trusted certificates valid         : OK

Tags (1)
0 Likes
10 Replies
slbgbeh Valued Contributor.
Valued Contributor.

Re: SSL certificate verification error (The presented peer certificate has expired.)

# /opt/OV/bin/ovcert -list

+---------------------------------------------------------+
| Keystore Content                                        |
+---------------------------------------------------------+
| Certificates:                                           |
|     2bbc59a6-ba40-759e-0ca1-cd44c4368d1f (*)            |
+---------------------------------------------------------+
| Trusted Certificates:                                   |
|     CA_ca8930ce-3635-7536-126f-f56a1c7abf01             |
|     CA_e86c2fb2-644b-755e-14e9-bc90aaa8abb8             |
|     CA_e86c2fb2-644b-755e-14e9-bc90aaa8abb8_2048        |
+---------------------------------------------------------+

0 Likes
Gediminas Daniu Outstanding Contributor.
Outstanding Contributor.

Re: SSL certificate verification error (The presented peer certificate has expired.)

Hi,

is time correctly set on  OML or OMA node?  What is is "Valid to"  time in the output of
ovcert -certinfo  <dertificate>

my 2 cents,
Gedas

 

0 Likes
slbgbeh Valued Contributor.
Valued Contributor.

Re: SSL certificate verification error (The presented peer certificate has expired.)

I have checked all the "Valid to" date and all are not expired. I have tried to change the coreid and request for a new cert. The new cert are granted and installed but still getting the same error.

0 Likes
Gediminas Daniu Outstanding Contributor.
Outstanding Contributor.

Re: SSL certificate verification error (The presented peer certificate has expired.)

Then it should be  agent's or server's OS date/time issue.

regards,
Gedas

 

0 Likes
slbgbeh Valued Contributor.
Valued Contributor.

Re: SSL certificate verification error (The presented peer certificate has expired.)

I checked the sysdate and OS time (sync to NTP). I don't see any issues.

[eaagt.sysdata]
<snip ...>
timestamp=Thu Apr 19 09:58:52 2018

 

 

0 Likes
Gediminas Daniu Outstanding Contributor.
Outstanding Contributor.

Re: SSL certificate verification error (The presented peer certificate has expired.)

What is your agent version and platform? Are you runing OMi or OML ? If you are runing old OML 9 and OMA12, then have a look to https://community.softwaregrp.com/t5/Systems-Management-OpenView-OP/SSL-certificate-verification-error-The-presented-peer/td-p/1634864

regards

Gedas

0 Likes
slbgbeh Valued Contributor.
Valued Contributor.

Re: SSL certificate verification error (The presented peer certificate has expired.)

# opcsv -version
@(#)HP Operations Manager 09.21.130 ITOSOL_00819 (03/31/16)
#
#  what libOvSecCm.so
libOvSecCm.so:
        BegWS    :1.0
        CR       :(c) Copyright 2000-2013 Hewlett-Packard Development Company, L.P.
        Name     :HP Software Certificate Management
        Ver      :11.13.007
        FileN    :libOvSecCm.so
        FileV    :11.13.007
        Rtype    :Released
        CBID     :2013-10-01_2300
        OS       :Solaris
        OSV      :8 9 10
        Arch     :SPARC
        Bits     :32
        Desc     :Certificate Management Library
        Build    :0000
        BuildOS  :SunOS 5.8
        Compiler :CC: Sun C++ 5.8 Patch 121017-20 2009/04/22
        EndWS    :

0 Likes
EvoRedaSky Trusted Contributor.
Trusted Contributor.

Re: SSL certificate verification error (The presented peer certificate has expired.)

Hi,

If your Management Server is an Operation Manager under version 9.2x (OM)  with Operations Agent 12.00.xx installed on, you can try the following solution. (It works for me)

Before providing the solution, lets me describe the problem :

Cause :

The problem is with L-core agent component which allows management server to manage certificates requests (generate, deny....), this library is libOvSecCm.so. It's build based on openssl.

For my case i have Operations Manager 9.2 installed on an HP-UX 11.31, the file location is below : /opt/OV/lib/hpux32/libOvSecCm.so

Try to see the content of the file by running what command :

*****************************************************************************************************************************

#what /opt/OV/lib/hpux32/libOvSecCm.so
/opt/OV/lib/hpux32/libOvSecCm.so:
BegWS :1.0
CR :(c) Copyright 2000-2012 Hewlett-Packard Development Company, L.P.
Name :HP Software Certificate Management
Ver :11.02.240
FileN :libOvSecCm.so
FileV :11.02.240
Rtype :Released
CBID :20120307_0657
OS :HP-UX
OSV :11.23 11.31
Arch :IPF32
Bits :32
Desc :Certificate Management Library
Build :0000
BuildOS :HP-UX B.11.23
Compiler :aCC: HP aC++/ANSI C B3910B A.06.05 [Jul 25 2005]
EndWS :

***********************************************************************************************************************************************

As seen the version of the library is 11.02.

Solution :

This issue have been fixed on the Operations Agent version 12.05.

So you need to update the Operations Agent on the management Server to the 12.05.

Step 1 : Update OA on Management Server :

Make a backup of you Management Server (Database and FS)

Stop all ovc services : #ovc -  stop; #ovc -kill

mount the iso file of the OA 12.05 (-Do a checksum when the file is uploaded to the server, it's very recommanded )

Start all ovc services : #ovc -start

Check the OA version on the OM : # opcagt -version (it should be 12.05)

Now the agens have been updated.

Step 2 : Check the new library (It should be like this) :

/opt/OV/lib/hpux32/libOvSecCm.so:
BegWS :1.0
CR :(c) Copyright 2000-2017 Hewlett-Packard Enterprise Development Company, L.P.
Name :HPE Software Certificate Management
Ver :12.05.006
FileN :libOvSecCm.so
FileV :12.05.006
Rtype :Released
CBID :2017-11-16_1500
OS :HP-UX
OSV :11.23 11.31
Arch :IPF32
Bits :32
Desc :Certificate Management Library
Build :0000
BuildOS :HP-UX B.11.23
Compiler :aCC: HP C/aC++ B3910B A.06.25 [Nov 30 2009]
EndWS :

Step 3 : Remove the old certificate on the problematic node and request new certificates :

On the problematic Node :

#ovcert -list; Take a note of all certificates aliases shown

#ovcert -remove; remove all certificates

#ovcert -list; ensure that the keystore content is blank

#opcagt -stop

#opcagt -cleanstart

On the OM side :

#ovcm -listpending -l ( to see the list of pending certificates)

#ovcm -grant <request-id>, where <request-id> is the id of the requests generated by the problematic node.

That all !

I hope it will solves your issue, please mark as solution accepted if this is the case.

Good Luck !

 
 
0 Likes
Highlighted
Micro Focus Expert
Micro Focus Expert

Re: SSL certificate verification error (The presented peer certificate has expired.)

Hello,

I think the problem is related to certificate server being 32 bit and date range.

With 32 bit date, the max date is January 2038. Agent certificates are created with 20 year validity and thus if you create a certificate now, it will have an invalid expiration date.

This affects OMU servers on Solaris and HP-UX. OM Linux was 64 bit from the get go and is not affected.

Possible workarounds:
- If you have a MoM environment with OML or OMi servers, you can create certificate on one of those.
- Temporarily set date back when creating certificates.
- Have date of one of your OMU servers (e.g. Dev server) set back to 2017 and create certificates there.

 

Best regards,
Tobias

0 Likes
Micro Focus Expert
Micro Focus Expert

Re: SSL certificate verification error (The presented peer certificate has expired.)

Hello,

There is a CR for this: QCCR8D100844

https://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/QCCR8D100844

Please open a support case if you need a hotfix.

Best regards,
Tobias

 

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.