预装 4.2 image 的 APIC-SERVER-L3 以及 APIC-SERVER-M3,可能遇到证书不好用的问题

APIC-SERVER-L3 / M3 可能遇到的问题

APIC 无法完成 fabric discovery,leaf register 之后的状态可能一直卡在 inactive;

从 APIC UI 界面查看以下路径,会发现 SSL Certificate 显示为 na, 正常应该显示为 yes

System - Controllers - Controllers - APIC - Cluster as Seen by Nodes

LAB 截图:

参考文档

F3031 - Node Certificate is invalid: Failed to parse the subject line on new APIC-SERVER-L3 and M3

Symptom:
A new APIC-L3 or M3 server will not be able to complete fabric discovery. LLDP, "acidiag verifyapic," and other general checks will not exhibit a problem.

When you check the appliancedirector logs of a Cisco APIC within the cluster to which you are trying to add the affected controller, there will be messages indicating that the rejection is happening due to being unable to parse the certificate subject.

/var/log/dme/log/svc_ifc_appliancedirector.bin.log

|ifm||DBG4||co=ifm||listen fd = 16; accept()ed on fd= 52, incoming connection established from 1.2.3.4:12345||../common/src/ifm/./ServerEventHandler.cc||49
|crypto||DBG4||co=ifm||Peer Certificate Subject was also Cisco Manufacturing||../common/src/ifm/./PeerVerificationUtils.cc||506
|crypto||DBG4||co=ifm||Peer Certificate Subject was also Cisco Manufacturing||../common/src/ifm/./PeerVerificationUtils.cc||506

|crypto||ERROR||co=ifm||Failed to parse subject from peer SSL certificate (/CN=ASD1234567/serialNumber=PID:APIC-SERVER-L3 SN:ASD1234567)||../common/src/ifm/./PeerVerificationUtils.cc||287
|crypto||ERROR||co=ifm||Peer Certificate Subject is not in the expected format - REJECTING IFM SSL PEER CONNECTION||../common/src/ifm/./PeerVerificationUtils.cc||526

|ifm||DBG4||co=ifm||incoming SSL connection successfully established||../common/src/ifm/./Connection.cc||1234
|ifm||DBG4||fr=ifc_appliancedirector:2:5:17:0,co=ifm||HELLO request systemType : 2 and systemType from SSL handshake : 0 does not match.||../common/src/ifm/./Protocol.cc||948
|ifm||DBG4||fr=ifc_appliancedirector:2:5:17:0,co=ifm||received peer-verification-failed HELLO from peer, msgid 0x58949cf85000||../common/src/ifm/./Protocol.cc||971

Conditions:
This issue occurs with a new APIC-L3 or M3 server connected to leaf nodes in a correct fashion, but with an incorrect certificate installed by manufacturing.

Workaround:
Contact TAC to install a new certificate.

解决方法

需要为受影响的 APIC 生成新的证书,建议开 Cisco support TAC case,联系 TAC 来生成、安装新证书。