topic Re: R80.10 - ICA renewed - mcc replace failed in General Topics

R80.10 - ICA renewed - mcc replace failed

Gero_Stolle — Fri, 25 Nov 2022 11:53:03 GMT

Hello Mates,
I plan to upgrade a R80.10 standalone system, so I update first to the last Jumbo.
but in between the ICA was outdated and no access to the Smartconsole was possible
so I did the ICA renew by following sk158096 and using the ICA_renewal_V7.sh not yet realizing that this script may be not valid for R80.10.
I got following error in the last step when MCC replace should exchange the ICA to the database:

Expert@fred:0]# ./ICA_renewal_V7.sh
Please note that sk158096 exists with all relevant information regarding this process.
It is recommended to take a snapshot before running this procedure.
This script makes critical changes.
Are you still want to renew the internal CA (y/n)? y

About to ask the Internal CA to sign again its own certificate.

Re-signing the Internal CA certificate finished successfully.

The new certificate is saved to file 'new_ica.cer'.

Note that the new certificate is not loaded into the objects database.
Use the following command to replace the ICA certificate in the objects database:
mcc replace internal_ca new_ica.cer

MCC: [ERROR] Failed to login.
MCC: CA objects not loaded.
MCC: Could not find CA internal_ca.
ICA certificate replacement in MGMT database failed. Exiting...

so I tried again
[Expert@fred:0]# mcc replace internal_ca new_ica.cer
MCC: [ERROR] Failed to login.
MCC: CA objects not loaded.
MCC: Could not find CA internal_ca.
[Expert@fred:0]#

but the log ist successful and the certs are there
[Expert@fred:0]# mcc lca
MCC: [ERROR] Failed to login.
MCC: CA Objects not loaded

echo $(pwd)/InternalCA.p12
/home/admin/InternalCA.p12

sicRenew -d
was successful too, so I have valid cert's now, only not able to add them to the database
checked by
cpopenssl pkcs12 -in $FWDIR/conf/InternalCA.p12 -nokeys -nomacver -passin pass: 2>/dev/null | cpopenssl x509 -noout -enddate
and
cpca_client lscert -stat Valid -kind SIC

I already asked my customer if the Admin Account which was used to established the system was deleted and substituted with a new account.
May be this could be the reason ?
- any ideas for fixing this ?

I would appreciate any input

Thanks in Advance

Gero

Re: R80.10 - ICA renewed - mcc replace failed

PhoneBoy — Fri, 25 Nov 2022 20:50:59 GMT

The ICA should have no connection to admin users.
There may be some additional corruption here and recommend engaging with the TAC.
Yes, R80.10 is End of Support, but since your goal is to complete an upgrade, you should be able to get assistance.

Re: R80.10 - ICA renewed - mcc replace failed

the_rock — Sat, 26 Nov 2022 13:57:22 GMT

I read your post very carefully and I have to agree with @PhoneBoy . It seems that something got corrupted and might be worth to check with support. Not sure if there is an easy way to fix this, but maybe debug would prove that.

Re: R80.10 - ICA renewed - mcc replace failed

Gero_Stolle — Mon, 28 Nov 2022 09:02:00 GMT

Thanks for Reply and hints, we plan to virtualize the system, going back in date and time, so that we have the old system before ICA timed out and then do the upgrade again and the ica renewal. That should work. TAC case is open, awaiting their ideas.
best regards
Gero

Re: R80.10 - ICA renewed - mcc replace failed

PhoneBoy — Mon, 28 Nov 2022 14:45:46 GMT

That might be your best bet for resolving this issue, actually (backdating the system or a clone of it and renew the ICA before it expires).