Gero_Stolle
Participant

R80.10 - ICA renewed - mcc replace failed

Hello Mates,
I plan to upgrade an R80.10 standalone system, so I first updated to the last Jumbo.
But in between the ICA was outdated and no access to the SmartConsole was possible,
so I did the ICA renewal by following sk158096 and using the ICA_renewal_V7.sh, not yet realizing that this script may not be valid for R80.10.
I got the following error in the last step, when mcc replace should exchange the ICA to the database:

[Expert@fred:0]# ./ICA_renewal_V7.sh
Please note that sk158096 exists with all relevant information regarding this process.
It is recommended to take a snapshot before running this procedure.
This script makes critical changes.
Are you still want to renew the internal CA (y/n)? y

About to ask the Internal CA to sign again its own certificate.

Re-signing the Internal CA certificate finished successfully.

The new certificate is saved to file 'new_ica.cer'.

Note that the new certificate is not loaded into the objects database.
Use the following command to replace the ICA certificate in the objects database:
mcc replace internal_ca new_ica.cer

MCC: [ERROR] Failed to login.
MCC: CA objects not loaded.
MCC: Could not find CA internal_ca.
ICA certificate replacement in MGMT database failed. Exiting...

So I tried again:
[Expert@fred:0]# mcc replace internal_ca new_ica.cer
MCC: [ERROR] Failed to login.
MCC: CA objects not loaded.
MCC: Could not find CA internal_ca.
[Expert@fred:0]#

But the log is successful and the certs are there:
[Expert@fred:0]# mcc lca
MCC: [ERROR] Failed to login.
MCC: CA Objects not loaded

echo $(pwd)/InternalCA.p12
/home/admin/InternalCA.p12

sicRenew -d
was successful too, so I have valid certs now, only not able to add them to the database,
checked by
cpopenssl pkcs12 -in $FWDIR/conf/InternalCA.p12 -nokeys -nomacver -passin pass: 2>/dev/null | cpopenssl x509 -noout -enddate
and
cpca_client lscert -stat Valid -kind SIC

I already asked my customer if the Admin Account which was used to establish the system was deleted and substituted with a new account.
Maybe this could be the reason?
Any ideas for fixing this?

I would appreciate any input.

Thanks in Advance

Gero

0 Kudos
4 Replies
PhoneBoy
Admin

The ICA should have no connection to admin users.
There may be some additional corruption here and I recommend engaging with the TAC.
Yes, R80.10 is End of Support, but since your goal is to complete an upgrade, you should be able to get assistance.

the_rock
Legend

I read your post very carefully and I have to agree with @PhoneBoy. It seems that something got corrupted and it might be worth checking with support. Not sure if there is an easy way to fix this, but maybe a debug would prove that.

0 Kudos
Gero_Stolle
Participant

Thanks for the reply and hints. We plan to virtualize the system, going back in date and time, so that we have the old system before the ICA timed out, and then do the upgrade again and the ICA renewal. That should work. A TAC case is open, awaiting their ideas.
Best regards
Gero

0 Kudos
PhoneBoy
Admin

That might be your best bet for resolving this issue, actually (backdating the system or a clone of it and renewing the ICA before it expires).
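
An added example, not part of the thread and not Check Point's own tooling: a small check that turns the `notAfter=` line from the `cpopenssl ... -enddate` command quoted in the first post into an early warning, so the ICA can be renewed before it expires. The function name `ica_status`, the 90-day threshold and the sample line are assumptions made for illustration, and GNU `date` is assumed for the `-d` option.

```shell
#!/bin/bash
# Added example (not from the thread): classify the ICA certificate's remaining
# lifetime from the "notAfter=" line printed by the -enddate check in the post.
# Assumptions: GNU date (-d); function name and thresholds are hypothetical.

# ica_status "<notAfter line>" <now_epoch> <warn_days>
# Prints "OK <days>", "WARN <days>", "EXPIRED <days since expiry>" or "UNKNOWN".
ica_status() {
    ica_line=$1
    ica_now=$2
    ica_warn=$3
    case $ica_line in
        notAfter=?*) ica_end=${ica_line#notAfter=} ;;
        *) echo "UNKNOWN"; return 0 ;;   # empty output or an error message
    esac
    # Convert the certificate end date to epoch seconds (UTC).
    ica_epoch=$(date -u -d "$ica_end" +%s 2>/dev/null) || { echo "UNKNOWN"; return 0; }
    ica_secs=$(( ica_epoch - ica_now ))
    if [ "$ica_secs" -le 0 ]; then
        echo "EXPIRED $(( -ica_secs / 86400 ))"
    elif [ "$ica_secs" -lt $(( ica_warn * 86400 )) ]; then
        echo "WARN $(( ica_secs / 86400 ))"
    else
        echo "OK $(( ica_secs / 86400 ))"
    fi
}

# Live check only where the Check Point tools exist; otherwise a constructed line.
if command -v cpopenssl >/dev/null 2>&1 && [ -n "${FWDIR:-}" ]; then
    line=$(cpopenssl pkcs12 -in "$FWDIR/conf/InternalCA.p12" -nokeys -nomacver \
           -passin pass: 2>/dev/null | cpopenssl x509 -noout -enddate)
else
    line="notAfter=Jan  1 00:00:00 2030 GMT"   # constructed sample value
fi
ica_status "$line" "$(date -u +%s)" 90
```

Run from cron on the management server, a `WARN` or `EXPIRED` result is the cue to schedule the renewal while SmartConsole login still works.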