HiveAgent ServerCertificateInfo................ Peer certificate cannot be authenticated with given CA certificates

A new SR2208 will not connect to HMNG; I get the following error when running "show hivemanager status". I opened a ticket but figured I would reach out to you guys to see if anyone has seen this before. It's very frustrating, as the APs came online right away but the switch won't connect.

HiveAgent Version.............................. 0.2.57
HiveAgent Status............................... CONTACTING REDIRECTOR
HiveAgent AssociationUrl....................... -
HiveAgent AssociationMethod.................... REDIRECTOR
HiveAgent PollUrl.............................. -
HiveAgent RedirectorFQDN....................... cloud-rd.aerohive.com
HiveAgent ServerCertificateInfo................ Peer certificate cannot be authenticated with given CA certificates
Rob Burgoyne, posted 2 years ago

Roberto Minotti (Employee):
Hi Rob,

In this case the switch cannot establish an encrypted connection because of a timestamp mismatch.
In order to have an encrypted connection with the HiveManager, every switch must have the correct date, so you have to enable SNTP. Check whether a firewall is blocking NTP, whether DNS is able to resolve the FQDN of your NTP server, and whether your DHCP server is providing the clock server.

Ciao
Roberto

Rob Burgoyne:
Roberto,

Thanks for the reply. I already had my DHCP configured to provide the correct NTP and DNS servers, and I verified that the time is correct and hostnames are resolving. I think this customer has a web proxy, but the APs came online without a problem, just not the SR2208P.

Roberto Minotti (Employee):
Rob, update your HiveAgent to the latest 0.2.78 release.

Rob Burgoyne:
How do you upgrade the HiveAgent? I manually upgraded code from 1.0.1.13 to 1.0.1.19 and that didn't resolve the issues. 

Roberto Minotti (Employee):
HiveAgent will update itself once the link to HiveManager is established (like the software version). If you cannot solve the connectivity issue, there is something else to check. A good starting point for any doubt is:

http://docs.aerohive.com/330000/docs/guides/Aerohive-Switch-Deployment-Essentials.pdf

Upgrading HiveAgent manually is not recommended if you don't know what you're doing. Call support in order to fix your problem easily.
Ciao

Wago Louage:
I'm having the same issues described as above, what did you do to fix it?

BJ (Champ):
If you have console access, try running "show hivemanager status", make sure you can ping the address, and check that the ports Roberto mentioned are not being blocked by a firewall.

Best,
BJ

Roberto Minotti (Employee):
Another way to upgrade the agent is via the HTTP management console (ip http server).
You need to download the .stk file from support (right now it is v1.0.1.20_20160713.stk) and go to

System > Firmware > Configuration and Upgrade

and upgrade it. You have to reboot the switch in order to activate the right slot partition.
Roberto

Carsten Buchenau (Champ):
I have a similar case, I am also getting the "Peer certificate cannot be authenticated with given CA certificates" message - BUT:

- When connecting to our NG-VM, not the Redirector
- Switch was connected once, upgraded its Hiveagent to 1.0.8.0, and since then it cannot connect anymore
- I verified DNS & NTP, all good
- I manually updated the Switch firmware from 1.0.1.13 to 1.0.1.20, no change

I checked the CLI and HTTPS interface and could not find a way to upload a CA certificate...

Does anyone have another idea?

PS: I have also opened a support ticket, waiting for an answer...


(AH-Switch) #show hivemanager status

HiveAgent Version.............................. 1.0.8.0
HiveAgent Status............................... CONNECTING TO HIVEMANAGER
HiveAgent AssociationUrl....................... https://<ngvm-fqdn>/hac-webapp/rest/v1/association
HiveAgent AssociationMethod.................... CLI
HiveAgent PollUrl.............................. -
HiveAgent HiveManagerResponse.................. CURL code [60], HTTP code [0], Curl string = [Peer certificate cannot be authenticated with given CA certificates]
HiveAgent ServerCertificateInfo................ Peer certificate cannot be authenticated with given CA certificates

Roberto Minotti (Employee):
What does "show logging buffered" say?

Chris B (Official Rep):
Hi Carsten

Is the clock timezone / date definitely set correctly?  Normally this message indicates an issue with time mismatch.

Chris

Carsten Buchenau (Champ):
Hi Roberto & Chris,

I had SNTP configured successfully; not sure why it now tells me that it is not... the time, however, is correct:

(AH-Switch) #show clock

09:41:40 (UTC+0:00) May 12 2017
No time source

(AH-Switch) #show sntp

Last Update Time: May 11 21:50:02 2017 (UTC+0:00)
Last Unicast Attempt Time: May 11 22:43:16 2017 (UTC+0:00)
Last Attempt Status: Server Kiss Of Death

Broadcast Count: 0

I am in GMT+2, and we have 09:41:40 - so that fits.

Here is the full result from "show logging buffered":

<13> May 12 09:35:36 10.255.222.17-1 TRAPMGR[trapTask]: traputil.c(721) 143096 %% Session 0 of type 1 started for user admin connected from EIA-232.
<13> May 12 09:34:16 10.255.222.17-1 TRAPMGR[dot1s_task]: traputil.c(763) 142978 %% Spanning Tree Topology Change Received: MSTID: 0 1/0/10
<13> May 12 09:34:14 10.255.222.17-1 TRAPMGR[dot1s_task]: traputil.c(763) 142977 %% Spanning Tree Topology Change Received: MSTID: 0 1/0/10
<13> May 12 09:34:12 10.255.222.17-1 TRAPMGR[dot1s_task]: traputil.c(763) 142953 %% Spanning Tree Topology Change Received: MSTID: 0 1/0/10
<13> May 12 09:34:10 10.255.222.17-1 TRAPMGR[dot1s_task]: traputil.c(763) 142952 %% Spanning Tree Topology Change Received: MSTID: 0 1/0/10
<13> May 11 22:43:16 10.255.222.17-1 SNTP[SNTP]: sntp_client.c(462) 65812 %% SNTP: Received KoD packet from 162.23.41.55 - Kiss Code = RATE
<13> May 11 15:14:51 10.255.222.17-1 TRAPMGR[trapTask]: traputil.c(721) 12647 %% Session 0 of type 1 ended for user admin connected from EIA-232.
<14> May 11 15:14:51 10.255.222.17-1 CLI_WEB[UtilTask]: login_sessions.c(179) 12646 %% Serial Session 0 ended for user admin connected from EIA-232
<14> May 11 15:08:10 10.255.222.17-1 General[procLOG]: procmgr.c(808) 11881 %% Application Started (hiveagent, ID = 13, PID = 1838
<13> May 11 15:08:10 10.255.222.17-1 General[procLOG]: procmgr.c(2444) 11880 %% Administrative Command:app-start hiveagent
<14> May 11 15:08:04 10.255.222.17-1 General[procLOG]: procmgr.c(3685) 11879 %% Application Terminated (hiveagent, ID = 13, PID = 2651
<13> May 11 15:08:04 10.255.222.17-1 General[procLOG]: procmgr.c(2455) 11875 %% Administrative Command:app-stop hiveagent
<13> May 11 15:07:24 10.255.222.17-1 TRAPMGR[trapTask]: traputil.c(721) 11782 %% Session 0 of type 1 started for user admin connected from EIA-232.
<13> May 11 15:04:34 10.255.222.17-1 TRAPMGR[trapTask]: traputil.c(721) 11464 %% Session 0 of type 1 ended for user admin connected from EIA-232.
<14> May 11 15:04:34 10.255.222.17-1 CLI_WEB[UtilTask]: login_sessions.c(179) 11463 %% Serial Session 0 ended for user admin connected from EIA-232
<13> May 11 14:58:10 10.255.222.17-1 TRAPMGR[trapTask]: traputil.c(721) 10744 %% Session 0 of type 1 started for user admin connected from EIA-232.
<13> May 11 14:04:46 10.255.222.17-1 TRAPMGR[trapTask]: traputil.c(721) 4354 %% Session 0 of type 1 ended for user admin connected from EIA-232.
<14> May 11 14:04:46 10.255.222.17-1 CLI_WEB[UtilTask]: login_sessions.c(179) 4353 %% Serial Session 0 ended for user admin connected from EIA-232
<13> May 11 13:58:45 10.255.222.17-1 TRAPMGR[trapTask]: traputil.c(721) 3635 %% Session 0 of type 1 started for user admin connected from EIA-232.
<13> May 11 13:50:42 10.255.222.17-1 TRAPMGR[trapTask]: traputil.c(721) 2712 %% Session 0 of type 1 ended for user admin connected from EIA-232.
<14> May 11 13:50:42 10.255.222.17-1 CLI_WEB[UtilTask]: login_sessions.c(179) 2711 %% Serial Session 0 ended for user admin connected from EIA-232
<13> May 11 13:45:32 10.255.222.17-1 TRAPMGR[trapTask]: traputil.c(721) 2112 %% Session 0 of type 1 started for user admin connected from EIA-232.
<13> May 11 13:42:09 10.255.222.17-1 TRAPMGR[trapTask]: traputil.c(721) 1674 %% Session 0 of type 1 ended for user admin connected from EIA-232.
<14> May 11 13:42:09 10.255.222.17-1 CLI_WEB[UtilTask]: login_sessions.c(179) 1673 %% Serial Session 0 ended for user admin connected from EIA-232
<13> Jan 1 00:02:48 10.255.222.17-1 TRAPMGR[trapTask]: traputil.c(721) 233 %% Link Up: 1/0/1
<13> Jan 1 00:02:31 10.255.222.17-1 TRAPMGR[SNMPCfgTask]: traputil.c(763) 204 %% Cold Start: Unit: 0
<13> Jan 1 00:02:12 10.255.222.17-1 TRAPMGR[dot1s_task]: traputil.c(763) 149 %% Spanning Tree Topology Change Received: MSTID: 0 1/0/10
<13> Jan 1 00:02:10 10.255.222.17-1 TRAPMGR[trapTask]: traputil.c(721) 147 %% Link Down: 1/0/1
<13> Jan 1 00:02:10 10.255.222.17-1 TRAPMGR[dot1s_task]: traputil.c(763) 145 %% Spanning Tree Topology Change Received: MSTID: 0 1/0/10
<13> Jan 1 00:01:48 10.255.222.17-1 TRAPMGR[trapTask]: traputil.c(721) 123 %% Link Up: 1/0/1
<13> Jan 1 00:01:45 10.255.222.17-1 TRAPMGR[trapTask]: traputil.c(721) 120 %% Link Down: 1/0/1
<13> Jan 1 00:01:44 10.255.222.17-1 SIM[DHCPv4 Client T]: sim_net_port.c(232) 118 %% Network port IPv4 address has been set to 10.255.222.17.
<14> Jan 1 00:01:44 0.0.0.0-1 DHCP_CLI[DHCPv4 Client T]: dhcp_prot.c(320) 117 %% get_tag: Unsupported subOption(6) in VendorSpecific Option in received DHCP pkt
<14> Jan 1 00:01:44 0.0.0.0-1 DHCP_CLI[DHCPv4 Client T]: dhcp_prot.c(2415) 116 %% The Network Interface management address is 10.255.222.17 (via DHCP)
<14> Jan 1 00:01:44 0.0.0.0-1 DHCP_CLI[DHCPv4 Client T]: dhcp_prot.c(320) 115 %% get_tag: Unsupported subOption(6) in VendorSpecific Option in received DHCP pkt
<13> Jan 1 00:01:42 0.0.0.0-1 TRAPMGR[dot1s_task]: traputil.c(763) 114 %% Spanning Tree Topology Change: 0, Unit: 1
<13> Jan 1 00:01:42 0.0.0.0-1 TRAPMGR[dot1s_task]: traputil.c(763) 113 %% Spanning Tree Topology Change Received: MSTID: 0 1/0/10
<13> Jan 1 00:01:42 0.0.0.0-1 TRAPMGR[dot1s_task]: traputil.c(763) 112 %% Spanning Tree Topology Change Received: MSTID: 0 1/0/10
<13> Jan 1 00:01:42 0.0.0.0-1 TRAPMGR[trapTask]: traputil.c(721) 111 %% Link Up: 1/0/1
<13> Jan 1 00:01:39 0.0.0.0-1 TRAPMGR[trapTask]: traputil.c(721) 109 %% Link Up: 1/0/10
<13> Jan 1 00:01:39 0.0.0.0-1 TRAPMGR[trapTask]: traputil.c(721) 107 %% Entity Database: Configuration Changed
<13> Jan 1 00:01:37 0.0.0.0-1 TRAPMGR[trapTask]: traputil.c(721) 106 %% Session 0 of type 1 started for user admin connected from EIA-232.
<14> Jan 1 00:01:35 0.0.0.0-1 UNITMGR[unitMgrTask]: unitmgr.c(2640) 105 %% Power On Start complete on unit 1
<14> Jan 1 00:01:34 0.0.0.0-1 DNS_CLI[dnsTask]: dns_client_txrx.c(719) 100 %% DNS Client: Failed to send query packet. Can't reach DNS server at 255.255.255.255.
<14> Jan 1 00:01:34 0.0.0.0-1 DNS_CLI[dnsTask]: dns_client_txrx.c(719) 99 %% DNS Client: Failed to send query packet. Can't reach DNS server at 255.255.255.255.
<14> Jan 1 00:01:34 0.0.0.0-1 General[procLOG]: procmgr.c(808) 96 %% Application Started (hiveagent, ID = 13, PID = 2651
<13> Jan 1 00:01:34 0.0.0.0-1 General[procLOG]: procmgr.c(2444) 95 %% Administrative Command:app-start hiveagent
<14> Jan 1 00:01:34 0.0.0.0-1 General[procLOG]: procmgr.c(808) 94 %% Application Started (lighttpd, ID = 3, PID = 2645
<14> Jan 1 00:01:34 0.0.0.0-1 General[procLOG]: procmgr.c(3685) 93 %% Application Terminated (lighttpd, ID = 3, PID = 1802
<14> Jan 1 00:01:33 0.0.0.0-1 SSLT[ssltTask]: sslt_util.c(558) 86 %% SSLT: Successfully loaded all required SSL PEM files
<14> Jan 1 00:01:33 0.0.0.0-1 CLI_WEB[UtilTask]: util.c(908) 85 %% Restarting lighttpd on HTTP port 80.
<14> Jan 1 00:01:33 0.0.0.0-1 AUTO_INST[emWeb]: auto_install_control.c(1354) 84 %% AutoInstall is stopped.
<13> Jan 1 00:01:33 0.0.0.0-1 TRAPMGR[PoE Req]: traputil.c(763) 83 %% PoE: 1/0/1 power up
<13> Jan 1 00:01:33 0.0.0.0-1 SIM[emWeb]: sim_util.c(3831) 82 %% Switch firmware operational: Aerohive SR2208P: 8 GE POE+ ports, 2 GE dual media ports, 1.0.1.20, Linux 3.6.5
<14> Jan 1 00:01:33 0.0.0.0-1 UNITMGR[cmgrInsertTask]: unitmgr.c(7954) 80 %% No Potential unit to configure as Standby when unit 1 joined
<14> Jan 1 00:01:32 0.0.0.0-1 SSLT[ssltTask]: sslt_util.c(558) 79 %% SSLT: Successfully loaded all required SSL PEM files
<14> Jan 1 00:01:32 0.0.0.0-1 SSHD[sshdEvTask]: sshd_control.c(411) 78 %% sshdEventAdminModeSet success, event=0
<14> Jan 1 00:01:32 0.0.0.0-1 General[procLOG]: procmgr.c(808) 77 %% Application Started (opensshd, ID = 9, PID = 2603
<13> Jan 1 00:01:32 0.0.0.0-1 General[procLOG]: procmgr.c(2444) 76 %% Administrative Command:app-start opensshd
<14> Jan 1 00:01:32 0.0.0.0-1 CLI_WEB[emWeb]: cli_txtcfg.c(429) 75 %% FAIL CMD: 'no set slot disable 1/0'
<14> Jan 1 00:01:32 0.0.0.0-1 CLI_WEB[emWeb]: cli_txtcfg.c(429) 74 %% FAIL CMD: 'set slot power 1/0'
<14> Jan 1 00:01:31 0.0.0.0-1 CLI_WEB[emWeb]: cli_txtcfg.c(429) 73 %% FAIL CMD: 'slot 1/0 5'
<14> Jan 1 00:01:31 0.0.0.0-1 SSLT[ssltTask]: sslt_util.c(558) 71 %% SSLT: Successfully loaded all required SSL PEM files
<14> Jan 1 00:01:31 0.0.0.0-1 CLI_WEB[emWeb]: sysapi.c(2715) 70 %% Configuration file <startup-config> read from flash!
<14> Jan 1 00:01:31 0.0.0.0-1 CLI_WEB[emWeb]: cli_txtcfg.c(429) 49 %% FAIL CMD: 'slot 1/0 5'
<14> Jan 1 00:01:31 0.0.0.0-1 CLI_WEB[emWeb]: cli_txtcfg.c(518) 48 %% Configuration applied from file <startup-config>
<14> Jan 1 00:01:31 0.0.0.0-1 CLI_WEB[emWeb]: sysapi.c(2715) 47 %% Configuration file <startup-config> read from flash!
<14> Jan 1 00:01:30 0.0.0.0-1 POE[PoE Req]: hpc_poe_brcm.c(10771) 45 %% Poe initialization is done for Unit 1
<14> Jan 1 00:01:30 0.0.0.0-1 POE[PoE Req]: hpc_poe_brcm.c(11140) 42 %% unit: 1 card: 0 mode_pins: 0x2 poe_ports: 8 port_map: 1 hw_ver: 0xe121 sw_ver: 0x14 eeprom: 1 config: 1 sw_ver_ext: 33
<14> Jan 1 00:01:30 0.0.0.0-1 POE[PoE Req]: hpc_poe_brcm.c(11025) 41 %% Opened PoE Card 0 on UART interface file desc:/dev/ttyS1 for unit 1
<13> Jan 1 00:01:30 0.0.0.0-1 OSAPI[Cnfgr_Thread ]: osapi_net.c(2008) 39 %% Error in opening file /proc/sys/net/ipv6/conf/eth0/ipv6_enable When trying to set the ipv6_enable where this variable is not defined in the proc file sysyem.
<14> Jan 1 00:01:26 0.0.0.0-0 General[procLOG]: procmgr.c(808) 22 %% Application Started (traceroute-0, ID = 12, PID = 2484
<13> Jan 1 00:01:26 0.0.0.0-0 General[procLOG]: procmgr.c(2444) 21 %% Administrative Command:app-start traceroute-0
<14> Jan 1 00:01:26 0.0.0.0-0 General[procLOG]: procmgr.c(808) 20 %% Application Started (ping-0, ID = 11, PID = 2472
<13> Jan 1 00:01:26 0.0.0.0-0 General[procLOG]: procmgr.c(2444) 19 %% Administrative Command:app-start ping-0
<14> Jan 1 00:01:25 0.0.0.0-0 General[procLOG]: procmgr.c(808) 18 %% Application Started (vr-agent-0, ID = 10, PID = 2437
<13> Jan 1 00:01:25 0.0.0.0-0 General[procLOG]: procmgr.c(2444) 16 %% Administrative Command:app-start vr-agent-0
<14> Jan 1 00:01:25 0.0.0.0-0 VR_AGENT[Cnfgr_Thread ]: vr_agent_api.c(72) 12 %% initialized the clnt addr:/tmp/fpcvragent.00,family:1
<14> Jan 1 00:01:25 0.0.0.0-1 UNITMGR[Cnfgr_Thread ]: unitmgr_status.c(150) 10 %% Unit Manager status sampling initialization done
<9> Jan 1 00:01:25 0.0.0.0-1 SIM[Cnfgr_Thread ]: sim_util.c(3868) 9 %% Switch was reset due to operator intervention.
<13> Jan 1 00:01:25 0.0.0.0-1 OSAPI[fp_main_task]: osapi_netlink.c(463) 8 %% Error! Failed to add icos entry to /etc/iproute2/rt_protos.
<10> Jan 1 00:01:24 0.0.0.0-1 General[fp_main_task]: bootos.c(238) 7 %% Event(0xaaaaaaaa)
<13> Jan 1 00:01:24 0.0.0.0-1 BSP[fp_main_task]: bootos.c(222) 6 %% BSP initialization complete, starting switch firmware.
<14> Jan 1 00:01:24 0.0.0.0-1 DRIVER[fp_main_task]: broad_hpc_stacking.c(1222) 5 %% Configuring CPUTRANS RX
<14> Jan 1 00:01:24 0.0.0.0-1 DRIVER[fp_main_task]: broad_hpc_stacking.c(1210) 4 %% Configuring CPUTRANS TX
<14> Jan 1 00:01:24 0.0.0.0-1 DRIVER[fp_main_task]: broad_hpc_stacking.c(1179) 3 %% Adding BCM transport pointers
<13> Jan 1 00:01:03 0.0.0.0-1 General[fp_main_task]: sdm_template_mgr.c(488) 2 %% Booting with default SDM template IPv4-routing Default.
<9> Jan 1 00:01:02 0.0.0.0-0 General[fp_main_task]: unitmgr.c(6548) 1 %% Reboot 1 (0x1)

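The log above is what "show logging buffered" hands you on this platform, and the three things worth pulling out of it (hiveagent starting while the clock still read Jan 1, the SNTP Kiss-o'-Death from the time server, and the DNS client with no server configured) are easy to miss in a few hundred lines. The script below is an added example, not part of the thread or of Aerohive's software: an awk triage pass over a constructed sample that mirrors the line format printed above (the host addresses in the sample are documentation ranges, not real devices). The line format it parses is an assumption taken from the post, and the finding texts are mine.

```shell
#!/bin/sh
# Added example, not from the thread or from Aerohive: a triage pass over
# "show logging buffered" output that flags the conditions this thread turns
# on (clock not yet set when hiveagent started, NTP Kiss-o'-Death, DNS not
# reachable) plus anything at syslog severity critical or worse.
# Line format assumed (as printed in the post above):
#   <PRI> Mon D HH:MM:SS host-unit COMPONENT[task]: file.c(line) seq %% message
set -eu

# Constructed sample, modelled on the log in the post above (addresses are
# documentation ranges, not real hosts). Newest line first, as the CLI prints.
sample_log() {
  cat <<'EOF'
<13> May 11 22:43:16 192.0.2.17-1 SNTP[SNTP]: sntp_client.c(462) 65812 %% SNTP: Received KoD packet from 198.51.100.9 - Kiss Code = RATE
<14> May 11 15:08:10 192.0.2.17-1 General[procLOG]: procmgr.c(808) 11881 %% Application Started (hiveagent, ID = 13, PID = 1838
<13> May 11 15:08:04 192.0.2.17-1 General[procLOG]: procmgr.c(2455) 11875 %% Administrative Command:app-stop hiveagent
<14> Jan 1 00:01:34 0.0.0.0-1 DNS_CLI[dnsTask]: dns_client_txrx.c(719) 100 %% DNS Client: Failed to send query packet. Can't reach DNS server at 255.255.255.255.
<14> Jan 1 00:01:34 0.0.0.0-1 General[procLOG]: procmgr.c(808) 96 %% Application Started (hiveagent, ID = 13, PID = 2651
<9> Jan 1 00:01:25 0.0.0.0-1 SIM[Cnfgr_Thread ]: sim_util.c(3868) 9 %% Switch was reset due to operator intervention.
EOF
}

# Reads log lines on stdin, writes one finding per line to stdout.
triage_switch_log() {
  awk '
    BEGIN { split("emerg alert crit err warning notice info debug", sevname, " ") }
    {
      pri = $1; gsub(/[<>]/, "", pri); sev = pri % 8   # syslog PRI = facility*8 + severity
      ts  = $2 " " $3 " " $4
      msg = $0; sub(/^.*%% /, "", msg)                 # text after the "%%" marker

      # Boot-epoch timestamp: the clock has not been set yet. If hiveagent
      # came up then, its first TLS attempts fail no matter which CA it trusts.
      if ($2 == "Jan" && $3 == "1" && $4 ~ /^00:0/ && msg ~ /Application Started \(hiveagent/)
        print ts ": hiveagent started before the clock was set; certificate validity checks will fail until SNTP syncs"

      if (msg ~ /SNTP: Received KoD/) {
        code = msg; sub(/^.*Kiss Code = /, "", code)
        print ts ": NTP server answered with Kiss-o-Death " code "; time source lost, fix the server/poll interval before chasing certificates"
      }

      if (msg ~ /DNS Client: Failed to send query/)
        print ts ": DNS query could not be sent (no DNS server was configured at that moment)"

      if (sev <= 2)
        print ts ": " sevname[sev + 1] " event: " msg
    }
  '
}

sample_log | triage_switch_log
```

Pipe the real output into `triage_switch_log` (paste it into a file and run `triage_switch_log < switch.log`). Note the order of checks matters for the diagnosis: a KoD with code RATE means the time server is refusing the switch for polling too often, so "No time source" in `show sntp` is expected until that is fixed, and no amount of certificate work on the HiveManager side will help while the clock is unsynced.
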

Carsten Buchenau (Champ):
An update from my side, after several discussions with support:

When a switch with HiveAgent is connecting to an NG VA using a public address, the full certificate chain is checked. If the address is private, this is not the case.

The certificate we are using is signed by GoDaddy, but the problem is getting not just the signed CSR but also the intermediate CA certificate onto NG. Every attempt at concatenating the certificates was unsuccessful.

We are exploring the following options now:
- use a private connection over VPN, which is ok in this case at least for the beginning
- asking support if they can manually fix the ca certificate chain via root access
- discussing with Aerohive product management to get improvement on the certificate handling interface.
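Roberto's first reply (clock mismatch) and Carsten's update above (intermediate CA missing from the server's chain) describe the two usual causes of this exact curl error 60 message. The script below is an added example, not part of the thread or of Aerohive's software: it builds a throwaway root / intermediate / leaf PKI with the openssl CLI and reproduces both failures next to the passing case. Everything in it is an assumption of the example: the CA names, the hostname hivemanager.example.test, and the use of `openssl verify -untrusted` to stand in for "the intermediate the server presents during the handshake". It needs the openssl command line (1.1.1 or 3.x) and nothing else.

```shell
#!/bin/sh
# Added example (not from this thread or from Aerohive): reproduce both ways a
# TLS client ends up with "Peer certificate cannot be authenticated with given
# CA certificates" (curl error 60) using a throwaway PKI built with openssl.
# Assumes the openssl CLI (1.1.1 or 3.x). All names below are made up.
set -eu

make_pki() {
  PKI_DIR=$(mktemp -d)

  # Minimal config so this does not depend on the system openssl.cnf.
  cat > "$PKI_DIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

  # Root CA: self-signed, the only thing in the client's trust store.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$PKI_DIR/root.key" \
    -out "$PKI_DIR/root.pem" -days 3650 -config "$PKI_DIR/ca.cnf" 2>/dev/null

  # Intermediate CA signed by the root (the role the public CA's intermediate
  # plays in the post above).
  cat > "$PKI_DIR/int.ext" <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$PKI_DIR/int.key" \
    -out "$PKI_DIR/int.csr" -subj "/CN=Example Intermediate CA" \
    -config "$PKI_DIR/ca.cnf" 2>/dev/null
  openssl x509 -req -in "$PKI_DIR/int.csr" -CA "$PKI_DIR/root.pem" \
    -CAkey "$PKI_DIR/root.key" -CAcreateserial -out "$PKI_DIR/int.pem" \
    -days 1825 -extfile "$PKI_DIR/int.ext" 2>/dev/null

  # Server (leaf) certificate, signed by the intermediate only.
  cat > "$PKI_DIR/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:hivemanager.example.test
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$PKI_DIR/leaf.key" \
    -out "$PKI_DIR/leaf.csr" -subj "/CN=hivemanager.example.test" \
    -config "$PKI_DIR/ca.cnf" 2>/dev/null
  openssl x509 -req -in "$PKI_DIR/leaf.csr" -CA "$PKI_DIR/int.pem" \
    -CAkey "$PKI_DIR/int.key" -CAcreateserial -out "$PKI_DIR/leaf.pem" \
    -days 365 -extfile "$PKI_DIR/leaf.ext" 2>/dev/null
}

# Each check returns openssl verify's exit status:
# 0 = chain validated, non-zero = the agent would report curl error 60.

verify_leaf_alone() {
  # Trust store: root only. Presented: leaf only, i.e. a server that was
  # given the signed CSR but never the intermediate. No path to the root.
  openssl verify -CAfile "$PKI_DIR/root.pem" "$PKI_DIR/leaf.pem"
}

verify_full_chain() {
  # -untrusted stands in for the intermediate a correctly configured server
  # sends in its handshake; only the root has to be trusted by the client.
  openssl verify -CAfile "$PKI_DIR/root.pem" -untrusted "$PKI_DIR/int.pem" \
    "$PKI_DIR/leaf.pem"
}

verify_full_chain_at() {
  # $1 = Unix epoch the client believes it is. 86400 is 2 Jan 1970, the
  # kind of date a switch reports before SNTP has set its clock.
  openssl verify -attime "$1" -CAfile "$PKI_DIR/root.pem" \
    -untrusted "$PKI_DIR/int.pem" "$PKI_DIR/leaf.pem"
}

make_pki
verify_leaf_alone          || echo "leaf without intermediate: rejected (no issuer)"
verify_full_chain          && echo "leaf + intermediate: accepted"
verify_full_chain_at 86400 || echo "good chain, clock at 1970-01-02: rejected (not yet valid)"
```

Against a live HiveManager, `openssl s_client -connect <host>:443 -servername <host> -showcerts` lists the certificates the server actually sends; if only the leaf appears, the intermediate never made it onto the server, which is the gap the concatenation attempts in the post above were trying to close. Check `show clock` first, though: a switch whose clock still reads Jan 1 rejects the chain exactly like the third case, however correct the server side is.
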

lowk3y:
So is this an Aerohive bug/feature? Because I have the same issue now with one client and I am a bit stuck, because only the switch is not getting connected to the NG VA.