Awesome news! I'm pretty sure we've all done the face plant from time to time :-).
Jason

On Mon, Sep 24, 2012 at 10:46 PM, Matt Hill <[email protected]> wrote:
> Great! That was it!
>
> How I fixed it was with this command:
>
> "lifetime certificate 300" in the CA config section.
>
> I re-enrolled the two client routers (R5 & R6) and noted their
> certificates were ok:
>
> R6#show crypto ca certificate IOS_CA
> Certificate
>   Status: Available
>   Certificate Serial Number: 0x7
>   Certificate Usage: General Purpose
>   Issuer:
>     cn=IOS_CA
>   Subject:
>     Name: R6
>     Serial Number: FHK0953F17K
>     hostname=R6+serialNumber=FHK0953F17K
>     cn=R6.cisco.com
>     ou=CCIE
>     c=PL
>   CRL Distribution Points:
>     http://8.9.50.2/cgi-bin/pkiclient.exe?operation=GetCRL
>   Validity Date:
>     start date: 14:38:50 EUST Sep 25 2012
>     end date: 14:38:50 EUST Jul 22 2013
>   Associated Trustpoints: IOS_CA
>
> Tried to ping between the two vlans and the VPN came up and everything
> was all good. This was after I facepalmed myself with the 2015 date
> :) That was a real case of OYFE for me there.
>
> Once again, thanks everyone for their assistance.
>
> Cheers
>
> On 25 September 2012 14:14, Jason Madsen <[email protected]> wrote:
> > The line you're referring to is your CA certificate timer, which can be
> > set as follows:
> >
> > (within pki server config mode)
> > lifetime ca-certificate xxx
> >
> > Not sure I recommend changing values like this once the server has
> > already been set up and certs have been issued though. That could cause
> > you more grief.
> >
> > The expiration date you mentioned below was yesterday as you pointed out,
> > but it's for 2015. The ca-cert has a lifetime of 3 years by default.
> >
> > Jason
> >
> > On Mon, Sep 24, 2012 at 7:37 PM, Matt Hill <[email protected]> wrote:
> >>
> >> Hi Everyone,
> >>
> >> Thanks for your input. I tried the "lifetime crl time" but that does
> >> not look like it fixes it.
> >>
> >> Here is my CA config and show output:
> >>
> >> R2#show crypto pki server
> >> Certificate Server IOS_CA:
> >>   Status: enabled
> >>   State: enabled
> >>   Server's configuration is locked (enter "shut" to unlock it)
> >>   Issuer name: CN=IOS_CA
> >>   CA cert fingerprint: 27B1F4FA 9FA2623B 2486DB53 472CC3C3
> >>   Granting mode is: auto
> >>   Last certificate issued serial number: 0x6
> >>   CA certificate expiration timer: 05:03:42 EUST Sep 24 2015   <----------- uncool!!!
> >>   CRL NextUpdate timer: 12:19:06 EUST Oct 7 2012
> >>   Current primary storage dir: nvram:
> >>   Database Level: Minimum - no cert data written to storage
> >>   Auto-Rollover configured, overlap period 30 days
> >>   Autorollover timer: 05:03:42 EUST Aug 25 2015
> >>
> >> R2#show run | s crypto pki
> >> crypto pki server IOS_CA
> >>  database archive pem password 7 070C285F4D06485744
> >>  grant auto
> >>  lifetime crl 300
> >>  cdp-url http://8.9.50.2/cgi-bin/pkiclient.exe?operation=GetCRL
> >>  auto-rollover
> >> crypto pki trustpoint IOS_CA
> >>  revocation-check crl
> >>  rsakeypair IOS_CA
> >> crypto pki certificate chain IOS_CA
> >>  certificate ca 01
> >>   308201FB 30820164 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
> >>   XXXXXX
> >>   268C07A3 A77CAB95 3E19268B 8E8C1D45 3044964C 05952A39 20E8288D C2ABC4
> >>   quit
> >>
> >> R2#show clock
> >> 11:32:52.370 EUST Tue Sep 25 2012
> >>
> >> -------------
> >>
> >> The certificate expiration timer appears to be the problem here. As
> >> you can see the time expired was yesterday. I can't for the life of me
> >> find how to change this. It would be a one liner in there somewhere
> >> I'm sure?
> >>
> >> Cheers,
> >> Matt
> >>
> >> CCIE #22386
> >> CCSI #31207
> >>
> >>
> >> On 24 September 2012 19:43, Kingsley Charles <[email protected]> wrote:
> >> > You need to worry about timezones. Validity check is done based on UTC.
> >> >
> >> > The validity period can't be changed; rather, change your clock.
> >> >
> >> > With regards
> >> > Kings
> >> > CCNA, CCSP, CCNP, CCIP, CCIE 35914 (Security)
> >> >
> >> > On Mon, Sep 24, 2012 at 10:13 AM, Matt Hill <[email protected]> wrote:
> >> >>
> >> >> Hi There,
> >> >>
> >> >> I am doing something wrong here, saying my certificate is invalid, but
> >> >> I'm not sure why...
> >> >>
> >> >>
> >> >> Sep 24 13:36:03.912: %CRYPTO-4-IKMP_NO_SA: IKE message from 8.9.50.6 has no SA and is not an initialization offer
> >> >> Sep 24 13:36:04.492: CRYPTO_PKI: New CRL Not Valid - expired (router time not synched to CA?)
> >> >> Sep 24 13:36:04.492: CRL expires: 11:03:44 EUST Sep 24 2012
> >> >> Sep 24 13:36:04.492: Router time: 14:36:04 EUST Sep 24 2012
> >> >> Sep 24 13:36:04.492: %PKI-4-CRLINSERTFAIL: Trustpoint "IOS_CA" unknown (error 1804:E_VALIDITY : validity period start later than end)   <--- this line caught my attention
> >> >> Sep 24 13:36:04.496: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 8.9.50.6 is bad: certificate invalid.
> >> >> Sep 24 13:36:04.496: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 8.9.50.6....
> >> >>
> >> >>
> >> >> R5#show crypto pki certificates
> >> >> Certificate
> >> >>   Status: Available
> >> >>   Certificate Serial Number: 0x4
> >> >>   Certificate Usage: General Purpose
> >> >>   Issuer:
> >> >>     cn=IOS_CA
> >> >>   Subject:
> >> >>     Name: R5
> >> >>     Serial Number: FHK0953F18R
> >> >>     hostname=R5+serialNumber=FHK0953F18R
> >> >>     cn=R5.cisco.com
> >> >>     ou=CCIE
> >> >>     c=PL
> >> >>   CRL Distribution Points:
> >> >>     http://8.9.50.2/cgi-bin/pkiclient.exe?operation=GetCRL
> >> >>   Validity Date:
> >> >>     start date: 13:52:19 EUST Sep 24 2012
> >> >>     end date: 13:52:19 EUST Sep 24 2013
> >> >>   Associated Trustpoints: IOS_CA
> >> >>   Storage: nvram:IOS_CA#4.cer
> >> >>
> >> >> CA Certificate
> >> >>   Status: Available
> >> >>   Certificate Serial Number: 0x1
> >> >>   Certificate Usage: Signature
> >> >>   Issuer:
> >> >>     cn=IOS_CA
> >> >>   Subject:
> >> >>     cn=IOS_CA
> >> >>   Validity Date:
> >> >>     start date: 05:03:42 EUST Sep 24 2012
> >> >>     end date: 05:03:42 EUST Sep 24 2015
> >> >>   Associated Trustpoints: IOS_CA
> >> >>   Storage: nvram:IOS_CA#1CA.cer
> >> >>
> >> >>
> >> >> R5#show clock
> >> >> 14:35:42.983 EUST Mon Sep 24 2012
> >> >>
> >> >> and on my CA:
> >> >>
> >> >> R2#show clock
> >> >> 14:36:24.099 EUST Mon Sep 24 2012
> >> >>
> >> >> So we can see the validity period is outside what the current time is,
> >> >> also the validity period is rather short (ie <1 second). I got this
> >> >> to work previously, however I can't easily find anywhere where I can
> >> >> change the validity period.
> >> >>
> >> >> Also, EUST is something I made up. The lab did not tell me what I
> >> >> should call it. Funnily enough, when I used "MATTST" it was working
> >> >> fine. I don't think the timezone name should make any difference
> >> >> whatsoever.
> >> >>
> >> >> Cheers,
> >> >> Matt
> >> >>
> >> >> CCIE #22386
> >> >> CCSI #31207
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
