Troubleshooting TLS Issues in OcNOS
When TLS is enabled for streaming telemetry in OcNOS, various certificate-related errors may occur. The following are common issues and their resolutions:
1. Error: %% TLS is enabled but certificates are not present. Please generate key and certificates to enable tls for streaming-telemetry

   Resolution: Follow all the steps in Certificate Management for OcNOS and gNMI to generate the certificates and copy them to OcNOS.

2. Error: %% TLS is enabled but client certificates are not present. Please upload client key and certificates to "/cfg/usr/local/etc/tls/client"

   Resolution: This occurs when TLS is enabled before the dial-out configuration is applied. Copy the client certificates ca.pem, ClientCert.pem, and client.pem to /cfg/usr/local/etc/tls/client on OcNOS.

3. Error: Failed to load TLS credentials: tls: private key does not match public key

   Resolution: The server certificate /cfg/usr/local/etc/tls/certs/cert_gnmid.pem does not match the private key /cfg/usr/local/etc/tls/keys/key.pem. Generate the server certificate again by copying the output of the show crypto csr command into the ServerCert.csr file, then restart gnmid to load the new certificate.

4. Error: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority

   Resolution: The CA certificate on the server (OcNOS) does not match the CA certificate on the client side. Use the same CA certificate to generate both the server and the client certificates.

5. Error: authentication handshake failed: tls: failed to verify certificate: x509: certificate is valid for OcNOS, not Admin

   Resolution: The value passed to --tls-server-name in the gnmic command must be the same as the subjectAltName defined in the san.ext file.

6. Error: authentication handshake failed: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match Admin

   Resolution: The server certificate ServerCert.pem was generated without san.ext, so no subjectAltName is defined. Define a SAN, use it when generating the server certificate, and pass the same SAN to --tls-server-name in gnmic.
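The errors in items 3, 5 and 6 are produced by Go's crypto/tls and crypto/x509 packages, which gnmid and gnmic are built on. The following added example (not OcNOS or gnmic code) reproduces the same three checks on constructed, self-signed test material so that a certificate and key can be validated before they are copied to the device; the function names selfSigned, KeyMatches and ServerNameMatches are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// selfSigned builds a constructed self-signed cert and key (PEM) with the given SANs, standing in for cert_gnmid.pem/key.pem; errors are ignored because this is test material only.
func selfSigned(sans []string) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "OcNOS"},
		DNSNames:     sans, // nil reproduces a certificate generated without san.ext (item 6)
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM
}

// KeyMatches runs the same cert/key pairing check gnmid performs when loading credentials (item 3).
func KeyMatches(certPEM, keyPEM []byte) error {
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	return err
}

// ServerNameMatches checks the certificate's SANs against the name gnmic is given via --tls-server-name (items 5 and 6); the CN is ignored, as in Go.
func ServerNameMatches(certPEM []byte, serverName string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return errors.New("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(serverName)
}
```

Calling KeyMatches with a key from a different generation run returns "tls: private key does not match public key", and ServerNameMatches with a SAN of OcNOS but a server name of Admin returns the "certificate is valid for OcNOS, not Admin" message from item 5.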