Field Notice: FN - 70594 - New APIC L3 or M3 Server Might Have Certificate Issue - Workaround Provided

Available Languages

Updated:August 27, 2020

Document ID:FN70594

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	20-Aug-20	Initial Release
1.11	25-Aug-20	Added the Serial Number Validation Section
1.2	25-Aug-20	Updated the How to Identify Affected Products Section

Products Affected

Affected Product ID	Comments
APIC-SERVER-M3
APIC-SERVER-L3
APIC-SERVER-M3=	Part Alternate
APIC-SERVER-L3=	Part Alternate

Defect Information

Defect ID	Headline
CSCvu62127	F3031 - Node Certificate is invalid: Failed to parse the subject line on new APIC-SERVER-L3 and M3

Problem Description

A newly received Application Policy Infrastructure Controller (APIC) L3 or M3 server can be received with a certificate in which the subject is in an unexpected order.

Background

An X.509 library function was changed in the mid-April timeframe which resulted in certificates generated with an unexpected subject format. The APIC is unable to extract validity information from the certificate due to this unexpected subject format.

Problem Symptom

A new APIC L3 or M3 server will not be able to complete fabric discovery. Link Layer Discovery Protocol (LLDP), the acidiag verifyapic command, and other general checks will not exhibit a problem.

The appliancedirector logs of an affected Cisco APIC should be checked for messages that indicate that the rejection happens due to being unable to parse the certificate subject.

APIC# less /var/log/dme/log/svc_ifc_appliancedirector.bin.log

|crypto||ERROR||co=ifm||Failed to parse subject from peer SSL certificate (/CN=ASD1234567/serialNumber=PID:APIC-SERVER-L3 SN:ASD1234567)||../common/src/ifm/./PeerVerificationUtils.cc||287

|crypto||ERROR||co=ifm||Peer Certificate Subject is not in the expected format - REJECTING IFM SSL PEER CONNECTION||../common/src/ifm/./PeerVerificationUtils.cc||526

Workaround/Solution

Contact the Technical Assistance Center (TAC) in order to generate and reprogram the APIC certificates.

How To Identify Affected Products

Products manufactured before 2020-07-23 will have some impact. Customers can use the product serial number to identify impacted servers.

The serial number for the server is printed on a label located on the top, front of the server. See the Serial Number Validation section in this field notice for more information.

Serial Number Validation

This field notice provides the ability to determine if the serial number(s) of a device is impacted by this issue. In order to verify your serial number(s), enter it in the Serial Number Validation Tool.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.