Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[EX] EX Switch jloader fails during installation with error "verify-sig: cannot validate ./certs.pem"

0

0
Article ID: KB21424 KB Last Updated: 13 Nov 2020Version: 3.0 Summary:

If the date on an EX Switch is set to a date earlier than the date on which the jloader was built, the jloader upgrade might fail with the "verify-sig: cannot validate ./certs.pem" message. Setting the date to present will fix this problem. This article explains the steps in this process.

 

Symptoms:

Upgrading to Junos OS software release 10.4R3 or later, from an earlier release requires the jloader to be upgraded. This makes sure that the switch uses full functionality of the dual-boot resilient filesystem feature introduced in Junos OS release 10.4R3. Under some conditions, this jloader upgrade might fail with the following errors if the EX Switch "date" is set earlier than the date on which the jloader was built:

verify-sig: cannot validate ./certs.pem
certificate is not yet valid: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper
CA/CN=PackageDevelopment_11_3_0/emailAddress=ca@juniper.net

Following is the full output of the failing upgrade attempt:

root@switch> request system software add jloader-ex-3242-11.3I20110326_0802_hmerge-signed.tgz

tar: +CONTENTS: time stamp Mar 26 14:18 2011 is 24166659 s in the future
tar: +COMMENT: time stamp Mar 26 14:18 2011 is 24166658 s in the future
tar: +DESC: time stamp Mar 26 14:18 2011 is 24166658 s in the future
tar: +INSTALL: time stamp Mar 26 14:18 2011 is 24166658 s in the future
tar: jloader-ex-3242-11.3I20110326_0802_hmerge.tgz: time stamp Mar 26 14:06 2011 is
24165902 s in the future
tar: jloader-ex-3242-11.3I20110326_0802_hmerge.tgz.md5: time stamp Mar 26 14:18 2011 is
24166657 s in the future
tar: jloader-ex-3242-11.3I20110326_0802_hmerge.tgz.sha1: time stamp Mar 26 14:18 2011 is
24166656 s in the future
tar: jloader-ex-3242-11.3I20110326_0802_hmerge.tgz.sig: time stamp Mar 26 14:18 2011 is
24166656 s in the future
tar: certs.pem: time stamp Mar 26 10:02 2011 is 24151315 s in the future
verify-sig: cannot validate ./certs.pem
certificate is not yet valid: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper
CA/CN=PackageDevelopment_11_3_0/emailAddress=ca@juniper.net

 

Solution:

The problem is that the date of the switch is set to a date earlier than the date on which the jloader was built, therefore the certificate for the file is not yet valid. The solution is to either synchronize the date on the switch to an NTP server or to manually set the date. To manually set the date to July 7th 2011 5:00PM, use the following command:

root@switch> set date 201107071700.00
Thu Jul 7 17:00:00 UTC 2011
root@switch>

Running the command request system software add <package-name> will not display any more errors at this point.

 

Modification History:

2020-10-21: Article reviewed for accuracy; no changes required

2020-11-13: remove EOS product EX3200

 

Related Links

 Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search