If the date on an EX Switch is set to a date earlier than the date on which the jloader was built, the jloader upgrade might fail with the "verify-sig: cannot validate ./certs.pem" message. Setting the date to the present fixes this problem. This article explains the steps in this process.
Upgrading to Junos OS software release 10.4R3 or later from an earlier release requires the jloader to be upgraded. This makes sure that the switch can use the full functionality of the dual-boot resilient filesystem feature introduced in Junos OS release 10.4R3. Under some conditions, this jloader upgrade might fail with the following errors if the EX Switch "date" is set earlier than the date on which the jloader was built:
verify-sig: cannot validate ./certs.pem
certificate is not yet valid: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper
CA/CN=PackageDevelopment_11_3_0/emailAddress=ca@juniper.net
Following is the full output of the failing upgrade attempt:
root@switch> request system software add jloader-ex-3242-11.3I20110326_0802_hmerge-signed.tgz
tar: +CONTENTS: time stamp Mar 26 14:18 2011 is 24166659 s in the future
tar: +COMMENT: time stamp Mar 26 14:18 2011 is 24166658 s in the future
tar: +DESC: time stamp Mar 26 14:18 2011 is 24166658 s in the future
tar: +INSTALL: time stamp Mar 26 14:18 2011 is 24166658 s in the future
tar: jloader-ex-3242-11.3I20110326_0802_hmerge.tgz: time stamp Mar 26 14:06 2011 is
24165902 s in the future
tar: jloader-ex-3242-11.3I20110326_0802_hmerge.tgz.md5: time stamp Mar 26 14:18 2011 is
24166657 s in the future
tar: jloader-ex-3242-11.3I20110326_0802_hmerge.tgz.sha1: time stamp Mar 26 14:18 2011 is
24166656 s in the future
tar: jloader-ex-3242-11.3I20110326_0802_hmerge.tgz.sig: time stamp Mar 26 14:18 2011 is
24166656 s in the future
tar: certs.pem: time stamp Mar 26 10:02 2011 is 24151315 s in the future
verify-sig: cannot validate ./certs.pem
certificate is not yet valid: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper
CA/CN=PackageDevelopment_11_3_0/emailAddress=ca@juniper.net
The problem is that the date of the switch is set to a date earlier than the date on which the jloader was built, therefore the certificate for the file is not yet valid. The solution is to either synchronize the date on the switch to an NTP server or to manually set the date. To manually set the date to July 7th 2011 5:00PM, use the following command:
root@switch> set date 201107071700.00
Thu Jul 7 17:00:00 UTC 2011
root@switch>
Running the command request system software add <package-name> will not display any more errors at this point.
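The tar warnings in the failing output already reveal how far off the switch clock is: each file time stamp minus the reported "s in the future" value gives the clock at the time of the attempt. The following is an added example, not part of the original article or Juniper tooling; the function names are hypothetical, and the sample input is built from three of the warning lines shown above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: three warnings taken from the failing upgrade output
# above, including one that wraps onto a second line.
SAMPLE = """\
tar: +CONTENTS: time stamp Mar 26 14:18 2011 is 24166659 s in the future
tar: jloader-ex-3242-11.3I20110326_0802_hmerge.tgz: time stamp Mar 26 14:06 2011 is
24165902 s in the future
tar: certs.pem: time stamp Mar 26 10:02 2011 is 24151315 s in the future
"""

# \s+ also matches a newline, so wrapped warnings are still recognised.
WARNING = re.compile(
    r"tar: (\S+): time stamp (\w{3}\s+\d{1,2}\s+\d\d:\d\d\s+\d{4})\s+is\s+"
    r"(\d+) s in the future"
)

def parse_warnings(output):
    """Return (member, member_mtime, implied_device_clock) for each warning."""
    rows = []
    for name, stamp, skew in WARNING.findall(output):
        mtime = datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M %Y")
        rows.append((name, mtime, mtime - timedelta(seconds=int(skew))))
    return rows

def diagnose(output, proposed):
    """Estimate the device clock and sanity-check a date before setting it."""
    rows = parse_warnings(output)
    if not rows:
        return None  # no clock-skew warnings in this output
    clocks = [clock for _, _, clock in rows]
    newest = max(mtime for _, mtime, _ in rows)
    return {
        "clock_low": min(clocks),    # tar prints minutes only, so the
        "clock_high": max(clocks),   # estimates spread over about a minute
        "newest_member": newest,
        # Lower bound only: the certificate's own validity start is not read.
        "proposed_after_build": proposed > newest,
    }

if __name__ == "__main__":
    result = diagnose(SAMPLE, datetime(2011, 7, 7, 17, 0))
    for key, value in result.items():
        print(f"{key}: {value}")
```

For the output above, the estimate places the switch clock in June 2010, roughly nine months before the package was built.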
2020-10-21: Article reviewed for accuracy; no changes required
2020-11-13: remove EOS product EX3200