Support Support Downloads Knowledge Base Apex Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[CSO] PHC error 'jdm phone-home: phcd_contact_phs: curl_easy_perform() failed: SSL peer certificate or SSH remote key was not OK'

0

0
Article ID: KB36179 KB Last Updated: 22 Aug 2020Version: 1.0 Summary:

This article describes a failure observed when NFX250 tries to communicate with phone home server. 

Symptoms:

While performing ZTP of a NFX250 site through CSO, PHC (phone home client) failed with the following message:

jdm phone-home: phcd_contact_phs: curl_easy_perform() failed: SSL peer certificate or SSH remote key was not OK

The configuration below was in place for PHC to work:

set system phone-home server https://centralmsvm.cso.juniper.net
set system phone-home ca-certification-file /var/phone-home/phcd-ca.crt
set system phone-home upgrade-image-before-configuration

Ping to the centralmsvm hostname was working:

<snip>
jdm:/var/log# ping centralmsvm.cso.juniper.net
PING centralmsvm.cso.juniper.net (10.219.90.117) 56(84) bytes of data.
64 bytes from centralmsvm.cso.juniper.net (10.219.90.117): icmp_seq=1 ttl=64 time=0.265 ms
64 bytes from centralmsvm.cso.juniper.net (10.219.90.117): icmp_seq=2 ttl=64 time=0.227 ms
64 bytes from centralmsvm.cso.juniper.net (10.219.90.117): icmp_seq=3 ttl=64 time=0.273 ms
64 bytes from centralmsvm.cso.juniper.net (10.219.90.117): icmp_seq=4 ttl=64 time=0.262 ms
64 bytes from centralmsvm.cso.juniper.net (10.219.90.117): icmp_seq=5 ttl=64 time=0.272 ms
As it was throwing a certificate error, md5 was matched with the certificate in NFX as well as in msvm and it was matching:
root@centralmsvm:/etc/pki/tls/certs# ls -ltr ssl_cert.crt
-rw-r--r-- 1 root root 1338 Oct 31  2019 ssl_cert.crt
root@centralmsvm:/etc/pki/tls/certs#

jdm:/var/phone-home# ls -ltr 
-rwxrwxrwx 1 root root 1338 Jul 21 00:17 phcd-ca.crt
Solution:

Tried to perform a 'wget' with the centralmsvm hostname configuered in the PHC configuraiton of NFX JDM 'centralmsvm.cso.juniper.net'

It was giving the name below:

<Snip>
jdm:/var/log# wget https://centralmsvm.cso.juniper.net/
Resolving centralmsvm.cso.juniper.net (centralmsvm.cso.juniper.net)... 10.219.90.117
Connecting to centralmsvm.cso.juniper.net (centralmsvm.cso.juniper.net)|10.219.90.117|:443... connected.
ERROR: cannot verify centralmsvm.cso.juniper.net's certificate, issued by '/C=US/ST=CA/O=Juniper Networks/L=Sunnyvale/CN=centralmsvm.juniper.net/OU=CSP/emailAddress=test@email.net':
  Self-signed certificate encountered.
    ERROR: certificate common name 'centralmsvm.juniper.net' doesn't match requested host name 'centralmsvm.cso.juniper.net'..

From the error message above, it shows the issue is due to a mismatch of hostname in the PHC configuration with the actual hostname configured in msvm server.

The configuration for PHC in NFX JDM  was corrected by changing the hostname to 'centralmsvm.juniper.net' and the issue was resolved .

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search