This article describes a failure observed when an NFX250 tries to communicate with the phone-home server.
While performing ZTP of an NFX250 site through CSO, the PHC (phone-home client) failed with the following message:
jdm phone-home: phcd_contact_phs: curl_easy_perform() failed: SSL peer certificate or SSH remote key was not OK
The configuration below was in place for PHC to work:
set system phone-home server https://centralmsvm.cso.juniper.net
set system phone-home ca-certification-file /var/phone-home/phcd-ca.crt
set system phone-home upgrade-image-before-configuration
Ping to the centralmsvm hostname was working:
<snip>
jdm:/var/log# ping centralmsvm.cso.juniper.net
PING centralmsvm.cso.juniper.net (10.219.90.117) 56(84) bytes of data.
64 bytes from centralmsvm.cso.juniper.net (10.219.90.117): icmp_seq=1 ttl=64 time=0.265 ms
64 bytes from centralmsvm.cso.juniper.net (10.219.90.117): icmp_seq=2 ttl=64 time=0.227 ms
64 bytes from centralmsvm.cso.juniper.net (10.219.90.117): icmp_seq=3 ttl=64 time=0.273 ms
64 bytes from centralmsvm.cso.juniper.net (10.219.90.117): icmp_seq=4 ttl=64 time=0.262 ms
64 bytes from centralmsvm.cso.juniper.net (10.219.90.117): icmp_seq=5 ttl=64 time=0.272 ms
Because a certificate error was reported, the MD5 checksum of the certificate on the NFX was compared with that of the certificate on the msvm, and the two matched:
root@centralmsvm:/etc/pki/tls/certs# ls -ltr ssl_cert.crt
-rw-r--r-- 1 root root 1338 Oct 31 2019 ssl_cert.crt
root@centralmsvm:/etc/pki/tls/certs#
jdm:/var/phone-home# ls -ltr
-rwxrwxrwx 1 root root 1338 Jul 21 00:17 phcd-ca.crt
A 'wget' was then attempted against 'centralmsvm.cso.juniper.net', the hostname configured in the PHC configuration of the NFX JDM.
It returned the following:
<Snip>
jdm:/var/log# wget https://centralmsvm.cso.juniper.net/
Resolving centralmsvm.cso.juniper.net (centralmsvm.cso.juniper.net)... 10.219.90.117
Connecting to centralmsvm.cso.juniper.net (centralmsvm.cso.juniper.net)|10.219.90.117|:443... connected.
ERROR: cannot verify centralmsvm.cso.juniper.net's certificate, issued by '/C=US/ST=CA/O=Juniper Networks/L=Sunnyvale/CN=centralmsvm.juniper.net/OU=CSP/emailAddress=test@email.net':
Self-signed certificate encountered.
ERROR: certificate common name 'centralmsvm.juniper.net' doesn't match requested host name 'centralmsvm.cso.juniper.net'..
The error message above shows that the issue is caused by a mismatch between the hostname in the PHC configuration and the actual hostname configured on the msvm server.
The PHC configuration in the NFX JDM was corrected by changing the hostname to 'centralmsvm.juniper.net', and the issue was resolved.
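A pre-flight check for the mismatch diagnosed above, as an added example that is not part of the original article or Juniper's code: it compares the hostname in the phone-home server URL with the names carried by the certificate. The function names are hypothetical, pem_cn assumes an openssl binary is present on the device, and the wildcard handling goes beyond the exact-name case shown on this page.

```sh
#!/bin/sh
# Added example (not Juniper code). Function names are hypothetical.

# Hostname from a "set system phone-home server https://..." config line.
phs_host() {
    printf '%s\n' "$1" |
        sed -n 's|^set system phone-home server https://\([^/:]*\).*|\1|p'
}

# CN from a subject in the /C=../CN=.. form that wget printed above.
subject_cn() {
    printf '%s\n' "$1" | tr '/' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# CN straight from a PEM file; assumes an openssl binary is on the box.
pem_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Case-insensitive match; "*.example.net" covers exactly one leftmost label.
name_matches() {
    _h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    _p=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$_p" in
        \*.*) [ "$_h" != "${_h#*.}" ] && [ "${_h#*.}" = "${_p#\*.}" ] ;;
        *)    [ "$_h" = "$_p" ] ;;
    esac
}

# check_phc_name "<config line>" "<cert name> [<cert name> ...]"
# Returns 0 on a match, 1 on a mismatch, 2 if no https server is configured.
check_phc_name() (
    set -f  # keep "*" in certificate names literal; the subshell body scopes it
    _host=$(phs_host "$1")
    [ -n "$_host" ] || { echo "no https phone-home server in: $1"; return 2; }
    for _name in $2; do
        if name_matches "$_host" "$_name"; then
            echo "OK: $_host matches certificate name $_name"
            return 0
        fi
    done
    echo "MISMATCH: $_host is not among certificate names: $2"
    return 1
)

# Values taken from this page: the configured URL and the wget subject.
check_phc_name \
    'set system phone-home server https://centralmsvm.cso.juniper.net' \
    "$(subject_cn '/C=US/ST=CA/O=Juniper Networks/L=Sunnyvale/CN=centralmsvm.juniper.net/OU=CSP/emailAddress=test@email.net')" || true
```

On the device, the second argument can come from pem_cn /var/phone-home/phcd-ca.crt; if the certificate carries subjectAltName entries, pass those names as well.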