Reset Search
 

 

Article

Extreme Management Center Subscription Licensing "Usage Data Collection Failed To Send ... The certificate is not trusted"

« Go Back

Information

 
TitleExtreme Management Center Subscription Licensing "Usage Data Collection Failed To Send ... The certificate is not trusted"
Symptoms
  • Daily Usage Data Collection callbacks from Extreme Management Center fail.
  • Repetitive failures of callbacks to Extreme may result in premature subscription license expiration.
  • Subscription licensing was working but has suddenly and persistently stopped working.
  • The console.log indicates the following exception:
72764 1.56756E+12 Usage Data Collection.2.Event XMCServer XMC.local --- Usage Data Collection Failed To Send java.security.cert.CertificateException: The certificate is not trusted Cause:com.ctc.wstx.exc.WstxIOException: java.security.cert.CertificateException: The certificate is not trusted
Environment
  • Extreme Management Center (XMC, formerly NetSight)
  • Extreme Wireless Controller (EWC)
  • Subscription Licensing (27001)
  • IdentiFi
Cause
Communication between Extreme Management Center and the services.enterasys.com:443 portal is being intercepted or blocked.
Resolution
Identify any third-party firewall or ACL rules that are blocking communication between Extreme Management Center and services.enterasys.com on TCP port 443 (HTTPS).
Additional notes
Use command line tools WGET, CURL or OPENSSL to test connectivity from XMC to services.enterasys.com:443 as exampled below:
root@xmc:/etc$ openssl s_client -host services.enterasys.com -port 443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = North Carolina, L = Morrisville, O = "Extreme Networks, Inc.", OU = IT Operations, CN = services.enterasys.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=North Carolina/L=Morrisville/O=Extreme Networks, Inc./OU=IT Operations/CN=services.enterasys.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
 2 s:/C=US/ST=North Carolina/L=Morrisville/O=Extreme Networks, Inc./OU=IT Operations/CN=services.enterasys.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
 3 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHBDCCBeygAwIBAgIQDBPIc9zBr3N9boDXnNzlgzANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xODExMjAwMDAwMDBaFw0yMDExMjQxMjAwMDBa
MIGWMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xpbmExFDASBgNV
BAcTC01vcnJpc3ZpbGxlMR8wHQYDVQQKExZFeHRyZW1lIE5ldHdvcmtzLCBJbmMu
MRYwFAYDVQQLEw1JVCBPcGVyYXRpb25zMR8wHQYDVQQDExZzZXJ2aWNlcy5lbnRl
cmFzeXMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAopTDHl5L
0W3jY2AFhNJY77CLKIOMEhkh0I+IAft14BlD07HHNDaP6aGdKPZ/tsEGhWL1ZXNf
YNf05ani2SaMj5XLAQt4SNQUC8KjvvegFw8BqfuEzNMxvknXLPlHSXBA/L8p7XAc
+IBeHVT0UNLTIHa+tFxNrz30mOXbyh7PKiwMND4ILcpi6ERV7TRNLYqJhHOuP5Wo
WaeMun1h6utb9ftUzd00uWXo2QugIKg/WE5IqKSFdlVQ6a4AupZFahUxa54Vx/up
0HSVSa+AavecPuKZYL6R8OMg24VuOQ3vuiH+cnN7TUDhrlTeAYIVtL5ASkQgdOw2
TYHEDhMTCVSEpQIDAQABo4IDcTCCA20wHwYDVR0jBBgwFoAUUWj/kK8CB3U8zNll
ZGKiErhZcjswHQYDVR0OBBYEFBM1xgU6as9tDCROGlhquDd2YAlfMCEGA1UdEQQa
MBiCFnNlcnZpY2VzLmVudGVyYXN5cy5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB1BgNVHR8EbjBsMDSgMqAwhi5odHRw
Oi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzYuY3JsMDSgMqAw
hi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzYuY3Js
MEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMIGDBggrBgEFBQcBAQR3MHUw
JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBNBggrBgEFBQcw
AoZBaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkhpZ2hB
c3N1cmFuY2VTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAX4GCisGAQQB1nkC
BAIEggFuBIIBagFoAHcApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAA
AAFnMuNF3AAABAMASDBGAiEAohQbn9uilFkGM1BlGOQwxiPwHxbb6SqmxbFqg68r
+SECIQDZ4RpUK/qMRuPd0GuNZwhwBF86LQfmSvZIEUj6ukUTqAB1AId1v+dZfPiM
Q5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABZzLjRn4AAAQDAEYwRAIgJC1FvDa1
YwjU6m+cucgE0V5gldC7TanzPPC1w4DNGKECIEY9rNaNvEISbyUll2exG2FCN/Gk
jwOYkzJIGyyQJjqDAHYAu9nfvB+KcbWTlCOXqpJ7RzhXlQqrUugakJZkNo4e0YUA
AAFnMuNF+QAABAMARzBFAiAEn7Bqr/GaTfHbGUXUd8YKDI1fMwfSV7y2nTKut94u
CAIhAPxCvoA09htEnKLLIRwBcaXCx/OPqTwQ+LUCabdez3yGMA0GCSqGSIb3DQEB
CwUAA4IBAQCUwGzFihIugNq+IOSwvoglGB4FEMkrT7aYRaQQd7bo2LGb2PfotvHK
xzbqtGBAVtNWmamauvGcr8g7zMZGfPyzZ7GVSeC0Cv8YPg7HIQLiFNFgtHWOpHaM
TV/V2K1cv7nuXbHt9a7m//5CB0WTXLK7uwUeeZUU4we7ON1WTwgeBp6VPI9wBj0G
/knBFm3f+BP+b0pPtxrusjxIjq0sKuQMY9ptOBwtE5HDbj10P0VtW8gfPdOEpXkd
1dFkt4EfgNsoG0c+EYV1N1+RMxx0CtgHs5T9kdzts3GoVpeH2Jyg7F1Wgx9MC2B9
rYwrLemlqTYSX4eNDMlWmlFrpZrXRvZq
-----END CERTIFICATE-----
subject=/C=US/ST=North Carolina/L=Morrisville/O=Extreme Networks, Inc./OU=IT Operations/CN=services.enterasys.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6494 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 22CAD6499EE93091BA3728E5D628BD23082470479BCD77CE1DA3E2364345B2C8D8087031AEC5C75688315BF4D72053F2
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1576593455
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


root@xmc:/etc$ wget --debug https://services.enterasys.com
DEBUG output created by Wget 1.17.1 on linux-gnu.

Reading HSTS entries from /root/.wget-hsts
URI encoding = ‘UTF-8’
--2019-12-17 09:40:13--  https://services.enterasys.com/
Resolving services.enterasys.com (services.enterasys.com)... 134.141.4.61
Caching services.enterasys.com => 134.141.4.61
Connecting to services.enterasys.com (services.enterasys.com)|134.141.4.61|:443... connected.
Created socket 3.
Releasing 0x0000562ee77d60f0 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x0000562ee77d6350
certificate:
  subject: CN=services.enterasys.com,OU=IT Operations,O=Extreme Networks\\, Inc.,L=Morrisville,ST=North Carolina,C=US
  issuer:  CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
X509 certificate successfully verified and matches host services.enterasys.com


root@xmc:/etc$ curl -v https://services.enterasys.com
* Rebuilt URL to: https://services.enterasys.com/
*   Trying 134.141.4.61...
* Connected to services.enterasys.com (134.141.4.61) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 592 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification OK
*        server certificate status verification SKIPPED
*        common name: services.enterasys.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: C=US,ST=North Carolina,L=Morrisville,O=Extreme Networks\, Inc.,OU=IT Operations,CN=services.enterasys.com
*        start date: Tue, 20 Nov 2018 00:00:00 GMT
*        expire date: Tue, 24 Nov 2020 12:00:00 GMT
*        issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
*        compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: services.enterasys.com
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Server: Microsoft-IIS/8.5
< X-Powered-By: ASP.NET
< Date: Tue, 17 Dec 2019 14:34:46 GMT
< Content-Length: 0
< 
* Connection #0 to host services.enterasys.com left intact

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255