Certificate Troubleshooting

Issue Resolution
My device is registered but the certificates do not appear on the SLX device. Try the following:
  • Ensure that the device is running at least SLX-OS 20.1.x.
  • Ensure that the time on the SLX device and the time on the EFA host device are synchronized.
  • Ensure that the certificates are installed. Run the efa certificate device install command.
How do I know about the certificate expiry in EFA?
  • Run the following REST API to get the expiry date of all the certificates of EFA:
    curl -X GET 'https://<vip>:8078/v1/monitor/certificate/expiry' --header 'Authorization:Bearer eyJhbGciOiJSUzI… ‘.
  • Run the following openssl command:
    extreme@tpvm:~$ openssl x509 -in <Location of the certificate> -noout -enddate
How do I verify the certificate provided by EFA through its ingress interface? Run the following command. The output should indicate that efa.extremenetworks.com is present.
$ openssl
        s_client -connect <EFA_IP_ADDR>:443
There is a security violation on the switch when EFA (installed on TPVM) logs in and tries to access the switch with different usernames. You observe the following logs on SLX console:

1018 AUDIT, 2021/10/14-17:26:57 (GMT), [SEC-3021], INFO, SECURITY, extreme/root/10.20.32.141/ssh/CLI,, SLX, Event: login, Status: failed, Info: Failed login attempt through REMOTE, IP Addr: 10.20.32.141

1017 AUDIT, 2021/10/14-17:26:55 (GMT), [SEC-3020], INFO, SECURITY, admin/admin/10.20.32.141/ssh/CLI,, SLX8720-32C, Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: 10.20.32.141

1002 AUDIT, 2021/10/14-17:26:41 (GMT), [SEC-3020], INFO, SECURITY, admin/admin/10.20.32.141/ssh/CLI,, SLX8720-32C, Event: login, Status: success, Info: Successful login attempt via NETCONF, IP Addr: 10.20.32.141

Try the following:
  • Ensure that you have correctly followed the system restore process.
  • Ensure that all the devices are registered.
  • Ensure that the certificates are installed on the devices to enable secure connections. Run the efa certificate device install --ips <ip-adddr> certType [ http|token] command to install the HTTPS or OAuth2 certificate on one or more devices..