How to identify and correct a corrupt certificate revocation list (CRL)

Article: 100039945
Last Published: 2017-09-15
Product(s): NetBackup

Problem

This is "Issue 4: A corrupt certificate revocation list (CRL)" as referenced in the master article for troubleshooting CRL-related problems, 100039941.

Default file location:
Windows:    install_path\NetBackup\var\vxss\crl\abcd1234.crl
Unix/Linux:  /usr/openv/var/vxss/crl/abcd1234.crl

If the certificate revocation list (CRL) is corrupt or unreadable, backups fail with several different status codes and behaviors, including the following:

1. Hung backup jobs. If the media server's CRL is corrupt and client backups that require its storage are run, the backup jobs hang waiting for resources.

2. Status codes 7640 and 25, if the media server has a corrupt CRL and is backing itself up.

Example job details:

Sep 5, 2017 5:32:15 PM - Info nbjm (pid=15375) started backup (backupid=nbmedia2_1504647135) job for client nbmedia2, policy nbmedia2-policy, schedule Full on storage unit nbmedia2-hcart2-robot-tld-1
Sep 5, 2017 5:32:15 PM - Error nbjm (pid=15375) [PROXY] Connecting host: nbmaster2.fqdn.com
Sep 5, 2017 5:32:15 PM - Error nbjm (pid=15375) [PROXY] ConnectionId: {AFB49554-9281-11E7-9B8D-3A39BC30DDE1}:OUTBOUND
Sep 5, 2017 5:32:15 PM - Error nbjm (pid=15375) [PROXY] pid: 1492
Sep 5, 2017 5:32:15 PM - Error nbjm (pid=15375) [PROXY] Received status: 7640 with message SSL connection was shutdown.
Sep 5, 2017 5:32:15 PM - Error nbjm (pid=15375) [PROXY] Encountered error (PROXY_PROTOCOL_READING_JSON_LENGTH) while processing(ProxyProtocol).
cannot connect on socket  (25)

3. Status codes 7640, 61, and 23, if the client's CRL is corrupt when backups are attempted.

Example job details:

Sep 5, 2017 2:03:45 PM - Error bpbrm (pid=4632) [PROXY] Received status: 7640 with message SSL connection was shutdown.
Sep 5, 2017 2:03:45 PM - Error bpbrm (pid=4632) [PROXY] Encountered error (PROXY_PROTOCOL_READING_JSON_LENGTH) while processing(ProxyProtocol).
Sep 5, 2017 2:03:45 PM - Error bpbrm (pid=4632) cannot send mail because BPCD on nbclient1 exited with status 61: the vnetd proxy encountered an error
Sep 5, 2017 2:03:45 PM - Info bpbkar32 (pid=0) done. status: 23: socket read failed
Sep 5, 2017 2:03:45 PM - end writing
socket read failed  (23)

If the client's CRL is corrupt, the bpcd log on the client shows status 7654:
13:50:23.731 [12560] <16> dump_proxy_info: statusmsg: The revocation status of the peer host certificate cannot be verified using the Certificate Revocation List (CRL), because no CRL is present from the certificate issuer's domain., nbu status = 7654, severity = 2

To check the state of the client or media server, run nbcertcmd -hostselfcheck. If the CRL is corrupt, it exits with error 9301:
nbcertcmd -hostselfcheck
Unable to read CRL for server = nbmaster2, error = 9301.
EXIT STATUS 9301: Failed to decode certificate revocation list.

Reminder: For information about log file verbose or debug levels, see the parent article, 100039941.

Solution

To resolve this issue, complete the following on the host (client or media server) reporting the error:

Fetch an updated CRL from the master server:
nbcertcmd -getCRL

If successful, it returns the following:
nbcertcmd -getCRL
Successfully retrieved certificate revocation list for master server [nbmaster2]

Once an updated CRL has been fetched, nbcertcmd -hostselfcheck succeeds:
nbcertcmd -hostselfcheck
The certificate is not revoked.
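As an added example (not Veritas tooling and not part of this article), the following Python script maps a pasted job-details, bpcd or nbcertcmd excerpt to the status-code combinations described in the Problem section and names the host on which to run nbcertcmd -getCRL. The sample excerpts are constructed from the article's log lines, and the classification rules are an assumption drawn from the three cases listed above.

```python
# Added example (not Veritas tooling): triage a pasted NetBackup job-details,
# bpcd or nbcertcmd excerpt for the corrupt-CRL signature this article describes.
import re
from collections import Counter
# Status codes the article associates with a corrupt or unreadable CRL.
CRL_STATUS_CODES = {7640, 7654, 9301, 25, 61, 23}
# Message fragments quoted in the article that confirm the CRL failure mode.
CRL_MARKERS = ("PROXY_PROTOCOL_READING_JSON_LENGTH", "Certificate Revocation List (CRL)",
               "Failed to decode certificate revocation list", "Unable to read CRL")
# Matches "status: 7640", "status 61", "nbu status = 7654", "error = 9301",
# "EXIT STATUS 9301" and a trailing "(25)" as NetBackup prints them.
STATUS_RE = re.compile(r"(?:status:?|nbu status =|error =|EXIT STATUS)\s*(\d+)|\((\d+)\)\s*$")

def extract_status_codes(line):
    """Return every NetBackup status code mentioned on one line."""
    return {int(m.group(1) or m.group(2)) for m in STATUS_RE.finditer(line)}

def triage(lines):
    """Decide whether the excerpt points at a corrupt CRL and on which host."""
    codes, markers, processes = Counter(), set(), set()
    for line in lines:
        codes.update(extract_status_codes(line) & CRL_STATUS_CODES)
        markers.update(m for m in CRL_MARKERS if m in line)
        proc = re.search(r"\b(nbjm|bpbrm|bpcd|nbcertcmd)\b", line)
        if proc:
            processes.add(proc.group(1))
    # 25/61/23 alone are generic socket errors; require a CRL-specific code or marker.
    if not markers and not codes.keys() & {7640, 7654, 9301}:
        return {"crl_suspect": False, "host": None, "codes": sorted(codes), "action": None}
    if "nbjm" in processes and 25 in codes:      # media server backing itself up
        host = "media server"
    elif codes.keys() & {61, 23, 7654}:          # bpbrm/bpcd failures toward the client
        host = "client"
    else:                                        # e.g. nbcertcmd -hostselfcheck exit 9301
        host = "host that ran nbcertcmd -hostselfcheck" if 9301 in codes else "unknown"
    return {"crl_suspect": True, "host": host, "codes": sorted(codes),
            "action": "run 'nbcertcmd -getCRL' on the %s, then 'nbcertcmd -hostselfcheck'" % host}

# Constructed sample excerpts modeled on the article's job details (not real logs).
MEDIA_SELF_BACKUP = [
    "Error nbjm (pid=15375) [PROXY] Received status: 7640 with message SSL connection was shutdown.",
    "Error nbjm (pid=15375) [PROXY] Encountered error (PROXY_PROTOCOL_READING_JSON_LENGTH) while processing(ProxyProtocol).",
    "cannot connect on socket  (25)"]
CLIENT_BACKUP = [
    "Error bpbrm (pid=4632) [PROXY] Received status: 7640 with message SSL connection was shutdown.",
    "Error bpbrm (pid=4632) cannot send mail because BPCD on nbclient1 exited with status 61: the vnetd proxy encountered an error",
    "socket read failed  (23)"]
SELFCHECK = ["Unable to read CRL for server = nbmaster2, error = 9301.",
             "EXIT STATUS 9301: Failed to decode certificate revocation list."]
HEALTHY = ["The certificate is not revoked."]
```

Paste the job details or bpcd lines for one host into a list and call triage() on it; a result with crl_suspect set to False means the excerpt does not match this article's failure mode.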
 
