Cisco vEdge Cloud Certificate Installation

Like some of the other articles I’ve written, this serves mostly as a documentation page for myself. The last time I had to manually install a certificate on a vEdge Cloud router was six months ago, and the steps are easy to forget. This guide was written for vEdge Cloud 18.3.3.

Installing a vEdge Cloud router

It’s fairly easy to install the vEdge Cloud router. There are images available for VMs in all the major clouds. In my experience, Azure provides an image, but also has two templates you can run which help with the setup. You can choose a 3-NIC VM or a 4-NIC VM, and running the template assists with placing the VMs in the right subnets. If you run the standard image, you will end up with a 2-NIC variant by default. These templates use outdated software versions though, so be aware that you might miss some features that can assist in troubleshooting.

Connecting to the vManage

As with any other vEdge that does not connect automatically, make sure there is an IP address under the interface tied to VPN 0. Also check for a name-server and an IP route. Under system, make sure the device has a device ID, site ID and vBond address.

Setting up the certificate

You need to copy the certificate of the vManage to the vEdge and install it there.

Getting the vManage cert

In vManage, go to Configuration > Certificates > Controllers. Under the options of the vManage entry, you can view the certificate. Copy this certificate.

Installing the Cert on the vEdge

SSH into the vEdge Cloud router and open the shell:

vEdge# vshell

Paste the certificate of the vManage into a file. Open the file in the vi editor, press i to enter insert mode and then paste with keyboard shortcuts or your mouse. To save and exit, press ESC (the escape key), type :wq and press Enter.

vEdge:~$ vi ca.crt
# paste into vi and go out
# then check the contents of the file to make sure it is there
vEdge:~$ cat ca.crt
vEdge:~$ exit

Install the certificate in the vEdge. The location is dependent on the user you used to SSH into the device, so put the right user in between the slashes.

vEdge# request root-cert-chain install home/<username>/ca.crt

Verify the install of the certificate with:

vEdge# show control local-properties

or

vEdge# show certificate root-ca-cert

Root-ca OK, Certificate-status not-installed

What this comes down to is that the vEdge does not have the list of CA certificates to verify the vBond certificate against. The easiest way to fix this is to copy this list from the vBond. SSH into the vBond:

vbond# vshell
vbond:~$ cat /usr/share/viptela/root-ca.crt

Copy these lines (628 lines in my case) to a file on the vEdge. Make sure that none of the lines have trailing spaces at the end.

vEdge# vshell
vEdge:~$ vi root-ca.crt
# paste into vi and go out
# then check the contents of the file to make sure it is there
vEdge:~$ cat root-ca.crt
vEdge:~$ exit
vEdge# request certificate install
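To catch the trailing-space problem before running request certificate install, here is an added shell check (example code, not from the original article or from Cisco). It assumes only POSIX sh, sed and awk are available in vShell, strips trailing whitespace and carriage returns from the pasted PEM file, and verifies that every BEGIN CERTIFICATE block is properly closed.

```shell
#!/bin/sh
# Added example, not part of the original article or Cisco's tooling.
# Sanity-check a pasted PEM bundle (ca.crt / root-ca.crt) before
# "request certificate install". Assumes vShell offers POSIX sh, sed
# and awk (assumption); no openssl is needed for this structural check.

# clean_pem IN OUT: copy IN to OUT with trailing spaces, tabs and CRs removed,
# which is what a paste through vi over SSH commonly leaves behind.
clean_pem() {
    sed -e 's/[[:space:]]*$//' "$1" > "$2"
}

# count_certs FILE: print the number of complete certificate blocks.
# Exit 1 when a BEGIN has no matching END, an END has no BEGIN, a line
# inside a block is not base64, or no certificate is found at all.
count_certs() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (open) bad = 1; open = 1; next }
        /^-----END CERTIFICATE-----$/   { if (!open) bad = 1; open = 0; n++; next }
        open && !/^[A-Za-z0-9+\/=]+$/   { bad = 1 }
        END { print n + 0; if (open || bad || n == 0) exit 1 }
    ' "$1"
}

# check_bundle IN OUT: clean IN into OUT and report the certificate count;
# a non-zero return means the file should not be installed as-is.
check_bundle() {
    clean_pem "$1" "$2" || return 1
    n=$(count_certs "$2") || {
        echo "$1: malformed PEM ($n complete block(s) found)" >&2
        return 1
    }
    echo "$2: $n certificate(s), $(wc -l < "$2" | tr -d ' ') lines"
}

# Constructed demo input (NOT a real certificate): a trailing space on the
# first BEGIN line and a CR on the last END line, as a sloppy paste would leave.
sample=$(mktemp)
printf '%s\n' \
    '-----BEGIN CERTIFICATE-----   ' \
    'MIIBc29tcGxlTk9UQVJFQUxDRVJU' \
    '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' \
    'MIIBc29tcGxlTk9UQVJFQUxDRVJU' \
    "-----END CERTIFICATE-----$(printf '\r')" > "$sample"
check_bundle "$sample" "$sample.clean"
```

Run it against the pasted root-ca.crt and install the cleaned copy only when the reported count matches the number of certificates you copied from the vBond.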

Now your output should look something like this:

vEdge# show control local-properties
personality                  vedge
sp-organization-name         <org name>
organization-name            <org name>
certificate-status           Installed
root-ca-chain-status         Installed

certificate-validity         Valid
certificate-not-valid-before Jun 02 11:55:56 2020 GMT
certificate-not-valid-after  May 31 11:55:56 2030 GMT

dns-name                     <vbond address>
site-id                      <site id>
domain-id                    1
protocol                     dtls
tls-port                     0
system-ip                    <system ip>
chassis-num/unique-id        <chassis id>
serial-num                   <certificate serial number>
token                        Invalid
keygen-interval              1:00:00:00
retry-interval               0:00:00:17
no-activity-exp-interval     0:00:00:12
dns-cache-ttl                0:00:02:00
port-hopped                  TRUE
time-since-last-port-hop     0:01:31:58
embargo-check                success
number-vbond-peers           0
number-active-wan-interfaces 1

Connect vEdge to vbond

From here on out, it should be an automatic process. However, if it isn’t, or if you want to use an existing chassis ID in your vManage that is not yet in use:

vEdge# request vedge-cloud activate
Value for 'chassis-number' (<Chassis number/uuid of the device>):
Value for 'token' (<Serial number of the device>):

The chassis ID can be found under Configuration > Devices and then selecting the right device. The Token ID can be located under the extra options > Generate Bootstrap Configuration. Select Cloud-Init and locate the Token-ID.

Debugging

It can help to perform some debugging to find out why a vEdge does not connect. You can run the following commands on both the vEdge and the vBond.

debug vdaemon misc high
show log tail -f /var/log/tmplog/vdebug

The debug output will point you in the right direction as to which issue is causing the connection problems to the vBond, vManage and vSmart.

To disable debug:

no debug vdaemon misc