NOTE: The only thing that resolved this issue, after the steps below were followed, was to replace the entire appliance via an RMA. I have documented the other steps we followed here to show in more detail what can be tried but, in our case, failed.
This particular problem was caused by the Director's original "birth certificate" being corrupted, which caused the certificate we downloaded from abrca.bluecoat.com to fail *verification*. During manufacturing, the key pair is generated; the private key is stored in the EEPROM and the public key is stored on the ABRCA server with the serial number. When a certificate fails to verify, it's because of corrupt data stored in the EEPROM.
At one point in our diagnosis below, we replaced the drive, but not the whole appliance. Replacing the drive will not make any difference, since the unit's birth certificate is stored in the box's EEPROM.
1: After following the instructions in the above article, I see this output on my command line interface (CLI) screen.
Below is the error seen:
director (config) # ssl request-appliance-certificate
Certificate verification failed
director (config) #
With this symptom, you will also notice these messages in the logs.
Jun 25 12:56:21 director cli: <-cli.notice> admin@::ffff:172.31.34.155: Processing command: 1277488581882555:ssl request-appliance-certificate
Jun 25 12:56:22 director configd: <configd.notice> Certificate retrieved OK
Jun 25 12:56:27 director configd: <configd.crit> Unable to verify cert. Failed to exec curl
Jun 25 12:56:27 director configd: <configd.crit> get_cert_auto(), cdm_ssl.c:513, build 000000: Error 1 returned, bailing out.
2: Going to http://abrca.bluecoat.com/sign-manual/ and manually creating the KEY produces the same results.
3: Replacing the disk drive, via the RMA process, also produces the same result.
4: Bluecoat Customer care was asked to validate the customer's serial number, and it all checked out, except the customer name. Once this was fixed, the symptom remained, though.
5: Both the Domain Name System (DNS) has to be configured and the time has to be set correctly. SSL certificates are time/date dependent, and will fail if the time is not set correctly.
NOTE1: The only relation between an SG cert. and a Director cert. is that they are both signed by our CA named "ABRCA", at abrca.bluecoat.com.
NOTE2: 'curl' is a utility that Director uses to pull files, in this case the certificate, from the SG via the network.
NOTE3: For information on how to update your SSL appliance certificate, see 000011223
NOTE4: A technical bulletin has also been published on this. TFA49
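The root cause above is a certificate whose public key no longer corresponds to the private key held on the unit, and step 5 adds that the clock must be correct. The following is an added example, not Blue Coat code and not something run on a Director: it reproduces both conditions on a workstation with the openssl CLI. The throwaway CA stands in for ABRCA, and the file names, the CN and the check_cert helper are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added illustration; every key, certificate and name here is a constructed stand-in.

# Build a throwaway CA (standing in for ABRCA) and a device cert bound to device.key.
make_fixture() {
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=SERIAL-PLACEHOLDER" \
        -keyout "$d/device.key" -out "$d/device.csr" 2>/dev/null
    openssl x509 -req -in "$d/device.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/device.pem" 2>/dev/null
    # Two stand-ins for a corrupted stored key: an unrelated key and a truncated one.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" 2>/dev/null
    head -c 200 "$d/device.key" > "$d/truncated.key"
}

# PEM public key derived from a private key / carried in a certificate.
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Prints one verdict: ok | untrusted-or-bad-date | key-unreadable | key-mismatch
check_cert() {  # check_cert CERT KEY CA [EPOCH]
    local cert=$1 key=$2 ca=$3 at=${4:-}
    local kpub cpub
    # Chain and validity window, evaluated at EPOCH if given (simulates a wrong clock).
    openssl verify -CAfile "$ca" ${at:+-attime "$at"} "$cert" >/dev/null 2>&1 \
        || { echo "untrusted-or-bad-date"; return 1; }
    # The certificate is only usable if the stored private key yields the same public key.
    kpub=$(key_pub "$key") || { echo "key-unreadable"; return 1; }
    cpub=$(cert_pub "$cert")
    [ "$kpub" = "$cpub" ] || { echo "key-mismatch"; return 1; }
    echo "ok"
}

d=$(mktemp -d) && make_fixture "$d"
check_cert "$d/device.pem" "$d/device.key"    "$d/ca.pem"            # healthy unit
check_cert "$d/device.pem" "$d/other.key"     "$d/ca.pem"            # stored key differs
check_cert "$d/device.pem" "$d/truncated.key" "$d/ca.pem"            # stored key damaged
check_cert "$d/device.pem" "$d/device.key"    "$d/ca.pem" 946684800  # clock at 2000-01-01
rm -rf "$d"
```

In the two key cases the certificate itself is perfectly valid and chains to the CA, which is why re-requesting it or swapping the disk changes nothing when the stored key is the damaged part.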