SRX

Expand all | Collapse all

Upgrade SRX345 from 15.1X49-D190.2 to 18.2R3.4 fails: certificate 'device': certificate does not exist .

Jump to Best Answer
  • 1.  Upgrade SRX345 from 15.1X49-D190.2 to 18.2R3.4 fails: certificate 'device': certificate does not exist .

    Posted 11-01-2019 07:49

    Upgrade SRX345 from 15.1X49-D190.2 to 18.2R3.4 fails with the following errors:

     

    request system software add /var/tmp/junos-srxsme-18.2R3.4.tgz no-copy unlink

    NOTICE: Validating configuration against junos-srxsme-18.2R3.4.tgz.

    NOTICE: Use the 'no-validate' option to skip this if desired.

    Formatting alternate root (/dev/da0s1a)...

    /dev/da0s1a: 2510.1MB (5140780 sectors) block size 16384, fragment size 2048

            using 14 cylinder groups of 183.62MB, 11752 blks, 23552 inodes.

    super-block backups (for fsck -b #) at:

    32, 376096, 752160, 1128224, 1504288, 1880352, 2256416, 2632480, 3008544,

    3384608, 3760672, 4136736, 4512800, 4888864

    Checking compatibility with configuration

    Initializing...

    Verified manifest signed by PackageProductionEc_2019 method ECDSA256+SHA256

    Using junos-18.2R3.4 from /altroot/cf/packages/install-tmp/junos-18.2R3.4

    Copying package ...

    veriexec: cannot update veriexec for /cf/var/validate/c/junos/var/jailetc/php_mod.ini: No such file or directory

    veriexec: cannot update veriexec for /cf/var/validate/c/junos/var/jailetc/mime.types: No such file or directory

    veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libpsu.so.3: Too many links

    veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libyaml.so.3: Too many links

    veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libext_db.so.3: Too many links

    veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/telemetry/na-mqttd/na-mqtt.conf: No such file or directory

    Verified manifest signed by PackageProductionEc_2019 method ECDSA256+SHA256

    Hardware Database regeneration succeeded

    Validating against /config/juniper.conf.gz

    Network security daemon: <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">

    Network security daemon: <source-daemon>nsd</source-daemon>

    Network security daemon: <message>certificate 'device': certificate does not exist .</message>

    Network security daemon: </xnm:error>

    mgd: error: configuration check-out failed

    Validation failed

    Validating against /config/rescue.conf.gz

    Network security daemon: <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">

    Network security daemon: <source-daemon>nsd</source-daemon>

    Network security daemon: <message>certificate 'device': certificate does not exist .</message>

    Network security daemon: </xnm:error>

    mgd: error: configuration check-out failed

    Validation failed

    ERROR: Configuration validation failed with /altroot/cf/packages/install-tmp/junos-18.2R3.4

     

    Any ideas how to make this work?



  • 2.  RE: Upgrade SRX345 from 15.1X49-D190.2 to 18.2R3.4 fails: certificate 'device': certificate does not exist .
    Best Answer

     
    Posted 11-02-2019 00:47

    Try the following commands:

     

    request system configuration rescue save
    request system software add no-copy no-validate /var/tmp/junos-srxsme-18.2R3.4.tgz

     

    Do not use "unlink" on SRX platform, it is only supported on M, T and MX platforms.



  • 3.  RE: Upgrade SRX345 from 15.1X49-D190.2 to 18.2R3.4 fails: certificate 'device': certificate does not exist .

    Posted 11-03-2019 01:50

    Thanks! Worked like a charm...



  • 4.  RE: Upgrade SRX345 from 15.1X49-D190.2 to 18.2R3.4 fails: certificate 'device': certificate does not exist .

    Posted 01-27-2020 21:39

    I am Trying to update SRX550M and getting the following:

    Current OS:

    show version
    Hostname: lan-fw1
    Model: srx550m
    Junos: 15.1X49-D170.4
    JUNOS Software Release [15.1X49-D170.4]

    request system software validate /var/tmp/junos-srxsme-18.2R3-S2.9.tgz
    Checking compatibility with configuration
    Initializing...
    Verified manifest signed by PackageProductionEc_2019 method ECDSA256+SHA256
    Using /var/tmp/junos-srxsme-18.2R3-S2.9.tgz
    Checking junos requirements on /
    Available space: 2222236 require: 365914
    Saving boot file package in /var/sw/pkg/junos-boot-srxsme-18.2R3-S2.9.tgz
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/var/jailetc/php_mod.ini: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/var/jailetc/mime.types: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libpsu.so.3: Too many links
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libyaml.so.3: Too many links
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libext_db.so.3: Too many links
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/telemetry/na-mqttd/na-mqtt.conf: No such file or directory
    Verified manifest signed by PackageProductionEc_2019 method ECDSA256+SHA256
    Hardware Database regeneration succeeded
    Validating against /config/juniper.conf.gz
    mgd: error: Allocating memory for action maps 'no-ssh-rsa' failed
    Abort trap (core dumped)
    Validation failed
    Validating against /config/rescue.conf.gz
    Network security daemon: <xnm:warning xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
    Network security daemon: <source-daemon>nsd</source-daemon>
    Network security daemon: <message>You have changed iso flow mode.
    Network security daemon: You have to reboot the system for your change to take effect.
    Network security daemon: If you have deployed a cluster, be sure to reboot all nodes.</message>
    Network security daemon: </xnm:warning>
    UTM Daemon: <xnm:warning xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
    UTM Daemon: <source-daemon>utmd</source-daemon>
    UTM Daemon: <message>Anti-spam feature needs AS type configuration:
    UTM Daemon: "set security utm default-configuration anti-spam type ..."
    UTM Daemon: </message>
    UTM Daemon: </xnm:warning>
    mgd: commit complete
    Validation succeeded
    ERROR: Configuration validation failed with /var/tmp/junos-srxsme-18.2R3-S2.9.tgz



  • 5.  RE: Upgrade SRX345 from 15.1X49-D190.2 to 18.2R3.4 fails: certificate 'device': certificate does not exist .

    Posted 01-29-2020 23:29
    Hi,

    Looks like there is some configuration which is missing in the device which is causing the validation to fail.
    UTM Daemon:


  • 6.  RE: Upgrade SRX345 from 15.1X49-D190.2 to 18.2R3.4 fails: certificate 'device': certificate does not exist .

    Posted 01-30-2020 14:35

    Hello.

     

    The command to set the anti-spam type does not exist prior to JunOS 18. Any advice on how to proceed other than telling the system to not validate the package?

     

    Model: srx345-dual-ac
    Junos: 15.1X49-D160.2
    JUNOS Software Release [15.1X49-D160.2]

     

    user@FW2# set security utm ?
    Possible completions:
    > application-proxy Application proxy settings
    + apply-groups Groups from which to inherit configuration data
    + apply-groups-except Don't inherit configuration data from these groups
    > custom-objects Custom-objects settings
    > feature-profile Feature-profile settings
    > ipc IPC settings
    > traceoptions Trace options for utm
    > utm-policy Configure profile
    [edit]

    However it is present on the following

     

    Model: srx345-dual-ac
    Junos: 18.2R3-S2.9
    JUNOS Software Release [18.2R3-S2.9]

     

    user@FW9# set security utm default-configuration anti-spam type anti-spam-none ?
    Possible completions:
    <[Enter]> Execute this command
    address-blacklist Anti-spam blacklist
    address-whitelist Anti-spam whitelist
    + apply-groups Groups from which to inherit configuration data
    + apply-groups-except Don't inherit configuration data from these groups
    > sbl SBL settings
    > traceoptions Trace options for anti-spam feature

    Thank you



  • 7.  RE: Upgrade SRX345 from 15.1X49-D190.2 to 18.2R3.4 fails: certificate 'device': certificate does not exist .

    Posted 01-31-2020 02:26

    Hi,

     

    Thanks for the response.

     

    I cant see the config you have provided.

    set security utm ?
    Possible completions:
    > application-proxy Application proxy settings
    + apply-groups Groups from which to inherit configuration data
    + apply-groups-except Don't inherit configuration data from these groups
    > custom-objects Custom-objects settings
    > feature-profile Feature-profile settings
    > ipc IPC settings
    > traceoptions Trace options for utm
    > utm-policy Configure profile

     

    this is the current config i have 
    feature-profile {
    anti-virus {
    type sophos-engine;
    }
    anti-spam {
    sbl;
    }
    }
    utm-policy ticl-lan-policy {
    anti-virus {
    http-profile junos-sophos-av-defaults;
    ftp {
    upload-profile junos-sophos-av-defaults;
    download-profile junos-sophos-av-defaults;
    }
    smtp-profile junos-sophos-av-defaults;
    pop3-profile junos-sophos-av-defaults;
    imap-profile junos-sophos-av-defaults;
    }
    anti-spam {
    smtp-profile junos-as-defaults;
    }
    }