Cisco Cloud Services Router (CSR) 1000v RESTCONF won’t respond on HTTPS

What if you’re trying to use RESTCONF on a Cisco CSR 1000v and when you try to CURL you get an error like the ones below? Trying to load the URL in your browser doesn’t load either.

curl: (35) error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
OR
curl: (35) error:14008438:SSL routines:CONNECT_CR_KEY_EXCH:tlsv1 alert internal error

After troubleshooting with Cisco TAC it became evident that the self-signed certificate for the web server that runs RESTCONF was missing. Usually when you run ip http secure-server you should get a message below that a new certificate is being generated.

CRYPTO_PKI: setting trustpoint policy TP-self-signed-4113956215 to use keypair TP-self-signed-4113956215% Generating 2048 bit RSA keys, keys will be non-exportable…
[OK] (elapsed time was 9 seconds)

You can also verify that the certificate exists by running sh run | b crypto pki certificate chain TP-self-signed-4113956215. You should see something like this in your output:

crypto pki certificate chain TP-self-signed-4113956215
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313133 39353632 3135301E 170D3139 30333131 32313135
<snip>

If you don’t have that certificate generated, that is your problem.

Run the following commands to disable restconf and the web server, then run similar commands to enable them again. The certificate should always be auto-generated when you enable the web server. If it isn’t, try again. If it is generated but the web server still isn’t responding, try manually applying the certificate: ip http secure-trustpoint TP-self-signed-4113956215

CSR(config)#no restconf
CSR(config)#no ip http secure-server
CSR(config)#no ip http secure-trustpoint TP-self-signed-4113956215
CSR(config)#restconf
CSR(config)#ip http secure-server
CRYPTO_PKI: setting trustpoint policy TP-self-signed-4113956215 to use keypair TP-self-signed-4113956215% Generating 2048 bit RSA keys, keys will be non-exportable…
[OK] (elapsed time was 9 seconds)
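To run the same check against a saved copy of show running-config instead of eyeballing it, here is an added example (my own script, not from the original post or from Cisco). It reports whether the HTTPS server is enabled and whether its TP-self-signed trustpoint actually has a certificate chain, and if not, prints the bounce sequence above. The sample configs are constructed for the example.

```python
import re

# Constructed sample (not a real device): HTTPS server and RESTCONF are on,
# the trustpoint exists, but no certificate chain was ever generated.
SAMPLE_MISSING_CERT = """\
hostname CSR
!
crypto pki trustpoint TP-self-signed-4113956215
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4113956215
 rsakeypair TP-self-signed-4113956215
!
ip http secure-server
restconf
end
"""

# Same config with a (truncated, constructed) self-signed certificate chain.
SAMPLE_WITH_CERT = SAMPLE_MISSING_CERT.replace("!\nip http", """\
!
crypto pki certificate chain TP-self-signed-4113956215
 certificate self-signed 01
  30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
      quit
!
ip http""")

def self_signed_chains(config):
    """Return the trustpoint names that carry a 'certificate self-signed' entry."""
    chains, current = set(), None
    for line in config.splitlines():
        m = re.match(r"crypto pki certificate chain (\S+)", line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None  # any top-level line ends the chain block
        elif current and line.strip().startswith("certificate self-signed"):
            chains.add(current)
    return chains

def diagnose(config):
    """Check HTTPS/RESTCONF state and whether the trustpoint has a certificate."""
    tps = re.findall(r"^crypto pki trustpoint (TP-self-signed-\d+)", config, re.M)
    m = re.search(r"^ip http secure-trustpoint (\S+)", config, re.M)
    tp = m.group(1) if m else (sorted(tps)[0] if tps else None)
    result = {"secure_server": bool(re.search(r"^ip http secure-server", config, re.M)),
              "restconf": bool(re.search(r"^restconf\b", config, re.M)),
              "trustpoint": tp, "certificate_present": tp in self_signed_chains(config),
              "remediation": []}
    if result["secure_server"] and not result["certificate_present"]:
        result["remediation"] = ["no restconf", "no ip http secure-server",
                                 f"no ip http secure-trustpoint {tp}",
                                 "restconf", "ip http secure-server"]
    return result

if __name__ == "__main__":
    for cfg in (SAMPLE_MISSING_CERT, SAMPLE_WITH_CERT):
        print(diagnose(cfg))
```

Feed it the output of show running-config (for example via Netmiko or a saved file) in place of the constructed samples; an empty remediation list with certificate_present set to True means the web server has a certificate to present.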

Your CURL should succeed now!

$ curl -i -k -X "GET" "https://172.21.1.250:443/restconf/data/Cisco-IOS-XE-native:native/hostname" -H 'Accept: application/yang-data+json' -u 'cisco:cisco'
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 11 Mar 2019 21:27:24 GMT
Content-Type: application/yang-data+json
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
Pragma: no-cache
{
"Cisco-IOS-XE-native:hostname": "CSR"
}