topic ERROR (SSL Routing, SSL_GET_SERVER_CERTIFICATE, Certificate verification failed in Network Access Control

ERROR (SSL Routing, SSL_GET_SERVER_CERTIFICATE, Certificate verification failed

VamsiKrishna — Fri, 21 Feb 2020 19:09:42 GMT

Hello Everyone,

We are using ISE version 2.3.0.298 patch 6,7 in virtual environment. We are trying to do TC-NAC from ISE GUI with AMP cloud but it show error "ERROR: while trying to connect to AMP cloud " in vendor instance while trying to connect AMP. When we checked the log in ISE using “show logging container tc-nac container-name <InstanceName> log-name adapter.log tail” command it show error "[Get clouds received RequestException ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)].

Help us to solve this issue.

Re: ERROR (SSL Routing, SSL_GET_SERVER_CERTIFICATE, Certificate verification failed

Arne Bier — Wed, 11 Sep 2019 10:51:46 GMT

TC-NAC is a bit of a special beast. I have not done one myself, but there is a nice write up about getting comms working between ISE and a TC-NAC third-party vendor.

You may have missed the part where you have to install the CA cert chain of your TC-NAC service that ISE is connecting to (AMP in this case)

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200974-Configure-ISE-2-2-Threat-Centric-NAC-TC.html

Re: ERROR (SSL Routing, SSL_GET_SERVER_CERTIFICATE, Certificate verification failed

VamsiKrishna — Thu, 12 Sep 2019 13:17:04 GMT

Thank for the reply.

But we are using Cisco AMP in our scenario. In Cisco AMP we can't generate certificate, we have a self-signed certificate in ISE.
is there any other way we can solve this issue ?

Re: ERROR (SSL Routing, SSL_GET_SERVER_CERTIFICATE, Certificate verification failed

networksumo — Fri, 17 Jul 2020 04:30:21 GMT

Did you ever get a resolution for this issue?