topic Re: ISE 3.1 certificate issue in Network Access Control

ISE 3.1 certificate issue

Dustin Anderson — Tue, 13 Dec 2022 15:18:51 GMT

I do have a TAC open, but want to see if anyone has an idea while I'm waiting.

So, we use a public COMODO cert for our portals. I just got the renewed cert and went to install it last weekend. With the new cert, all portals load with:

This site can’t provide a secure connection

ise-t.whatever.com uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I thought maybe the cert, or key was incorrect, so I put the old cert back and the portals worked.

Monday, I spun up a test VM same as production of 3.1 patch 4. I started with the new cert and the portals worked, but then changing to the old cert caused the same error. But, changing back to the new did not correct it, so I'm guessing I got lucky in prod that the old cert took.

I'm currently downloading patch 5 to try on the test, but don't see any bugs related that it could be.

My thoughts are it could be due to it being a renewal and they both use the same key. Testing this is a pain since it's a public cert and we would have to revoke and do a new CSR to test.

Any suggestions would be appreciated. I have about 10 days until my cert dies.

Re: ISE 3.1 certificate issue

Mark Elsen — Tue, 13 Dec 2022 16:16:06 GMT

- What error do you get in Firefox ?

Re: ISE 3.1 certificate issue

Dustin Anderson — Tue, 13 Dec 2022 16:36:47 GMT

basically the same.

Error code: SSL_ERROR_NO_CYPHER_OVERLAP

Re: ISE 3.1 certificate issue

Mark Elsen — Tue, 13 Dec 2022 16:50:38 GMT

- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc64480

Re: ISE 3.1 certificate issue

Dustin Anderson — Tue, 13 Dec 2022 18:08:54 GMT

Thanks, that seems to be the bug. weird part is I tried rebooting yesterday and still had the issue, but seems to be working today. Only difference is I added patch 5 to the test node.

I'm going to restore it back to patch 4 and see if rebooting still works, will tell me if I have to also install patch 5 on my production before it works or not.

Re: ISE 3.1 certificate issue

Dustin Anderson — Tue, 13 Dec 2022 19:24:12 GMT

ok, not crazy. On 3.1 patch 4, the reboot workaround does not work. Applying patch 5 and verifying that still works.

Re: ISE 3.1 certificate issue

Dustin Anderson — Tue, 13 Dec 2022 19:47:28 GMT

Ok, patch 5 kicked in the new cert, so it appears to be the bug, with the caveat of needing patch 5 for the workaround to work. Will have to fix production this weekend.

Re: ISE 3.1 certificate issue

dubeyshivprakash09 — Tue, 27 Dec 2022 07:08:25 GMT

@Mark Elsen wrote:

- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc64480
Pls confirm how I can download expired certificate from Cisco.

Re: ISE 3.1 certificate issue

dubeyshivprakash09 — Tue, 27 Dec 2022 07:11:10 GMT

Just want to download expired ccie security written exam certificate

Re: ISE 3.1 certificate issue

EU UC Support — Tue, 09 May 2023 17:26:48 GMT

Hey Dustin, we're currently hit with the bug but on the report is only mentions we need to "reload ISE server". Do you know if this is all of the nodes? Just the PSNs?

Thanks

Re: ISE 3.1 certificate issue

Dustin Anderson — Tue, 09 May 2023 17:41:28 GMT

If you are on patch 5+, I believe the reboot should work. without 5 reboot did not fix the issue. The issue is with renewal, so could also maybe regenerate a completely new cert, but not sure.

I would suspect all nodes, but we just have a 2 node deployment, so can't verify that myself.

Re: ISE 3.1 certificate issue

Sri Harsha Dasari — Wed, 31 May 2023 02:20:35 GMT

I had the same issue, moved portal certificate to another cert(admin/default), then deleted old and new portal certs.
Now reloaded PSN's and then PAN. Now, imported the new certificate back. Then it took the new certificate and is working fine.

Re: ISE 3.1 certificate issue

tomhoed — Thu, 04 Jul 2024 09:56:09 GMT

We had the same issue on ISE 3.2 Patch 4

Followed the same procedure as Sri:
Moved guest portal certificate group to the default
deleted old (and new) portal certificates
reboot PSN1 (show application status to check functionality, all running >> OK), reboot PSN2
Upload new guest portal certificates with a new group
Link new cert group to guest portal

Re: ISE 3.1 certificate issue

voidray87 — Tue, 18 Feb 2025 12:58:57 GMT

Got same on ISE 3.2 patch 7. Will have to do it on maintenance window. How long, Cisco, you will be making buggy software?

Because instead of expanding your Department of Inclusivity or so, you'd better hire developers with proper skills.