CAPWAP Certificate verified failed

juantovarm — Mon, 05 Jul 2021 19:59:06 GMT

I have this old AIR-AP1252G-A-K9 (which i downgraded from autonomous to light using the c1250-rcvk9w8-tar.124-21a.JA image) connected to a vWLC AIR-CTVM-K9-8-0-152-0 running the trial license. They used to bind till yesterday when I cleared the vWLC config using "Recover-Config". Upon reconfiguring the vWLC they can't bind anymore due to expired certificates. I have already entered the commands:

config ap cert-expiry-ignore mic enable

but to no avail. I've already done the same steps rolling back the clock on both devices, on 1 device and not the other, using NTP, but I keep getting the following errors:

*Jan 10 09:31:45.999: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Jan 10 09:31:45.999: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Jan 10 09:31:56.007: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan 10 09:31:56.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.251 peer_port: 5246
*Jan 10 09:31:56.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Jan 10 09:31:56.015: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Jan 10 09:31:56.015: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Jan 10 09:31:56.015: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:326 Certificate verified failed!
*Jan 10 09:31:56.015: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.1.251
*Jan 10 09:31:56.015: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.1.251:5246
*Jan 10 09:31:56.015: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.1.251: Malformed Certificate
*Jan 10 09:31:56.015: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.1.251:5246

Any ideas on what to do next?

Re: CAPWAP Certificate verified failed

Mark Elsen — Sun, 10 Jan 2021 18:29:16 GMT

- Check if the 1st=reply of this thread is applicable to your case :

https://community.cisco.com/t5/wireless/certificate-issue-joining-ap-to-vwlc/td-p/2036617

Re: CAPWAP Certificate verified failed

juantovarm — Tue, 12 Jan 2021 15:00:01 GMT

Thank you very much for your reply..

I had actually read that post before but that means getting my hands on a vWLC 7.3 OVA and CIsco's website has them as deferred. So, no luck there....

I ended up using another reply from that same post and it was to reinstall the original autonomous image via the emergency recovery method. That too took some tweaking because when i renamed the file to "default" in Windows, it showed up as c1250-k9w7-tar.default.tar in the tftp filysystem, so the AP didn't recognize the image until I edited the name in linux.

topic Re: CAPWAP Certificate verified failed in Wireless

CAPWAP Certificate verified failed

Re: CAPWAP Certificate verified failed

Re: CAPWAP Certificate verified failed