https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4315542#M227822 <P>I have NOW! I feel a&nbsp;migraine headache coming on.</P> Mon, 29 Mar 2021 15:59:11 GMT David Ritter 2021-03-29T15:59:11Z https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4314546#M227745 <P>I have 4 AIR-CAP3502i-A-K9's that received Fatal reports from WLC 8.5.164.0.&nbsp; I have 7 others still associating.</P><P>&nbsp;</P><P>*Mar 26 14:01:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: x.x.x.x peer_port: 5246<BR />*Mar 26 14:01:47.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from x.x.x.x<BR />*Mar 26 14:01:47.210: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to x.x.x.x:5246</P><P>How do I regen or create a new Cert?</P> Mon, 05 Jul 2021 20:02:53 GMT https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4314546#M227745 David Ritter 2021-07-05T20:02:53Z https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4314584#M227748 <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; &nbsp;- On the AP check the certificate with :&nbsp;<STRONG>AP# show crypto pki certificates</STRONG></P> <P><STRONG>&nbsp;</STRONG>M.</P> Fri, 26 Mar 2021 16:10:28 GMT https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4314584#M227748 Mark Elsen 2021-03-26T16:10:28Z https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4314600#M227750 <P>unfortunately there is no Show Crypto cmd but I can view them all in show tech..&nbsp;&nbsp;</P><P>there is:</P><P>crypto pki certificate chain cisco-m2-root-cert<BR />certificate ca 01...</P><P>crypto pki certificate chain Cisco_IOS_M2_MIC_cert<BR />certificate ca 02...</P><P>crypto pki certificate chain airespace-old-root-cert<BR />certificate ca 00...</P><P>crypto pki certificate chain airespace-new-root-cert<BR />certificate ca 00..</P><P>crypto pki certificate chain airespace-device-root-cert<BR />certificate ca 03...</P><P>crypto pki certificate chain cisco-root-cert<BR />certificate ca 5FF87B282B54DC8D42A315B568C9ADFF..</P><P>crypto pki certificate chain Cisco_IOS_MIC_cert<BR />certificate 15B7774C000000055EC7...</P><P>certificate ca 6A6967B3000000000003</P><P>end list..</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 26 Mar 2021 16:27:27 GMT https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4314600#M227750 David Ritter 2021-03-26T16:27:27Z https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4314775#M227764 <P>Certificate expired for some ap</P> Sat, 27 Mar 2021 02:59:55 GMT https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4314775#M227764 MHM Cisco World 2021-03-27T02:59:55Z https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4314794#M227766 <P>&nbsp;</P> <P><EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &gt;crypto pki certificate chain cisco-m2-root-cert</EM><BR /><EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;certificate ca 01...</EM></P> <P>&nbsp; - Check if any expiration dates are mentioned too.</P> <P>&nbsp;M.</P> Sat, 27 Mar 2021 06:45:21 GMT https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4314794#M227766 Mark Elsen 2021-03-27T06:45:21Z https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4315127#M227789 <P>Have you read <A href="https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html</A> and followed the instructions carefully?</P><P>&nbsp;</P><P>If you forgot to apply the config to allow APs or WLC (you didn't mention WLC model but they can also be affected) with expired cert then you'll have to turn off NTP, set the time back to before cert(s) expired, apply the config workaround on WLC, allow all APs to rejoin and get the update, then put NTP on again.</P> Sun, 28 Mar 2021 09:35:55 GMT https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4315127#M227789 Rich R 2021-03-28T09:35:55Z https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4315432#M227813 <P>ON WLC CLI&gt;&nbsp;<SPAN>config ap cert-expiry-ignore mic enable</SPAN></P> Mon, 29 Mar 2021 12:52:22 GMT https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4315432#M227813 superego 2021-03-29T12:52:22Z https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4315542#M227822 <P>I have NOW! I feel a&nbsp;migraine headache coming on.</P> Mon, 29 Mar 2021 15:59:11 GMT https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4315542#M227822 David Ritter 2021-03-29T15:59:11Z https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4315551#M227823 <P>that solved the 4 3502's attached to the 5508 on 8.5.164.0 . reporting the&nbsp;cert unknown.</P><P>not the 1810w reporting&nbsp;Discovery response from MWAR ''running version 0.0.0.0 is rejected</P><P>or the 3 1852s attached to the 5520 also reporting: Discovery response from MWAR ''running version 0.0.0.0 is rejected</P><P>&nbsp;</P><P>I have not yet been thru all the previous replies..</P><P>&nbsp;</P><P>thank you the 3502's comprised an entire site..&nbsp; so good they are alive again.</P> Mon, 29 Mar 2021 16:12:51 GMT https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4315551#M227823 David Ritter 2021-03-29T16:12:51Z https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4315570#M227824 <P>I never upgraded to 8.5.164 as I see the warning "<SPAN>This Image/Release is used ONLY for C9800 IRCM Compatibility."</SPAN></P><P>&nbsp;</P><P><SPAN>Can you try upgrading to&nbsp;</SPAN>8.5.171?</P> Mon, 29 Mar 2021 16:45:01 GMT https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4315570#M227824 superego 2021-03-29T16:45:01Z https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4315632#M227826 <P>understood.&nbsp; however, I have a 9800-40 sitting in the wings waiting to take command once it gets vlan interfaces to support the entire campus.&nbsp; I'm combining two sites into one and need more elbow room.</P> Mon, 29 Mar 2021 18:36:06 GMT https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4315632#M227826 David Ritter 2021-03-29T18:36:06Z https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4316113#M227842 <P>Note that there is a new IRCM release 8.5.176.0 which Cisco said on webinar last week resolves a number of bugs in 8.5.164.0 and should also have all the fixes which went into 8.5.171.0 so suggest you upgrade to that for a start:</P><P><A href="https://software.cisco.com/download/home/286284738/type/280926587/release/8.5IRCM" target="_blank">https://software.cisco.com/download/home/286284738/type/280926587/release/8.5IRCM</A></P><P><A href="https://software.cisco.com/download/home/282600534/type/280926587/release/8.5IRCM" target="_blank">https://software.cisco.com/download/home/282600534/type/280926587/release/8.5IRCM</A></P><P>They said the TAC recommended releases <A href="https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc9" target="_blank">https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc9</A> should get updated with that info soon (not yet I see).</P><P>&nbsp;</P><P>If you still have the problem with the other APs then try factory defaulting them (often fixes that type of problem) and if that doesn't help you'll need to get full console logs from at least one of them and ideally packet captures of the CAPWAP discovery/join at the same time.</P><P>&nbsp;</P> Tue, 30 Mar 2021 11:55:30 GMT https://community.cisco.com/t5/wireless/certificate-unknown-alert/m-p/4316113#M227842 Rich R 2021-03-30T11:55:30Z