topic Re: Webauth Certificate install problem wlc 5508 in Wireless

Webauth Certificate install problem wlc 5508

PawelKozerski55944 — Mon, 05 Jul 2021 18:23:07 GMT

Hello

I have a problem with install a new webauth certificate on wlc 5508.

I created a new file like in this document:

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

From Gui and from cli when i try to download and install it i got an success information.

File transfer operation completed successfully. For Certificates to take effect and SSL to work, you need to reboot system. Click Here to get redirected to reboot page.

After reboot of the controller i still see an old certyficate.

When i was enabled an debug i got something like that, but still dont know what is the cause and why new certificate is not installed correctly.

*TransferTask: Dec 03 13:33:43.187: Memory overcommit policy changed from 0 to 1

*TransferTask: Dec 03 13:33:43.187: RESULT_STRING: TFTP Webauth cert transfer starting.


TFTP Webauth cert transfer starting.
*TransferTask: Dec 03 13:33:43.187: RESULT_CODE:1

*TransferTask: Dec 03 13:33:47.222: TFTP: Binding to remote=192.168.40.100

*TransferTask: Dec 03 13:33:47.276: TFP End: 12043 bytes transferred (0 retransmitted packets)

*TransferTask: Dec 03 13:33:47.276: tftp rc=0, pHost=192.168.40.100 pFilename=WLAN5508/final_5508.pem
        pLocalFilename=cert.p12

*TransferTask: Dec 03 13:33:47.333: RESULT_STRING: TFTP receive complete... Installing Certificate                                                              .

*TransferTask: Dec 03 13:33:47.333: RESULT_CODE:13


TFTP receive complete... Installing Certificate.
*TransferTask: Dec 03 13:33:51.335: Adding cert (11947 bytes) with certificate key password.

*TransferTask: Dec 03 13:33:51.335: Add WebAuth Cert: Adding certificate & private key using password PASSWORD
*TransferTask: Dec 03 13:33:51.335: Add ID Cert: Adding certificate & private key using password PASSWORD
*TransferTask: Dec 03 13:33:51.336: Add Cert to ID Table: Adding certificate (name: bsnSslWebauthCert) to ID table using password PASSWORD
*TransferTask: Dec 03 13:33:51.336: Add Cert to ID Table: Decoding PEM-encoded Certificate (verify: YES)
*TransferTask: Dec 03 13:33:51.336: Decode & Verify PEM Cert: Cert/Key Length was 0, so taking string length instead
*TransferTask: Dec 03 13:33:51.336: Decode & Verify PEM Cert: Cert/Key Length 11947 & VERIFY
*TransferTask: Dec 03 13:33:51.365: Decode & Verify PEM Cert: X509 Cert Verification return code: 1
*TransferTask: Dec 03 13:33:51.365: Decode & Verify PEM Cert: X509 Cert Verification result text: ok
*TransferTask: Dec 03 13:33:51.367: Add Cert to ID Table: Decoding PEM-encoded Private Key using password PASSWORD
*TransferTask: Dec 03 13:33:51.369: Add Cert to ID Table: Adding cert & key to ID cert table; current/max: 5/8
*TransferTask: Dec 03 13:33:51.369: sshpmGetIdCertIndex: called to lookup cert >bsnSslWebauthCert<

*TransferTask: Dec 03 13:33:51.370: sshpmGetIdCertIndex: found match in row 4

*TransferTask: Dec 03 13:33:51.370: Add Cert to ID Table: Deleting bsnSslWebauthCert (row 4) from ID cert table
*TransferTask: Dec 03 13:33:51.370: Free Row in ID Table: Freeing OpenSSL cert (X509 fn: 0x2ac498c8 | DER fn: 0x2ab7e3c8) from ID cert table (row 4)
*TransferTask: Dec 03 13:33:51.370: Free Row in ID Table: Freeing OpenSSL key (EVP_PKEY fn: 0x2ac32030 | DER fn: 0x2ab7e3c8) from ID cert table (row 4)
*TransferTask: Dec 03 13:33:51.371: Add Cert to ID Table: Adding new bsnSslWebauthCert cert & key to row 4 of ID cert table
*TransferTask: Dec 03 13:33:51.371: Add ID Cert: Writing DER-encoded ID cert to file /mnt/application/bsnSslWebauthCert.crt
*TransferTask: Dec 03 13:33:51.371: sshpmWriteCredentialFile: called to write </mnt/application/bsnSslWebauthCert.crt>; certptr 0x2c49c8f0, length 1533

*TransferTask: Dec 03 13:33:51.372: Add ID Cert: Writing DER-encoded ID private key to file /mnt/application/bsnSslWebauthCert.prv
*TransferTask: Dec 03 13:33:51.372: sshpmWriteCredentialFile: called to write </mnt/application/bsnSslWebauthCert.prv>; certptr 0x2c49d124, length 1192

*TransferTask: Dec 03 13:33:51.373: Add ID Cert: Unlinking previously created ID PEM-encoded PKCS12 file webauth_p12.pem
*TransferTask: Dec 03 13:33:51.374: Add ID Cert: Created PEM-encoded ID PKCS12 file webauth_p12.pem
*TransferTask: Dec 03 13:33:51.374: RESULT_STRING: Certificate installed.
             Reboot the switch to use new certificate.


*TransferTask: Dec 03 13:33:51.374: RESULT_CODE:11

*TransferTask: Dec 03 13:33:51.376: Memory overcommit policy restored from 1 to 0


Certificate installed.
                        Reboot the switch to use new certificate.


(Cisco Controller) >

Re: Webauth Certificate install problem wlc 5508

patoberli — Thu, 05 Dec 2019 07:40:29 GMT

You don't see the new certificate after a reboot, right?
Because the installation indeed looks good.

What software is running on the WLC? Maybe you're hitting a bug.

Re: Webauth Certificate install problem wlc 5508

PawelKozerski55944 — Fri, 06 Dec 2019 10:36:48 GMT

Yes, i dont see a new cerfiticate after reboot. I still have a valid old certificate but i dont think it's matter.

After reboot when i go to Web Authentication Certificate i see
Current Certificate:
valid:From Dec 15 13:36:41 2016 GMT Until Dec 15 13:36:41 2019 GMT

My software version is 8.3.143.0

Re: Webauth Certificate install problem wlc 5508

patoberli — Fri, 06 Dec 2019 11:33:13 GMT

Process looks absolutely correct.
Can you validate once again that the file WLAN5508/final_5508.pem is indeed the new and not an old file?
Your uploaded cert is correctly chained?

Manual: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

Re: Webauth Certificate install problem wlc 5508

PawelKozerski55944 — Mon, 09 Dec 2019 13:28:46 GMT

I'm shure that was new certificat. I found in the internet information how to create new certificate manually not using pkcs12 commands and it worked. I was able to upload new certificate and after reboot i have properly value of this certificate. Now i have another problem. I cant use https in gui only http. I disabled and enabled https, also genereted a new local certificate but it doesnt help. For now i can only use http protocol.

Re: Webauth Certificate install problem wlc 5508

patoberli — Mon, 09 Dec 2019 14:04:45 GMT

What error message do you get in the browser?

Re: Webauth Certificate install problem wlc 5508

PawelKozerski55944 — Mon, 09 Dec 2019 14:42:46 GMT

I got something like that:
This site is unreachable. Server has refused the connection.
ERR_CONNECTION_REFUSED

Re: Webauth Certificate install problem wlc 5508

patoberli — Mon, 09 Dec 2019 14:55:16 GMT

Interesting, could you try it with a different browser? If you also get it, then the WLC doesn't like the certificate for the https process, for whatever reason.

Re: Webauth Certificate install problem wlc 5508

PawelKozerski55944 — Mon, 09 Dec 2019 14:58:19 GMT

I checked on chrome, firefox and opera and on the all browser is the same result. I cant use https to login via GUI

Re: Webauth Certificate install problem wlc 5508

patoberli — Mon, 09 Dec 2019 15:57:27 GMT

Under Management - HTTP HTTPS, can you enable/disable the following option and test again:
WebAuth SecureWeb

Re: Webauth Certificate install problem wlc 5508

PawelKozerski55944 — Mon, 09 Dec 2019 16:45:41 GMT

It doesnt change anything. After disable/enable i still cant use https

Re: Webauth Certificate install problem wlc 5508

patoberli — Tue, 10 Dec 2019 10:12:08 GMT

Under Management - http-HTTPS, you have the the "current certificate" listed, is that indeed the correct certificate you see there?

Re: Webauth Certificate install problem wlc 5508

PawelKozerski55944 — Tue, 10 Dec 2019 10:24:25 GMT

In security->webauth->certificate i was uploaded a new ssl certificate for our domain (2019 to 2012). After that i cant use https. In Managment->http https i see other certificate "Locally Generated" ( Cisco Systems From Dec 9 23:00:01 2019 GMT Until Dec 9 23:00:01 2029 GMT). Earlier it looks the same and https was working.
Now i have https enabled and ERR_CONNECTION_REFUSED when i try to open an webadmin page.

Re: Webauth Certificate install problem wlc 5508

patoberli — Tue, 10 Dec 2019 12:20:55 GMT

I'm a bit out of ideas, as I don't know why it isn't working for you. You could try to re-create the locally generated certificate, that's the one the GUI service uses.

Re: Webauth Certificate install problem wlc 5508

PawelKozerski55944 — Tue, 10 Dec 2019 14:58:50 GMT

I tryed to create a new local certificate but this also dont change anything.

I have made a test and install old certificate and https starts working but when i installed the new certificate https stops working.

Re: Webauth Certificate install problem wlc 5508

patoberli — Tue, 10 Dec 2019 15:17:08 GMT

I suggest to open a TAC, or maybe somebody else can recommend something. I'm a bit out of ideas.

You did test it with a different PC?

Re: Webauth Certificate install problem wlc 5508

patoberli — Tue, 10 Dec 2019 15:42:08 GMT

Have you used OpenSSL 1.x or the older 0.9x? I think to remember that the 5508 didn't like OpenSSL 1.x created certificates.

Re: Webauth Certificate install problem wlc 5508

PawelKozerski55944 — Thu, 12 Dec 2019 09:53:22 GMT

I was used 0.98y OpenSSL

Re: Webauth Certificate install problem wlc 5508

TsvetanVladimirov81607 — Fri, 13 Dec 2019 09:27:20 GMT

Pawel,

After enabling secure web and generated the local certificate did you reboot the WLC?
Usually the WLC need to be rebooted in order to take effect.

The newer browsers sometimes react like this on devices, that do not present any or the proper certificate.
I had a similar behavior. You can use the WebAuth certificate (If it is a wildcard) to install it in Management-> HTTP-HTTPS and Download the SSL certificate. For this one actually you shouldn't need the chain certificate, only the signed one without the root and intermediate but the WLC should accept it as a chain as well.
Then reload the WLC and It should start working.

Re: Webauth Certificate install problem wlc 5508

PawelKozerski55944 — Wed, 08 Jan 2020 08:28:47 GMT

I restarted the controller many times without effect.

I dont have an wildcart certifitace.