cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to the Cisco Small Business Community

Have a question? Click on a topic board below to get started in the community.

1081
Views
10
Helpful
4
Replies
AH_CCNA_06_19
Beginner

Provisioning via Plug and Play - Cisco Business Dashboard

Hi,

 

I have configured the PnP settings & public DNS for my CBD server and was able to successfully provision a SG250 off a template I created.

 

However, after removing the self-signed cert and installing the Let's Encrypt auto-renewing certificate via CertBot in the new version.. I am now unable to provision new devices with firmware or configuration.

 

I get the following error readout:

 

Certificate installation cannot be performed as there is no root CA certificate in uploaded server certificate chain file

 

I verified the etc\letsencrypt\ directory in the Linux VM and the fullchain.pem is definitely present along with CA certs.

 

Is it possible it needs to be moved and imported elsewhere besides for the web server services? Perhaps something missing from the KB for provisioning?

 

Has anyone else gotten this error?

 

Is there something I'm missing here? I followed the KB to the letter.

1 ACCEPTED SOLUTION

Accepted Solutions

Just following up on this one.  The tech note has been updated to address this problem in a way that will persist through the automatic renewals.  So go ahead and check that out.

 

Also, not sure if I mentioned this before, but the process described in the tech note was automated in the 2.2.1 version by adding the 'cisco-business-dashboard letsencrypt ...' command line tool - complete with the problem you identified here.  We have now updated that tool to address this problem as well, and that fix will be in the 2.2.2 release that we hope to get out this week.  The implementation is really no different to the tech note, but this detail might be useful to anyone who comes across this thread in the future.

 

Cheers,

Dave.

View solution in original post

4 REPLIES 4
David Harper
Cisco Employee

Hi there.

 

It turns out the KB article has an omission.  To cut a long story short, some of the switch platforms require the root certificate to be present in the chain or they will not provision with PnP.  Code to check for this stiuation was added to CBD relatively recently to make it easier to identify when the problem is likely to happen, but this all happened after the KB was written.  And unfortunately the right combination of certificates, switches and features was not covered by the test plans.  Mea culpa I'm afraid.  We will get this fixed and the KB updated in the next few days.  We just need to figure out how best to change the workflow so the automatic renewals continue to work.

 

In the meantime though, a short term fix is pretty simple.  You just need to do the following:

1. Download a copy of the root certificate from here: https://letsencrypt.org/certs/trustid-x3-root.pem.txt

2. Create a new certificate bundle using a command like "sudo cat /etc/letsencrypt/live/<servername>/fullchain.pem <path to root certificate> > fullchain-with-root.pem"

3. Import the new bundle into CBD with "sudo cisco-business-dashboard importcert -t pem -k /etc/letsencrypt/live/<servername>/privkey.pem -c fullchain-with-root.pem"

 

That should do the trick.  However, after ~60 days when the certificate gets renewed, the updated chain will not have the root and you would need to repeat the process.  But as I said, we should have an updated process documented within a few days that will take care of this as well.  So bear with us for a little bit.  I'll post an update here when we have something.

 

Cheers,

Dave.

AH_CCNA_06_19
Beginner

Thanks for the information Dave!

 

No worries.. I thought it might be a weird issue with the new Let's Encrypt feature. I will apply this fix and keep an eye out for the long term fix.

 

Thanks for the quick response.

Just following up on this one.  The tech note has been updated to address this problem in a way that will persist through the automatic renewals.  So go ahead and check that out.

 

Also, not sure if I mentioned this before, but the process described in the tech note was automated in the 2.2.1 version by adding the 'cisco-business-dashboard letsencrypt ...' command line tool - complete with the problem you identified here.  We have now updated that tool to address this problem as well, and that fix will be in the 2.2.2 release that we hope to get out this week.  The implementation is really no different to the tech note, but this detail might be useful to anyone who comes across this thread in the future.

 

Cheers,

Dave.

View solution in original post

Just a heads up to everyone that 2.2.2 was posted to the software centre this week, and so you can now implement the Let's Encrypt certificates a little more easily while still solving this problem.

 

Cheers,

Dave.