Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1561
Views
10
Helpful
4
Replies

Provisioning via Plug and Play - Cisco Business Dashboard

Go to solution
AH_CCNA_06_19
Level 1
Level 1

‎12-03-2020 08:13 PM

Hi,

 

I have configured the PnP settings & public DNS for my CBD server and was able to successfully provision a SG250 off a template I created.

 

However, after removing the self-signed cert and installing the Let's Encrypt auto-renewing certificate via CertBot in the new version.. I am now unable to provision new devices with firmware or configuration.

 

I get the following error readout:

 

Certificate installation cannot be performed as there is no root CA certificate in uploaded server certificate chain file

 

I verified the etc\letsencrypt\ directory in the Linux VM and the fullchain.pem is definitely present along with CA certs.

 

Is it possible it needs to be moved and imported elsewhere besides for the web server services? Perhaps something missing from the KB for provisioning?

 

Has anyone else gotten this error?

 

Is there something I'm missing here? I followed the KB to the letter.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
David Harper
Cisco Employee
Cisco Employee
In response to AH_CCNA_06_19

‎12-20-2020 04:31 PM

Just following up on this one.  The tech note has been updated to address this problem in a way that will persist through the automatic renewals.  So go ahead and check that out.

 

Also, not sure if I mentioned this before, but the process described in the tech note was automated in the 2.2.1 version by adding the 'cisco-business-dashboard letsencrypt ...' command line tool - complete with the problem you identified here.  We have now updated that tool to address this problem as well, and that fix will be in the 2.2.2 release that we hope to get out this week.  The implementation is really no different to the tech note, but this detail might be useful to anyone who comes across this thread in the future.

 

Cheers,

Dave.

View solution in original post

4 Replies 4

Go to solution
David Harper
Cisco Employee
Cisco Employee

‎12-05-2020 02:33 AM

Hi there.

 

It turns out the KB article has an omission.  To cut a long story short, some of the switch platforms require the root certificate to be present in the chain or they will not provision with PnP.  Code to check for this stiuation was added to CBD relatively recently to make it easier to identify when the problem is likely to happen, but this all happened after the KB was written.  And unfortunately the right combination of certificates, switches and features was not covered by the test plans.  Mea culpa I'm afraid.  We will get this fixed and the KB updated in the next few days.  We just need to figure out how best to change the workflow so the automatic renewals continue to work.

 

In the meantime though, a short term fix is pretty simple.  You just need to do the following:

1. Download a copy of the root certificate from here: https://letsencrypt.org/certs/trustid-x3-root.pem.txt

2. Create a new certificate bundle using a command like "sudo cat /etc/letsencrypt/live/<servername>/fullchain.pem <path to root certificate> > fullchain-with-root.pem"

3. Import the new bundle into CBD with "sudo cisco-business-dashboard importcert -t pem -k /etc/letsencrypt/live/<servername>/privkey.pem -c fullchain-with-root.pem"

 

That should do the trick.  However, after ~60 days when the certificate gets renewed, the updated chain will not have the root and you would need to repeat the process.  But as I said, we should have an updated process documented within a few days that will take care of this as well.  So bear with us for a little bit.  I'll post an update here when we have something.

 

Cheers,

Dave.

Go to solution
AH_CCNA_06_19
Level 1
Level 1

‎12-05-2020 08:15 AM

Thanks for the information Dave!

 

No worries.. I thought it might be a weird issue with the new Let's Encrypt feature. I will apply this fix and keep an eye out for the long term fix.

 

Thanks for the quick response.

0 Helpful

Go to solution
David Harper
Cisco Employee
Cisco Employee
In response to AH_CCNA_06_19

‎12-20-2020 04:31 PM

Just following up on this one.  The tech note has been updated to address this problem in a way that will persist through the automatic renewals.  So go ahead and check that out.

 

Also, not sure if I mentioned this before, but the process described in the tech note was automated in the 2.2.1 version by adding the 'cisco-business-dashboard letsencrypt ...' command line tool - complete with the problem you identified here.  We have now updated that tool to address this problem as well, and that fix will be in the 2.2.2 release that we hope to get out this week.  The implementation is really no different to the tech note, but this detail might be useful to anyone who comes across this thread in the future.

 

Cheers,

Dave.

Go to solution
David Harper
Cisco Employee
Cisco Employee
In response to David Harper

‎01-13-2021 04:16 PM

Just a heads up to everyone that 2.2.2 was posted to the software centre this week, and so you can now implement the Let's Encrypt certificates a little more easily while still solving this problem.

 

Cheers,

Dave.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents