Cisco Catalyst Center and Cisco 5520 Network Assurance

Chris Terry
Level 1

I have a single-node Catalyst Center running 2.3.5.6 and two Cisco 5520 WLCs running 8.10.190.0. I had to update the certificate on Catalyst Center as I was setting up PnP and had to update the cert SANs. The issue that I'm facing now is that I can't get the Network Assurance connection to work on either of my 5520 WLCs. They were working prior to the cert update.

The error message I can see on the WLCs is "Peer certificate cannot be authenticated with given CA certificates, SSL certificate problem: unable to get local issuer certificate". I've tried to delete them from Catalyst Center and add them back. I tried to manually upload the Network Assurance certificate to both WLCs but no luck. I can view the Network Assurance certs on the WLCs and they match the new certificate on Catalyst Center, so I'm really confused why there is still that cert error.

Is there something that I am missing? I'm not able to find anything specific about that error and how to fix it. I'm at the point where a reload of the WLCs is my next step.

4 Replies

Preston Chilcote
Cisco Employee

I bet you either don't have the entire certificate chain in the PEM file or it is out of order. Cat Center expects the entire chain in a single file, starting with the device cert and then working your way up the chain:


https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_cisco_catalyst_center_security_best_practices_guide.html#Cisco_Concept.dita_6b42a5a9-5e77-4bf2-b05b-78a742b6888b

I tried to remove and add back both WLCs to Catalyst Center after the cert was updated for Catalyst Center. That didn't change anything.
I've also tried manually uploading the cert to the WLCs following this doc - https://community.cisco.com/t5/wireless-mobility-knowledge-base/how-to-manually-connect-a-cisco-wlc-to-cisco-dna-center-for/ta-p/4272932

I can see the full cert on the WLCs. The webadmin certificate on the WLCs is signed by the same CA; both the intermediate and root certs match the Catalyst Center cert.

Do you see the root certificate of the Catalyst Center certificate chain listed as the NA-Server-CA certificate on the WLC when you check the licenses? 

You should only see the root certificate, not the entire chain on the WLC side. 

Rebooting the WLC will likely not resolve this issue as it is almost definitely an issue with the certificate as Preston mentioned. 

Can you share the output of the NA-Server-CA certificate (redacted is fine) from the WLC?
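Two checks come up in the replies above: that the PEM bundle uploaded to Cat Center holds the whole chain ordered device cert first and each issuer after it, and that only the root of that chain should appear as NA-Server-CA on the WLC. The script below is an added example, not code from the thread or from Cisco, that does both with plain openssl: it builds a throwaway three-tier CA as constructed test data, then walks a bundle one link at a time and pulls out its root. It assumes `openssl` (1.1.1 or 3.x) and `awk` are on PATH; every name, SAN and address in it is made up. When the intermediate is missing, the failing link reports the same "unable to get local issuer certificate" wording the WLC logs, which is a useful hint that the bundle, not the WLC, is the problem.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): check that a PEM bundle is
# ordered device cert -> intermediate(s) -> root, each cert signed by the next,
# and extract the root, which is all the 5520 should list as NA-Server-CA.
# Assumes openssl 1.1.1/3.x and awk on PATH. All CA names, the DNS/IP SANs
# and the file names below are constructed test data.
set -e

# check_chain_order BUNDLE
# Succeeds only if every certificate in BUNDLE is issued by the certificate
# that follows it and the last certificate is a self-signed root.
check_chain_order() {
  bundle=$1
  tmp=$(mktemp -d)
  # split into cert1.pem, cert2.pem, ... in file order; anything before the
  # first BEGIN line (e.g. "Bag Attributes" from a PKCS#12 export) is dropped
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (dir "/cert" n ".pem")}' "$bundle"
  n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
  i=1
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    # -partial_chain lets cert j act as the trust anchor even when it is not a
    # root, so exactly one link of the chain is tested per iteration
    if ! openssl verify -partial_chain -CAfile "$tmp/cert$j.pem" "$tmp/cert$i.pem" >/dev/null 2>&1; then
      echo "cert $i ($(openssl x509 -in "$tmp/cert$i.pem" -noout -subject)) is not issued by cert $j: bundle out of order or missing an issuer" >&2
      rm -rf "$tmp"
      return 1
    fi
    i=$j
  done
  # the final certificate must verify against itself, i.e. be a self-signed root
  if ! openssl verify -CAfile "$tmp/cert$n.pem" "$tmp/cert$n.pem" >/dev/null 2>&1; then
    echo "last cert is not a self-signed root: chain is incomplete" >&2
    rm -rf "$tmp"
    return 1
  fi
  rm -rf "$tmp"
}

# extract_root BUNDLE OUT
# Writes the last certificate of an already-verified bundle to OUT: the root
# alone, which is what should show as NA-Server-CA on the WLC.
extract_root() {
  awk '/-----BEGIN CERTIFICATE-----/ {buf = ""; inside = 1}
       inside {buf = buf $0 "\n"}
       /-----END CERTIFICATE-----/ {inside = 0}
       END {printf "%s", buf}' "$1" > "$2"
}

# make_demo_chain DIR
# Constructed test data: root CA, issuing CA and a server cert carrying the kind
# of SANs Cat Center needs, plus a correct bundle and two broken ones.
make_demo_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:catc.example.test,IP:192.0.2.10\n' > "$d/leaf.ext"
  for name in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/inter.pem" "$d/root.pem" > "$d/good.pem"      # what Cat Center expects
  cat "$d/root.pem" "$d/inter.pem" "$d/leaf.pem" > "$d/reversed.pem"  # same certs, wrong order
  cat "$d/leaf.pem" "$d/root.pem"                > "$d/missing.pem"   # intermediate left out
}

demo() {
  d=$(mktemp -d)
  make_demo_chain "$d"
  for b in good.pem reversed.pem missing.pem; do
    if check_chain_order "$d/$b"; then echo "$b: accepted"; else echo "$b: rejected"; fi
  done
  extract_root "$d/good.pem" "$d/na-server-ca.pem"
  openssl x509 -in "$d/na-server-ca.pem" -noout -subject -issuer   # subject equals issuer: the root
  rm -rf "$d"
}
# run the demo with any argument, e.g.: sh check_chain.sh demo
if [ "$#" -gt 0 ]; then demo; fi
```

To check a real bundle before uploading it to Cat Center, call `check_chain_order /path/to/bundle.pem` and then `extract_root /path/to/bundle.pem root.pem`; the subject line of `root.pem` is what to compare against the NA-Server-CA entry on the WLC. The per-link `-partial_chain` verify is deliberate: a plain `openssl verify` of the leaf against the whole bundle would pass even if the file order were wrong, which is exactly the mistake the check is meant to catch.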

Chris Terry
Level 1

I had to sign a new cert for Catalyst Center and manually upload it to the WLCs. I might have missed the full cert chain on the Catalyst Center side. I tried to delete and add the WLCs back after the new cert, but they only worked after I manually uploaded the cert to each WLC.
