
DNAC 2.1.2.5 Provisioning Error

Mike.Cifelli
VIP Alumni

I recently ran into a new provisioning error after upgrading a 3-node cluster from 1.3.3.7 directly to 2.1.2.5 over the weekend. When attempting to provision a device I was getting the following error:

[Screenshot: prov_dnac_2125_error_LI.jpg]

The 'Host name' depicted the cluster VIP, which was not a part of the TLS cert SAN. I had to regenerate a new TLS cert to include cluster VIPs and node IPs, and then update the PKI cert under system settings from within the UI. Once that was done provisioning worked like a charm. Note that we never had provisioning errors prior to 2.1.2.5 that generated this error. TAC is filing a documentation bug as they claim adding the IPs to the SAN field has fixed several similar certificate errors. HTH anybody that runs into the same issue.


OlehBosiuk65241
Level 1

Hello, I am trying to create a certificate request using OpenSSL and have it signed by a CA. My version is also 2.1.2.5.
So do I also need to add the cluster VIPs and node IPs in the [alt_names] section? Can you share the answer from TAC about the documentation bug?

Mike.Cifelli
VIP Alumni

So do I also need to add the cluster VIPs and node IPs in the [alt_names] section?

-Yes.  This fixed my issue.  Here is what I used in my openssl.cnf:

[req]
# Settings read by "openssl req"; v3_req holds the extensions placed in the CSR
req_extensions = v3_req
distinguished_name = req_distinguished_name
default_bits = 4096
default_md = sha512
prompt = no

[req_distinguished_name]
C = XX
ST = XX
L = XX
O = XX
OU = XX
CN = XX.XX.XX

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
# Hostnames
DNS.1 = XX.XX.XX
DNS.2 = XX.XX.XX
DNS.3 = XX.XX.XX
DNS.4 = XX.XX.XX
DNS.5 = *.XX.XX
# Cluster VIPs and node IPs
IP.1 = XX.XX.XX.XX
IP.2 = XX.XX.XX.XX
IP.3 = XX.XX.XX.XX
IP.4 = XX.XX.XX.XX
IP.5 = XX.XX.XX.XX

 

Can you share the answer from TAC about the documentation bug?

-Yes. As soon as I get it from them. 

 

HTH!
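
A pre-flight check for the fix described in this thread, as an added example that is not part of the original posts or of Cisco's tooling: it parses an openssl.cnf and reports which cluster VIPs, node IPs or hostnames no SAN entry covers. The function names, the sample config and its addresses are assumptions constructed for illustration, and only the `subjectAltName = @section` form is handled.

```python
import configparser
import ipaddress

# Constructed sample: names and RFC 5737 addresses are placeholders, one node IP is left out.
SAMPLE_CNF = """\
req_extensions = v3_req
[ v3_req ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = dnac.example.com
DNS.2 = *.lab.example.com
IP.1 = 192.0.2.10
IP.2 = 192.0.2.11
"""

def load_sans(cnf_text):
    """Return (dns_names, ip_addresses) from the section subjectAltName references."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str                      # keep key case (DNS.1, IP.1)
    cp.read_string("[__top__]\n" + cnf_text)  # openssl.cnf may start without a section header
    sections = {name.strip(): dict(cp.items(name)) for name in cp.sections()}
    dns, ips = set(), set()
    for body in sections.values():
        ref = body.get("subjectAltName", "")
        names = sections.get(ref[1:].strip(), {}) if ref.startswith("@") else {}
        for key, value in names.items():
            kind = key.split(".")[0].strip().upper()
            if kind == "DNS":
                dns.add(value.strip().lower())
            elif kind == "IP":
                ips.add(ipaddress.ip_address(value.strip()))
    return dns, ips

def dns_covers(pattern, host):
    """Exact match, or a wildcard standing in for exactly one leftmost label."""
    if pattern.startswith("*."):
        return host.partition(".")[2] == pattern[2:]
    return pattern == host

def covered(endpoint, dns, ips):
    """IP endpoints match only IP.n entries; hostnames match only DNS.n entries."""
    try:
        return ipaddress.ip_address(endpoint) in ips
    except ValueError:
        return any(dns_covers(p, endpoint.lower()) for p in dns)

def missing_sans(cnf_text, required):
    """Return the required endpoints (IPs or hostnames) that no SAN entry covers."""
    dns, ips = load_sans(cnf_text)
    return [e for e in required if not covered(e, dns, ips)]
```

Calling `missing_sans(SAMPLE_CNF, [...])` with every VIP, node IP and FQDN of the cluster returns the entries still to be added to `[alt_names]` before the CSR is generated; the config must hold real addresses, since `XX` placeholders do not parse as IPs.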