
2.4 patch 9 breaks ERS certificate verification

aceandy79
Level 1

Hi all,

Just an advisory that I have had to roll back patch 9 of release 2.4, as API calls with verify=true stopped working. Testing using Python 3 on a local PC found the error "certificate verify failed: unable to get local issuer certificate".

Rolling back patch 9 has resolved the problem.

Accepted Solutions

Surendra
Cisco Employee
As a result of CSCvp75207, only the ISE Trust Certificates that have the "Trust for certificate based admin authentication" check box checked on the Edit Certificate page are placed into the Tomcat cert store. As a result, a complete certificate chain will not be present if these checkboxes are not checked. In your case, you will have to check the boxes for certificates which are a part of the ISE admin certificate chain, since ERS uses port 9060, which will present the Admin certificate.



Jason Kunst
Cisco Employee
Did you open a TAC case?

I've raised it via partner support, so may end up as a TAC case

Hi Surendra,

Yep, I can confirm that workaround works. Thank you for the link.

I found that if I set the trust certificate to "Trust for client authentication and Syslog" prior to installing patch 9, then the other (new) setting "Trust for certificate based admin authentication" was then automatically checked as part of the installation of patch 9.
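
Added example (not part of the thread and not Cisco's code): the error from the original post, reproduced offline with the `openssl` CLI on a constructed three-tier chain. A client that trusts only the root fails with "unable to get local issuer certificate" when the issuing CA is missing from what the server sends, and succeeds once it is included; all subject names, file names and function names are made up.

```shell
#!/usr/bin/env bash
# Added example. Constructed throwaway PKI: root -> issuing CA -> server cert.
# All subject names are made up; nothing here talks to ISE.

build_demo_pki() {   # $1 = empty working directory
  local d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
    '[dn]' 'CN = unused' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/ca.cnf"
  # Self-signed root: the only certificate the client will trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
    -extensions v3_ca -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Issuing CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=Demo Issuing CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.cnf" -extensions v3_ca \
    -out "$d/int.pem" 2>/dev/null || return 1
  # Server certificate, signed by the issuing CA.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=ers.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# Verify the server cert as a client that trusts only the root.
# $2 (optional) = intermediates the server sends alongside its own cert.
client_verify() {
  local d=$1 sent=${2:-}
  if [ -n "$sent" ]; then
    openssl verify -CAfile "$d/root.pem" -untrusted "$sent" "$d/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" 2>&1
  fi
}

demo() {
  local d; d=$(mktemp -d) || return 1
  build_demo_pki "$d" || { rm -rf "$d"; return 1; }
  echo "--- server sends leaf only (issuing CA missing from its chain)"
  client_verify "$d" || true
  echo "--- server sends leaf + issuing CA"
  client_verify "$d" "$d/int.pem"
  rm -rf "$d"
}
demo
```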