cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
886
Views
0
Helpful
4
Replies

2.4 patch 9 breaks ERS certificate verification

aceandy79
Level 1
Level 1

Hi all,

Just an advisory that I have had to rollback patch 9 of release 2.4, as API calls with verify=true stopped working. Testing using python 3 on local PC found the error "certificate verify failed: unable to get local issuer certificate".

Rolling back patch 9 has resolved the problem.

1 Accepted Solution

Accepted Solutions

Surendra
Cisco Employee
Cisco Employee
As a result of CSCvp75207, Only the ISE Trust Certificates that have the "Trust for certificate based admin authentication" check box checked on the Edit Certificate page are placed into the Tomcat cert store. As a result, a complete certificate chain will not be present if these checkboxes are not checked. In your case, you will have to check the boxes for certificates which are a part of the ISE admin certificate chain since ERS uses 9060 port which will present Admin certificate.

View solution in original post

4 Replies 4

Jason Kunst
Cisco Employee
Cisco Employee
Did you open a tac case?

I've raised it via partner support, so may end up as a TAC case

Surendra
Cisco Employee
Cisco Employee
As a result of CSCvp75207, Only the ISE Trust Certificates that have the "Trust for certificate based admin authentication" check box checked on the Edit Certificate page are placed into the Tomcat cert store. As a result, a complete certificate chain will not be present if these checkboxes are not checked. In your case, you will have to check the boxes for certificates which are a part of the ISE admin certificate chain since ERS uses 9060 port which will present Admin certificate.

Hi Surendra,

Yep I can confirm that workaround works. Thank you for the link.

I found that if I set the trust certificate to "Trust for client authentication and Syslog" prior to installing patch 9, then the other (new) setting "Trust for certificate based admin authentication" was then automatically checked as part of the installation of patch 9.