02-11-2008 02:14 AM - last edited on 03-25-2019 05:24 PM by ciscomoderator
Hi,
I've installed a new SSL certificate to replace the old one which was about to expire. After this cert update I can no longer access the ACS server for admin purposes. I get the error "Can not establish ciphered connection because the certificate presented by <servername> is invalid or corrupt. Error code: -8101" or something similar as the message is in Spanish.
I've tried to restart the CSAdmin service without success. I've also looked at the different CS tools but none of them addresses this nor does the ACS User Guide.
Is there a way to remove the certificate from the command line or other?
Any help would be appreciated as I don't want to reinstall/rebuild the server.
Thanks,
Niels
02-15-2008 06:39 AM
If the ACS is 3.3.4 or below then it can be disabled via registry. 4.x doesn't have any registry settings to tweak.
For 4.x
One possible workaround available to us is that if a backup of ACS taken previous to enabling the HTTPS is there, we can restore the same and get around the issue.
For 3.3.x
To restore access using HTTP to your server, you will need to change the registry setting to disable HTTPS. Here is the location of the reg key:
HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.2\CSAdmin\Config\HTTPSSupport
Change this value from 2 to 1.
Regards,
~JG
Do rate helpful posts
02-15-2008 06:20 AM
This chapter addresses authentication and certification features found in the System Configuration section of Cisco Secure ACS Solution Engine.
02-20-2008 06:20 AM
JG, I will try this ASAP, and let you know. Thanks for this. The version is 3.3.4b14? the last supported patched version.
Cheers,
Niels
02-22-2008 05:42 AM
Thanks JG!! After changing the value and restarting the CSAdmin service I finally got access to the ACS app.
Cheers,
Niels
03-25-2008 01:34 AM
Hello,
I've got the same behaviour on an appliance (version 4).
Do I need to reinstall all configuration on ACS?
Thanks in advance.
Regards.
03-25-2008 02:26 AM
On 3.3 I didn't have to reinstall any configuration. What the Registry value change does is simply remove the SSL session encryption and that leaves the HTTP available. Once I restarted the CSAdmin service I could connect using HTTP and then install a new cert, configure the cert trust list and re-enable the HTTPS admin session option.
I would assume that being version 4 and an appliance makes no difference. This is ONLY an assumption; you should check this out in your lab before trying it on a production environment system.
Make sure that you configure the Cert Trust List before enabling the HTTPS feature.
Cheers,
Niels
03-25-2008 03:42 AM
Hello Niels,
The difference is that on the appliance, there is no way to access the registry. So I can not change the value to deactivate the ssh and I can't access the configuration through https or http.
Best regards.