
ACS 5.4 - invalid management certificate, GUI is not accessible

Miroslav Horak
Level 1

Hello all,

by my own fault, I've set an invalid management certificate. So the GUI became inaccessible right after the reboot of the mgmt service.

Mozilla Firefox is reporting "Certificate type not approved for application (Error code: sec_error_inadequate_cert_type)".

IE says "IE cannot display the webpage".

(both browsers asked for a security exception because of the new cert)

I went to acs-config mode and tried to reset the certificate with the "reset-management-interface-certificate" command, but it failed:

Resetting ACS Management Interface Certificate...

Failed to Reset Management Interface Certificate.

See the logs for more details.

==> /opt/CSCOacs/logs/acsRuntime.log <==

PKILogic,04/03/2014,18:06:09:474,ERROR,3081878416,cntx=0000000460,PKILogic::onGenerateSelfSignedCertificateEx2Request: MD5 digest is not supported,PKILogic.cpp:359

Then I tried "acs restore", but it didn't solve the problem either; the invalid certificate is still there :-(

Any idea how to solve it?

Thanks

P.S.: the version is: 5.4.0.46.5


Jatin Katyal
Cisco Employee

Try this:

reset-management-interface-certificate

To reset the management interface certificate to a default self-signed certificate, use the reset-management-interface-certificate command in the ACS Configuration mode. Only the super admin and system admin can run this command.

Command Reference:

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/command/reference/cli/cli_app_a.html#wp2063454

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin,

I actually did that, but it failed:

Resetting ACS Management Interface Certificate...

Failed to Reset Management Interface Certificate.

See the logs for more details.

(The log is attached in my initial post)

Thanks for your reply.

Hi, I am unable to log onto my GUI even though I successfully ran the reset-management-interface-certificate command in the ACS Configuration mode twice. In acsRuntime.log I have errors like:

When I manually created a certificate

ERROR PKILogic::onGenerateSelfSignedCertificateEx2Request:Generation failed ; error=Invalid certificate subject DN length,PKILogic.cpp:378

Eap, 07/03/2014 18:05:165,WARN ,3010931616,NIL-CONTEXT,configureCTL = Failed to initializeCTL,EapConfigObjectBase.cpp:335

When I ran the reset certificate CLI command

ERROR, 3056110496,NIL-CONTEXT,DeviceAttrFactory::createAttrValue with marker = " .DeviceAttrFactory.cpp:29 Shellprofile, 07/03/2014

 

When I attempt to use the GUI

ERROR,2954697632,onException - reason activemq::to::SocketInputStream::read - The connection is broken; state connected; stack trace: activemq::io::SocketInputStream::read - The connection is broken

Will a restore help?

Hi Stuart,

that's a good point, the "restore" could maybe solve it, but I hadn't made a full backup beforehand :-(

And "acs restore" didn't fix the problem for me.

I had to re-install the ACS in the end:

1) application remove acs
2) application install ACS_5.4.0.46.0a.tar.gz "repository"    (tftp repository doesn't work)
3) acs patch install 5-4-0-46-6.tar.gpg repository "repository"
4) acs restore backup.tar.gpg repository "repository"

Regards
