Cisco ISE node serving wrong certificate

rileyk
Level 1

Hello,

I am running into an issue where after updating our ISE node's cert for the Admin, Portal, and RADIUS DTLS services, it continues to serve an old self-signed cert that has been deleted from the server. I verified that the cert is Issued with our CA and had no issues binding it. I also was able to complete this process without an issue on our ISE-2 node, and when I try to access that, it is using the correct cert. I have tried the following with no success:

  1. via CLI, application stop ise --> verify services stopped with show app stat ise --> application start ise --> verify services with show app stat ise
  2. via CLI, application stop ise --> reload --> verify services with show app stat ise
  3. via CLI, application stop ise --> restart Guest OS via vCenter --> verify services with show app stat ise

Any ideas? Any help would be appreciated!



4 Replies

Milos_Jovanovic
VIP Alumni

Hi @rileyk,

Where exactly this certificate is not reflected? On Admin portal, or some other portals (like Guest or Sponsor), or maybe EAP? How are you checking this exactly?

I've seen behavior in the past where certificate replacement is not properly reflected somewhere in the backend (like it is not applied in the web server or similar), but all of these issues were resolved by reloading the entire ISE (not only app stop and app start). I also haven't seen this issue with more recent versions.

Also, if you replaced this certificate for the Admin role, and you see it being used from the ISE GUI under the Admin role, then it is applied for sure.

Since you already restarted both application, as well as entire server, and in case you are checking this with Admin portal, I would try to check if it is not some browser cache - try with Win+R, or different browser, or something similar. If that is still not the case, then you'll need to reach to TAC.

Kind regards,

Milos
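One way to settle the "is it the browser or the node?" question above is to pull the certificate straight off the TLS port and compare it with the one you bound in ISE. This is an added example, not from the thread or from Cisco; it only needs the openssl CLI, and the hostname, port and expected fingerprint are values you supply.

```shell
#!/bin/sh
# Added example (not from the thread): check which certificate a node actually
# serves on its admin port, independent of any browser cache or browser trust
# store, and flag a self-signed certificate. Requires the openssl CLI.
set -eu

# Return 0 if the PEM certificate in $1 is self-signed (issuer == subject).
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# SHA-256 fingerprint of the PEM certificate in $1, e.g. AB:CD:...:EF
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fetch the leaf certificate a TLS server presents for host $1, port $2,
# with SNI set, and write it as PEM to $3. Bypasses the browser entirely.
fetch_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Compare the served certificate against the fingerprint of the certificate
# you bound in ISE ($3). Exit 0 on match, 1 on mismatch; warn if self-signed.
check_node() {
    tmp=$(mktemp)
    fetch_served_cert "$1" "$2" "$tmp"
    served=$(cert_fingerprint "$tmp")
    if is_self_signed "$tmp"; then
        echo "WARNING: $1 still serves a self-signed certificate"
    fi
    echo "served:   $served"
    echo "expected: $3"
    rm -f "$tmp"
    [ "$served" = "$3" ]
}

# Usage (placeholders): export the bound certificate from ISE as bound.pem, then
#   check_node ise-1.example.com 443 "$(cert_fingerprint bound.pem)"
```

If the fingerprints differ on a node that has already been reloaded, the mismatch is on the server side and not in the browser, which is the evidence worth attaching to a TAC case.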

Thanks for your response Milos. I am getting this issue on the Admin portal, and it is not reflected on the Admin portal. I am checking this by viewing the certificate via the browser. I have tried using three different machines, Chrome and Firefox in both regular and incognito modes, with no change in behavior.

I have included some screenshots to this reply that show the self-signed cert being served, but the Issued CA cert as the active.

Based on the screenshot, I can see that you are using Mozilla. I would also assume that you have at least imported your internal RootCA and all its intermediate ones into the trusted store on the PC. If not, you would need to import the certificate chain onto your PC first.

This browser, by default, does not use the PC's certificate store, and you must either import it directly under Mozilla too, or you need to configure Mozilla to use the PC's store.

If you already configured this too, and the certificate in use is still the self-signed one (not actually visible on the previous screenshot, as you would need to click View certificate and confirm that it is the self-signed one), you already did everything you can to check it, and the next logical step is Cisco TAC.

Kind regards,

Milos

I did click the "View Certificate" and verified it is the self-signed one, but did not include that screenshot, my bad. I have tried what you recommended with no luck, so at this point I think I will need to work with TAC. Thank you for your help!