03-21-2018 12:48 PM
Hi, I have FMC 6.2.2.2 and ISE 2.3 patch 2 running in a POC. I have created a pxGrid ISE connection and am using common certs signed by an internal OpenSSL CA. When I test the connection from the FMC it fails with the following log. I have a similar set up in my own lab and it works. Looks like it's failing on the last step. Any ideas?
Primary host:
test: ISE connection.
Preparing ISE Connection objects...
Preparing subscription objects...
Connecting to ISE server...
Beginning to connect to ISE server...
Captured Jabberwerx log:2018-03-21T19:29:42 [ INFO]: _reconnection_thread starts
Captured Jabberwerx log:2018-03-21T19:29:42 [ INFO]: pxgrid connection init done successfully
Captured Jabberwerx log:2018-03-21T19:29:42 [ INFO]: testing connecting to host 10.222.48.22 timeout=3 ...
Captured Jabberwerx log:2018-03-21T19:29:42 [ INFO]: testing connection to host OK 10.222.48.22:Will use ip=10.222.48.22
Captured Jabberwerx log:2018-03-21T19:29:42 [ INFO]: connecting to host 10.222.48.22 ...
Captured Jabberwerx log:2018-03-21T19:29:42 [ INFO]: stream opened
Starting SSL Handshake, SSL state:before/connect initialization
Completed SSL Handshake, SSL state: SSL negotiation finished successfully
Captured Jabberwerx log:2018-03-21T19:29:42 [ INFO]: EXTERNAL authentication complete
Captured Jabberwerx log:2018-03-21T19:29:42 [ INFO]: authenticated successfully (sasl mechanism: EXTERNAL)
Captured Jabberwerx log:2018-03-21T19:29:43 [ INFO]: pxgrid_connection_connect: Connected. host=10.222.48.22
Captured Jabberwerx log:2018-03-21T19:29:43 [ INFO]: Controller version: 2.0.0.7
Captured Jabberwerx log:2018-03-21T19:29:43 [ INFO]: Account approved
Captured Jabberwerx log:2018-03-21T19:29:43 [ INFO]: CoreCapability successfully subscribed
Captured Jabberwerx log:2018-03-21T19:29:43 [ INFO]: EndpointProfileMetaDataCapability successfully subscribed
Captured Jabberwerx log:2018-03-21T19:29:43 [ INFO]: TrustSecMetaDataCapability successfully subscribed
Captured Jabberwerx log:2018-03-21T19:29:44 [ INFO]: SessionDirectoryCapability successfully subscribed
Captured Jabberwerx log:2018-03-21T19:29:44 [ INFO]: _on_connect called
Captured Jabberwerx log:2018-03-21T19:29:44 [ INFO]: EndpointProtectionServiceCapability successfully subscribed
Captured Jabberwerx log:2018-03-21T19:29:44 [ INFO]: AdaptiveNetworkControlCapability successfully subscribed
Queried 1 bulk download hostnames:ise1.ise.com:8910
...successfully connected to ISE server.
Starting bulk download
connectionHealthPollingThread starting.
Captured Jabberwerx log:2018-03-21T19:29:44 [ INFO]: curl_easy_setopt() for CURLOPT_URL: 'https://ise1.ise.com:8910/pxgrid/mnt/sd/getSessionListByTime'
Connection to ISE server failed because of time out
03-21-2018 11:04 PM
Simple thing but have you enabled PxGrid on the node as it's not enabled by default?
03-22-2018 07:30 AM
Yep did that...
Sent from my iPhone
03-22-2018 04:41 AM
That may be the MNT connection that is failing. I am assuming your MNT node is running on a different ISE server than your pxGrid node. Did you correctly put in the MNT CA root? There are two root certs you need to load into FMC:
03-22-2018 07:32 AM
Thx ... but the error did not look like a certificate error. Also it's on the same node (it's a lab POC).
Dom
Sent from my iPhone
03-26-2018 01:10 PM
Hey Dominic,
Ensure that everything is FQDN resolvable. If still having issues, unicast me directly.
Thanks,
John
04-30-2018 02:10 PM
I am having the issue. Were you able to find a solution?
05-02-2018 07:01 AM
Just to close the loop on this thread. Spoke to Paul off-line. Re-issued external CA cert for both the ISE pxGrid node and FMC, re-booted FMC. FMC was able to successfully connect and register.
Thanks,
John
05-02-2018 01:31 PM
Like John said. We were able to make it work.
Today I tried the same in a production environment and encountered another issue. Multiple things might be wrong.
1. In ISE the customer has a distributed deployment. I decided to use the admin node for pxgrid.
2. ISE has certs already installed using an external CA for Admin, Portal, etc. (not for pxGrid). They decided to use their internal MS CA to generate the pxGrid cert, so I generated the CSR and exported it so that the customer could generate the cert. That worked fine. I had to import the Root CA from this internal MS CA into ISE, and after that I had to import and bind the cert for the admin node, secondary node and monitoring node.
3. In FMC I exported the cert and private key using CLI and using the same MS CA we generated the cert which I uploaded into FMC under Internal Certs and after that I uploaded the root CA from the internal MS CA inside Trusted CAs.
Up to this point in ISE we had the other external CA being used for admin, portal, etc. and the new cert from the internal MS CA just for pxGrid. Am I doing it right so far?
In FMC the certs were signed by the same MS CA and the root cert was uploaded. No issues.
When I tried to add ISE as the Identity Store in FMC using the selected certs I got a failure. It seems that when FMC tries to connect to ISE it is hitting the other cert instead of the ones we created in Microsoft; check the logs below:
Primary host:
test: ISE connection.
Preparing ISE Connection objects...
Captured Jabberwerx log:2018-05-02T18:21:22 [ INFO]: pxgrid connection init done successfully
Preparing subscription objects...
Connecting to ISE server...
Beginning to connect to ISE server...
Captured Jabberwerx log:2018-05-02T18:21:22 [ INFO]: _reconnection_thread starts
Captured Jabberwerx log:2018-05-02T18:21:22 [ INFO]: connecting to host 10.81.2.200 .......
Captured Jabberwerx log:2018-05-02T18:21:22 [ INFO]: stream opened
Starting SSL Handshake, SSL state:before/connect initialization
Completed SSL Handshake, SSL state: SSL negotiation finished successfully
Captured Jabberwerx log:2018-05-02T18:21:22 [ INFO]: EXTERNAL authentication complete
Captured Jabberwerx log:2018-05-02T18:21:22 [ INFO]: authenticated successfully (sasl mechanism: EXTERNAL)
Captured Jabberwerx log:2018-05-02T18:21:22 [ INFO]: pxgrid_connection_connect: Connected. host=10.81.2.200
Captured Jabberwerx log:2018-05-02T18:21:22 [ INFO]: Controller version: 1.0.3.38
Captured Jabberwerx log:2018-05-02T18:21:22 [ INFO]: Account approved
Captured Jabberwerx log:2018-05-02T18:21:22 [ INFO]: successfully subscribed
Captured Jabberwerx log:2018-05-02T18:21:22 [ INFO]: successfully subscribed
Captured Jabberwerx log:2018-05-02T18:21:23 [ INFO]: successfully subscribed
Captured Jabberwerx log:2018-05-02T18:21:23 [ INFO]: successfully subscribed
Captured Jabberwerx log:2018-05-02T18:21:23 [ INFO]: _on_connect called
Captured Jabberwerx log:2018-05-02T18:21:23 [ INFO]: successfully subscribed
Captured Jabberwerx log:2018-05-02T18:21:23 [ INFO]: successfully subscribed
Queried 2 bulk download hostnames:SVLPISE.xxxx.com:8910, SVSMISE.xxxx.com:8910
...successfully connected to ISE server.
Starting bulk download
Captured Jabberwerx log:2018-05-02T18:21:23 [ INFO]: curl_easy_setopt() for CURLOPT_URL: 'https://SVLPISE.xxxx.com:8910/pxgrid/mnt/sd/getSessionListByTime'
Starting SSL Handshake, SSL state:before/connect initialization
Rejecting this certificate presented by foreign server: Certificate with Serial Number '0x744F483C1394D140CADBA3B21DC49F8D', issued by 'C = US, ST = VA, L = Herndon, O = Network Solutions L.L.C., CN = Network Solutions OV Server CA 2', to 'C = GT, postalCode = 4004, ST = Guatemala, L = Guatemala, street = Diagonal 6 10-01 zona 10, O = Administracion de Datos, OU = ADATSA, OU = Secure Link SSL Wildcard, CN = *.xxxx.com'
...because SSL negotiation encountered error: self signed certificate in certificate chain
...while validating this entry in the certificate chain: Certificate with Serial Number '0x01', issued by 'C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root', to 'C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root'
Sending SSL alert:unknown CA
Sending SSL alert:close notify
Captured Jabberwerx log:2018-05-02T18:21:23 [ ERROR]: curl_easy_perform() failed: (60) Peer certificate cannot be authenticated with given CA certificates at file build/gcl/src/pxgrid_bulkdownload_curl.c line 240
bulk download iter next failed REST errorPeer certificate cannot be authenticated with given CA certificates
Captured Jabberwerx log:2018-05-02T18:21:23 [ INFO]: curl_easy_setopt() for CURLOPT_URL: 'https://SVSMISE.xxxx.com:8910/pxgrid/mnt/sd/getSessionListByTime'
Starting SSL Handshake, SSL state:before/connect initialization
Rejecting this certificate presented by foreign server: Certificate with Serial Number '0x744F483C1394D140CADBA3B21DC49F8D', issued by 'C = US, ST = VA, L = Herndon, O = Network Solutions L.L.C., CN = Network Solutions OV Server CA 2', to 'C = GT, postalCode = 4004, ST = Guatemala, L = Guatemala, street = Diagonal 6 10-01 zona 10, O = Administracion de Datos, OU = ADATSA, OU = Secure Link SSL Wildcard, CN = *.xxxx.com'
...because SSL negotiation encountered error: self signed certificate in certificate chain
...while validating this entry in the certificate chain: Certificate with Serial Number '0x01', issued by 'C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root', to 'C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root'
Sending SSL alert:unknown CA
Sending SSL alert:close notify
Captured Jabberwerx log:2018-05-02T18:21:23 [ ERROR]: curl_easy_perform() failed: (60) Peer certificate cannot be authenticated with given CA certificates at file build/gcl/src/pxgrid_bulkdownload_curl.c line 240
bulk download iter next failed REST errorPeer certificate cannot be authenticated with given CA certificates
Failed to validate bulk download.
disconnecting pxgrid
Captured Jabberwerx log:2018-05-02T18:21:23 [ INFO]: _reconnection_thread exits
Captured Jabberwerx log:2018-05-02T18:21:23 [ INFO]: stream closed; err_dom=(null)
2018-05-02T18:21:23 [ INFO]: _on_disconnect called
Captured Jabberwerx log:2018-05-02T18:21:23 [ INFO]: Event loop exit. status=1
Captured Jabberwerx log:2018-05-02T18:21:23 [ INFO]: destroying client ...
Captured Jabberwerx log:2018-05-02T18:21:23 [ INFO]: pxgrid_connection_disconnect completes
Any comments on that?
Additionally I found that the timezone is not configured correctly in ISE and in FMC. The hostname in FMC is also not configured right. We will fix that.
Any suggestion on why FMC is getting the other cert instead of the one configured for pxGrid?
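A way to reproduce the trust failure in the log above offline, as an added example that is not from this thread or from Cisco: a constructed two-root PKI (every CA name and CN below is made up) and an `openssl verify` check that mirrors what FMC does when it validates the certificate the MNT node serves on port 8910 against its Trusted CAs.

```shell
#!/bin/sh
# Added example, not FMC or ISE code: a constructed two-root PKI reproducing the
# bulk-download failure above. FMC trusts only the internal CA, but the MNT node
# on port 8910 serves the admin cert, which chains to a separate external CA.
# Requires the openssl CLI; every name and CN here is made up.
set -e
WORK=$(mktemp -d)
# Minimal req config so the roots get CA:TRUE regardless of the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# mk_root <name> <CN>: self-signed root CA
mk_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -config "$WORK/req.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}
# mk_leaf <name> <CN> <root>: server cert signed by <root>
mk_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$WORK/req.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/$1.csr" -CA "$WORK/$3.pem" \
    -CAkey "$WORK/$3.key" -CAcreateserial -out "$WORK/$1.pem" >/dev/null 2>&1
}
mk_root internal-ca "Internal MS CA (constructed)"
mk_root external-ca "External OV Server CA (constructed)"
mk_leaf pxgrid-cert "ise-pxgrid.example.test" internal-ca   # cert issued for pxGrid
mk_leaf admin-cert  "*.example.test"          external-ca   # wildcard admin cert

# verify_chain <trusted CA bundle> <server cert>: succeeds only if the cert
# chains to a CA in the bundle, the same check FMC's REST client applies.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# describe_cert <cert>: issuer and subject, the fields the FMC log prints
describe_cert() {
  openssl x509 -in "$1" -noout -issuer -subject
}

# The pxGrid cert validates; the admin cert is rejected, as in the log above.
verify_chain "$WORK/internal-ca.pem" "$WORK/pxgrid-cert.pem" && echo "pxgrid cert: OK"
verify_chain "$WORK/internal-ca.pem" "$WORK/admin-cert.pem" || echo "admin cert: unknown CA"
describe_cert "$WORK/admin-cert.pem"
```

Against a live deployment the equivalent check is `openssl s_client -connect <mnt-fqdn>:8910 -servername <mnt-fqdn> -CAfile <bundle loaded into FMC>`, read for its "Verify return code"; it shows which certificate each MNT node actually serves.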
05-02-2018 01:40 PM
Where is that wildcard cert running? Is it the admin GUI cert on the monitoring node? FMC talks to pxGrid and MNT via REST.
05-02-2018 02:12 PM
The wildcard is running in the Admin node and the rest of the nodes in ISE. The admin node is separate from the monitoring node.
05-02-2018 01:48 PM
Hey Paul,
If the customer in a production deployment is using an external CA for all nodes, then you don't want to use the internal CA.
Let me know your availability early next week and I will set up a WebEx.
Thanks,
John
cell: 240-447-3937