Re: ERROR (SSL Routing, SSL_GET_SERVER_CERTIFICATE, Certificate verification failed

VamsiKrishna · ‎09-10-2019

Hello Everyone,

We are using ISE version 2.3.0.298 patch 6,7 in virtual environment. We are trying to do TC-NAC from ISE GUI with AMP cloud but it show error "ERROR: while trying to connect to AMP cloud " in vendor instance while trying to connect AMP. When we checked the log in ISE using “show logging container tc-nac container-name <InstanceName> log-name adapter.log tail” command it show error "[Get clouds received RequestException ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)].

Help us to solve this issue.

Arne Bier · ‎09-11-2019

TC-NAC is a bit of a special beast. I have not done one myself, but there is a nice write up about getting comms working between ISE and a TC-NAC third-party vendor.

You may have missed the part where you have to install the CA cert chain of your TC-NAC service that ISE is connecting to (AMP in this case)

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200974-Configure-ISE-2-2-Threat-Centric-NAC-TC.html

VamsiKrishna · ‎09-12-2019

Thank for the reply.

But we are using Cisco AMP in our scenario. In Cisco AMP we can't generate certificate, we have a self-signed certificate in ISE.
is there any other way we can solve this issue ?

networksumo · ‎07-16-2020

Did you ever get a resolution for this issue?