
ISE 2.6 - Certificate doesn't update

Niklas.D
Level 1

Hello

So on our Guest Portal we are running a cert, and we just updated it.

If you go to Administration -> Certificates -> System Certificates you see it there.

But if you as a guest client access our portal you will see the old certificate.

I have rebooted the servers.

Any ideas?

1 Accepted Solution


Do you have a load balancer sitting in front of the PSNs? The only time I've seen this same scenario in the past is when a customer had a load balancer that was breaking the SSL and replacing the cert before sending it to the client.

 

If there's no load balancer, please provide more information about your environment such as number of PSNs, patch level, etc.

Confirm that all PSNs are showing synchronised on the Administration > System > Deployment page.

Did you use the "Portal test URL" option suggested by @Anurag Sharma to confirm which certificate is presented?


6 Replies

Colby LeMaire
VIP Alumni

When you added the new certificate, did you assign the proper certificate portal group tag to it?  You can also double check your Guest portal configuration to ensure it is still configured to use the correct portal group tag.

Anurag Sharma
Cisco Employee

Hi @Niklas.D ,

 

Can you please double check the tag on the new certificate (as @Colby LeMaire mentioned)?

Can you please do a Test Portal URL and check which certificate it's showing?

How many nodes do you have and on which patch on 2.6?

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Sorry for the late reply; as Corona hit, the need to drive this case diminished. Yes, I have assigned the correct tag on it.

Guest Portal, and also the Portal has the same selected.


There was a Citrix load balancer,

and the system had not synchronised!

Thank you for the help!

For the PSN that is presenting the guest portal, if you go to System Certificates page, for this specific PSN does it show the correct certificate and is it assigned the correct tag? Could you have updated the certificate on the admin node, but not on the PSN node that is presenting the portal? I would suggest as a test to re-add the certificate again.

Recently, on ISE 2.6 I updated a public wildcard certificate used for guest and admin portals, and it showed all nodes with the new cert, but one of my PSNs that had the guest portal was still presenting the old certificate. I can't remember exactly what I did, but it might have been the application restart on this PSN was taking a long time due to the same cert being used by the admin portal.
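The check the replies in this thread converge on (which certificate is presented through the load balancer versus by each PSN directly), as an added example that is not part of any poster's reply or of Cisco's tooling. The function names, the node names and the port 8443 default are assumptions; use the port your guest portal is configured for.

```python
import hashlib
import socket
import ssl


def presented_fingerprint(host, port=8443, sni=None, timeout=5.0):
    """SHA-256 (hex) of the leaf certificate an endpoint actually presents.

    Call this once against the load balancer VIP and once against each PSN
    directly. Port 8443 is an assumed portal port.
    """
    ctx = ssl.create_default_context()
    # Inspection only: an expired or mismatched old cert must still be
    # retrievable, so validation is turned off for this probe.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def classify(expected, via_lb, per_psn):
    """Locate the source of a stale certificate.

    expected: fingerprint of the newly installed certificate
    via_lb:   fingerprint seen when connecting through the load balancer
    per_psn:  {node name: fingerprint seen when connecting to that PSN}
    """
    stale = sorted(name for name, fp in per_psn.items() if fp != expected)
    if stale:
        # At least one PSN still serves the old cert: check sync status,
        # the portal group tag and the certificate on those nodes.
        return ("psn_stale", stale)
    if via_lb != expected:
        # Every PSN is correct, so the old cert is installed on the
        # load balancer that terminates TLS in front of them.
        return ("load_balancer", [])
    return ("ok", [])


if __name__ == "__main__":
    # Constructed fingerprints standing in for presented_fingerprint() output.
    new, old = "aa" * 32, "bb" * 32
    print(classify(new, old, {"psn1": new, "psn2": new}))
    print(classify(new, old, {"psn1": new, "psn2": old}))
```
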