4790 Views, 22 Helpful, 12 Replies

ISE 3.1 certificate issue

I do have a TAC open, but want to see if anyone has an idea while I'm waiting.

So, we use a public COMODO cert for our portals. I just got the renewed cert and went to install it last weekend. With the new cert, all portals load with:

This site can’t provide a secure connection

ise-t.whatever.com uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH
 
I thought maybe the cert or key was incorrect, so I put the old cert back and the portals worked.

Monday, I spun up a test VM, same as production, on 3.1 patch 4. I started with the new cert and the portals worked, but then changing to the old cert caused the same error. Changing back to the new cert did not correct it, so I'm guessing I got lucky in prod that the old cert took.

I'm currently downloading patch 5 to try on the test, but I don't see any related bugs that it could be.

My thought is that it could be due to it being a renewal, with both certs using the same key. Testing this is a pain since it's a public cert and we would have to revoke and do a new CSR to test.
 
Any suggestions would be appreciated. I have about 10 days until my cert dies.
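Two checks a practitioner would want to run before assuming the key is at fault, added here as an example and not taken from the thread: confirm whether the renewed certificate really carries the same public key as the one it replaces (the renewal hypothesis above), and confirm that the private key being imported belongs to the certificate. It assumes the openssl command-line tool is on the PATH; the file names are placeholders, and the self-signed certificates that setup_demo generates are constructed stand-ins for the real portal certificate, not ISE's own files.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: openssl CLI on PATH.
# File names are placeholders; setup_demo builds throwaway self-signed
# certs standing in for the old, renewed and freshly keyed portal certs.

# Print the SHA-256 of a certificate's public key (SubjectPublicKeyInfo, PEM).
# Returns 1 and prints nothing if the file is not a parseable certificate.
pubkey_fp() {
    pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print the SHA-256 of the public half of a private key, same encoding as
# pubkey_fp so the two hashes are directly comparable.
privkey_fp() {
    pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 if both certificates carry the same public key (a renewal issued
# from the original CSR), 1 otherwise. Unparseable input counts as "not same".
same_key() {
    a=$(pubkey_fp "$1") || return 1
    b=$(pubkey_fp "$2") || return 1
    [ "$a" = "$b" ]
}

# Exit 0 if private key $2 belongs to certificate $1, 1 otherwise.
key_matches_cert() {
    c=$(pubkey_fp "$1") || return 1
    k=$(privkey_fp "$2") || return 1
    [ "$c" = "$k" ]
}

# Constructed test material: one RSA key behind an "old" and a "renewed"
# self-signed cert (what a key-reusing renewal looks like), plus a cert on
# a fresh key. Prints the directory that holds the files.
setup_demo() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/portal.key" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/fresh.key" 2>/dev/null
    # name, key file, validity in days
    for spec in "old portal 1" "renewed portal 365" "fresh fresh 365"; do
        set -- $spec
        openssl req -new -x509 -key "$dir/$2.key" -days "$3" \
            -subj "/CN=ise-t.example.com" -out "$dir/$1.pem" 2>/dev/null
    done
    printf '%s\n' "$dir"
}

# Stand-alone run: report what the checks say about the demo files.
d=$(setup_demo)
if same_key "$d/old.pem" "$d/renewed.pem"; then
    echo "old.pem / renewed.pem: same public key (renewal reused the key)"
else
    echo "old.pem / renewed.pem: different public keys"
fi
if same_key "$d/old.pem" "$d/fresh.pem"; then
    echo "old.pem / fresh.pem: same public key"
else
    echo "old.pem / fresh.pem: different public keys"
fi
if key_matches_cert "$d/renewed.pem" "$d/portal.key"; then
    echo "portal.key belongs to renewed.pem"
fi
```

Point same_key at the exported old and renewed portal certificates and key_matches_cert at the certificate and the private key you are about to import. To see the handshake failure itself rather than the browser's summary, `openssl s_client -connect <portal-fqdn>:<portal-port> -servername <portal-fqdn>` against the portal shows the TLS alert the node sends and, when the handshake succeeds, the chain the node is actually serving.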
Accepted Solution (marce1000):

- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc64480

12 Replies

marce1000 (VIP)

 

- What error do you get in Firefox?

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Basically the same.

Error code: SSL_ERROR_NO_CYPHER_OVERLAP

 

- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc64480

M.

Thanks, that seems to be the bug. The weird part is I tried rebooting yesterday and still had the issue, but it seems to be working today. The only difference is I added patch 5 to the test node.

I'm going to restore it back to patch 4 and see if rebooting still works; that will tell me whether I also have to install patch 5 on my production before it works or not.


@marce1000 wrote:

                  - FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc64480

Please confirm how I can download an expired certificate from Cisco.

I just want to download an expired CCIE Security written exam certificate.

OK, not crazy. On 3.1 patch 4, the reboot workaround does not work. Applying patch 5 and verifying that still works.

OK, patch 5 kicked in the new cert, so it appears to be the bug, with the caveat of needing patch 5 for the workaround to work. Will have to fix production this weekend.

Hey Dustin, we're currently hit with the bug, but the report only mentions that we need to "reload ISE server". Do you know if this is all of the nodes? Just the PSNs?

Thanks

If you are on patch 5+, I believe the reboot should work. Without patch 5, a reboot did not fix the issue. The issue is with renewal, so you could maybe also regenerate a completely new cert, but I'm not sure.

 

I would suspect all nodes, but we just have a 2 node deployment, so can't verify that myself.

Sri Harsha Dasari (Spotlight)

I had the same issue. I moved the portal role to another cert (admin/default), then deleted the old and new portal certs.
Then I reloaded the PSNs and then the PAN, and imported the new certificate back. It took the new certificate and is working fine.

Thanks, Sri.

tomhoed (Level 1)

We had the same issue on ISE 3.2 Patch 4.

Followed the same procedure as Sri:
- Moved the guest portal certificate group to the default
- Deleted the old (and new) portal certificates
- Rebooted PSN1 (show application status to check functionality, all running >> OK), then rebooted PSN2
- Uploaded the new guest portal certificates with a new group
- Linked the new cert group to the guest portal