08-21-2023 09:03 AM
Hello community,
I'm currently building a new ISE-deployment and the Admin-Portal certificates are giving me headaches. Hopefully someone also had this issue and was able to resolve it.
The new setup is based on 3.2 Patch 3. Somehow I'm not able to set any other certificate than the self-signed one which is generated right after the first-time setup of the server. I tried deleting the cert, creating a new self-signed one, rebooting the server, stopping/starting the application, and importing a new one from an external CA. No matter what, the self-signed one is still there.
Any ideas? or logfile locations where to maybe find a clue?
Best regards
Stefan
10-18-2023 10:12 AM
Same problem. 3.2 P3.
In the GUI, ISE shows my PKI cert having the Admin role. However, in my web browser, the Self Signed initial cert is displayed. Rebooting the server does not correct the issue. The Self Signed says "not in use" in ISE, but is indeed the one displayed when checking the cert in the browser.
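The mismatch described above (GUI says the PKI cert holds the Admin role, the browser still sees the initial self-signed cert) is easiest to pin down by reading the leaf certificate the admin portal actually presents on the wire and comparing its fingerprint with the one listed in the ISE certificate store. The following is an added example, not code from this thread or from Cisco; the hostname, port and expected fingerprint are placeholders you replace with your own, and verification is deliberately disabled so a self-signed cert is still captured rather than rejected.

```python
import hashlib
import socket
import ssl


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint of a DER blob, the
    form certificate viewers and the ISE certificate list display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex as copied from a GUI and
    return the canonical colon-separated form for comparison."""
    hexdigits = "".join(ch for ch in fp if ch.isalnum()).upper()
    if len(hexdigits) != 64 or any(c not in "0123456789ABCDEF" for c in hexdigits):
        raise ValueError("expected a 64-hex-digit SHA-256 fingerprint")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 64, 2))


def matches_expected(der: bytes, expected_fp: str) -> bool:
    """True when the presented DER cert has the expected fingerprint."""
    return fingerprint_sha256(der) == normalize_fingerprint(expected_fp)


def presented_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Open a TLS session and return the DER leaf certificate the server
    presents. Hostname and chain checks are switched off on purpose: the
    goal is to observe what is served, not to trust it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname is still passed so SNI matches a browser's request
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_node(host: str, expected_fp: str, port: int = 443) -> tuple[bool, str]:
    """Fetch the live cert and report (match, actual_fingerprint)."""
    der = presented_cert_der(host, port)
    actual = fingerprint_sha256(der)
    return matches_expected(der, expected_fp), actual


if __name__ == "__main__":
    # Placeholder values (assumptions, not real nodes): the admin FQDN and
    # the SHA-256 fingerprint of the cert that the ISE GUI shows as "Admin".
    NODE = "ise-pan.example.internal"
    EXPECTED = "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:" \
               "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"
    ok, seen = check_node(NODE, EXPECTED)
    print(f"{NODE}: served {seen}")
    print("OK: admin portal serves the expected certificate" if ok
          else "MISMATCH: portal is still serving a different (e.g. self-signed) cert")
```

Run it against every address the node answers on (the FQDN, the IPv4 address and any IPv6 address) before and after an application restart; a mismatch on the live socket is the condition this thread is about, whatever the GUI lists as "in use".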
10-18-2023 03:38 PM
@steeda - it appears the problem happens for ISE SNS nodes that are using bonded interfaces. If you have a bonded interface, then remove the backup member interface and that should fix it. Of course it's not a long-term issue. I don't have this particular problem because I don't use SNS servers. Perhaps you can then add the backup interface back in again after the cert is confirmed to be in use.
10-18-2023 03:41 PM
My ISE install is VM based. No bonds. Exact same symptom.
10-18-2023 03:48 PM
As it happens, yesterday and today I have been building new ISE 3.2 VMs using ZTP (with Patch 3 streamlined into the install) and I have no issues with Admin certs. I created CSRs on each new node and bound them only to the Admin role. And each time the node services restart as expected. I then register each node to the new PAN. No dramas at all. What am I doing right?
10-18-2023 03:51 PM
01-02-2024 02:09 AM
Same here:
ISE 3.2 Patch 4 on VM, no bonding.
Under "Administration -> System -> Certificates" it shows correctly, but the browser shows the old cert.
I did a reload, no change.
01-02-2024 09:27 AM
Cisco has to fix it via root. LOL that they didn't fix this in Patch 4. Never change, Cisco.
01-03-2024 09:31 AM
I was able to fix it for my setup:
I had "ipv6 enable" and "ipv6 autoconfig" in the interface config.
I removed these, changed the admin cert to the ISE internal CA, and ran "application stop ISE" and "application start ISE".
This took very long; I did a reload, which also took very long, but finally the cert had changed. Now I could switch the admin function to the desired CA, and services restarted as expected.
01-14-2024 06:51 PM - edited 01-14-2024 06:54 PM
I'm having the same issue. I disabled the IPv6 stuff you mentioned then reloaded ISE (did not switch certs prior to reloading). Now ISE won't start. This is a brand new install. All I did was join it to the domain, then attempted to update the cert, and now I'm where I am... likely looking at a rebuild all because the cert won't take. We did hit this problem in prod with the 3755 due to NIC teaming. The current install is in VMware, so no NIC bonding, and a single node. Knowing what I know now I will be very nervous updating the certs in prod. If it fails, all auth/authz will fail. Is it just me or is ISE super buggy?
01-14-2024 08:10 PM - edited 01-14-2024 08:13 PM
It isn't just you. Cisco CCIEs will respond here telling you it's... you... they're wrong. The fact is ISE remains one of the most bug-ridden platforms in the history of IT. Only UCCX is worse.
Open a Sev 1 TAC case and DEMAND they fix you.
01-04-2024 02:03 AM
Verified on my prod cluster (2 SNS servers):
removed the IPv6 config and I could change the Admin cert without any problems.