ISE Admin certificate is not updated

asdf6
Level 1

Hello community,

I'm currently building a new ISE-deployment and the Admin-Portal certificates are giving me headaches. Hopefully someone also had this issue and was able to resolve it.

The new setup is based on 3.2 Patch 3. Somehow I'm not able to set any other certificate than the self-signed one which is generated right after first-time setup of the server. I tried deleting the cert, creating a new self-signed one, rebooting the server, stopping/starting the application, and importing a new one from an external CA. No matter what, the self-signed one is still there.

Any ideas? Or log file locations where I might find a clue?

Best regards
Stefan

25 Replies

steeda
Level 1

Same problem. 3.2 P3.

In the GUI, ISE shows my PKI cert having the Admin role. However, in my web browser, the self-signed initial cert is displayed. Rebooting the server does not correct the issue. The self-signed cert says "not in use" in ISE, but it is indeed the one displayed when checking the cert in the browser.

@steeda - it appears the problem happens for ISE SNS nodes that are using bonded interfaces. If you have a bonded interface, then remove the backup member interface and that should fix it. Of course it's not a long-term issue. I don't have this particular problem because I don't use SNS servers. Perhaps you can then add the backup interface back in again after the cert is confirmed to be in use.

My ISE install is VM based. No bonds. Exact same symptom.

Arne Bier
VIP

As it happens, yesterday and today I have been building new ISE 3.2 VMs using ZTP (with patch 3 streamlined into the install) and I have no issues with Admin certs. I created CSRs on each new node and bound the cert only to the Admin role. Each time the node services restart as expected. I then register each node to the new PAN. No dramas at all. What am I doing right?

I think the better question is... what are we doing wrong? It's a checkbox. Check Admin. Hit Save.

No CCIE level skill required here....

gaigl
Level 3

Same here:

ISE 3.2 Patch 4 on VM, no bonding.

Under "Administration -> System -> Certificates" it shows correctly, but the browser shows the old cert.

I did a reload, no change.

Cisco has to fix it via root. LOL that they didn't fix this in Patch 4. Never change, Cisco.

gaigl
Level 3

I could fix it for me:

I had "ipv6 enable" and "ipv6 autoconfig" in the interface config.

I removed this, changed the admin cert to the ISE internal CA, then did "application stop ISE" and "application start ISE".

This took very long. I did a reload, which also took very long, but finally the cert changed. Now I could switch the admin function to the desired CA, and services restarted as expected.

I'm having the same issue. I disabled the IPv6 stuff you mentioned, then reloaded ISE (did not switch certs prior to reloading). Now ISE won't start. This is a brand new install. All I did was join it to the domain, then attempted to update the cert, and now I'm where I am... likely looking at a rebuild, all because the cert won't take. We did hit this problem in prod with the 3755 due to NIC teaming. The current install is in VMware, so no NIC bonding, and a single node. Knowing what I know now, I will be very nervous updating the certs in prod. If it fails, all auth/authz will fail. Is it just me or is ISE super buggy?

It isn't just you. Cisco CCIEs will respond here telling you it's... you... they're wrong. The fact is ISE remains one of the most bug-ridden platforms in the history of IT. Only UCCX is worse.

Open a Sev 1 TAC case and DEMAND they fix you.

gaigl
Level 3

Verified on my prod cluster (2 SNS servers):

Removed the IPv6 config and I could change the admin cert without any problems.
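The symptom throughout this thread is that the GUI reports one certificate bound to the Admin role while the browser is handed another. As an added example (not from the thread or from Cisco), here is a small Python check that fetches the leaf certificate the admin portal actually presents on port 443 and compares its SHA-256 fingerprint with that of the certificate file you imported and bound to Admin; the host name and expected fingerprint are placeholders you supply, and the embedded PEM is a constructed stand-in used only to exercise the fingerprint helpers offline.

```python
import hashlib
import socket
import ssl


def fingerprint_of_der(der: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex, no colons) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_of_pem(pem_text: str) -> str:
    """Fingerprint of a PEM certificate, e.g. the file you imported into ISE."""
    return fingerprint_of_der(ssl.PEM_cert_to_DER_cert(pem_text))


def normalize_fingerprint(fp: str) -> str:
    """Accept the 'AB:CD:...' form shown by browsers and GUIs as well as bare hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def presented_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER leaf certificate the server sends in the TLS handshake.

    Chain verification is disabled on purpose: the point of this check is to see
    an unexpected (possibly self-signed) certificate, not to fail on it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def admin_cert_matches(host: str, expected_fingerprint: str, port: int = 443) -> bool:
    """True if the certificate actually presented matches the one you bound to Admin."""
    presented = fingerprint_of_der(presented_cert_der(host, port))
    return presented == normalize_fingerprint(expected_fingerprint)


# Constructed stand-in (base64 of the bytes b"abc"), NOT a real certificate; it only
# exercises the PEM -> DER -> fingerprint path without touching the network.
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Placeholders: the ISE PAN/PSN host name and the fingerprint of your imported cert.
    host = "ise-node.example.invalid"
    expected = "<sha256 fingerprint of the certificate file you bound to Admin>"
    print("admin cert matches:", admin_cert_matches(host, expected))
```

Run it before and after the IPv6 workaround above: a `False` result while the GUI still reports the new cert as bound is exactly the mismatch this thread describes.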