ISE upgrade - Import the valid https certificate of the same to ...

kevinrfinley
Level 1

During a GUI upgrade from ISE 2.3 to ISE 2.7, we encountered an error of:

"STEP 3: Validating data before upgrade...
% Warning: Could not connect to new deployment Primary as its certificate is not trusted or valid. Import the valid https certificate of the same to current Primary node's certificate store."

Our environment consists of two ISE VMs (ISE0 and ISE1) functioning as Primary and Secondary nodes. The upgrade completed successfully on the secondary Admin node (ISE1) and then attempted to process the upgrade on the primary Admin node (ISE0) as automated within the GUI. The ISE1 node assumed the roles of Primary Admin and Primary Monitor, of course.

Exactly which "https certificate" is this error referring to? I am assuming this is a simple fix by exporting a particular certificate from the node being upgraded (ISE0) and importing it into the current Primary node (ISE1). I just don't know exactly which certificate this should be. Any thoughts?

2 Replies

Mike.Cifelli
VIP Alumni

"% Warning: Could not connect to new deployment Primary as its certificate is not trusted or valid. Import the valid https certificate of the same to current Primary node's certificate store."

- I would verify that the certificate chain of the identity certs issued and used for your respective ISE nodes is imported in the trust store, and make sure that all are valid and not expired too. Lastly, to possibly gain more insight, you can log in to the failed node CLI and run: $ show logging system ade/ADE.log

That log file may provide further detail to assist you with your troubleshooting journey. HTH!

Thank you for your thoughts and advice on this.

I'm beginning to think the issue may be related to the expired "Default self-signed server certificate" within the Trusted Certificates store. I was not able to delete this certificate before performing the upgrade process and it seems Cisco TAC must be engaged to assist in doing this via SSH into the ISE server. Unfortunately, we discovered there is no current valid Cisco support contract so we are not able to move forward. We hope to procure the support contract quickly as it seems running an ISE 2.3 and an ISE 2.7 server simultaneously is not healthy.
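
The checks suggested in the reply above (chain present in the trust store, nothing expired) can be run offline with the openssl CLI on PEM files exported from each node before an upgrade. This is an added example, not part of the thread and not Cisco tooling; the host names, file names and the 30-day window are assumptions, and the sample certificates are constructed.

```shell
#!/bin/sh
# Added example: offline checks on PEM files exported from ISE. Runs on a
# workstation with the openssl CLI; nothing here talks to an ISE node.

# check_cert CERT_PEM TRUST_BUNDLE_PEM [DAYS]
# Returns 0 ok, 1 expires within DAYS, 2 expired, 3 no chain to the bundle,
# 4 unreadable. The 30-day default window is an assumption.
check_cert() {
    cert=$1 bundle=$2 days=${3:-30}
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "UNREADABLE $cert"; return 4
    fi
    end=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED    $cert (notAfter $end)"; return 2
    fi
    # -no-CApath: skip the workstation's default CA directory.
    if ! openssl verify -no-CApath -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "UNTRUSTED  $cert (no chain to $bundle)"; return 3
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "EXPIRING   $cert (notAfter $end)"; return 1
    fi
    echo "OK         $cert (notAfter $end)"
}

# make_lab_pki DIR: constructed sample data with hypothetical names: a lab CA,
# a node cert it signed for 10 days, and an unrelated self-signed node cert.
make_lab_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Constructed Lab CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ise0.lab.example" \
        -keyout "$d/ise0.key" -out "$d/ise0.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/ise0.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 10 -out "$d/ise0.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=ise1.lab.example" \
        -keyout "$d/ise1.key" -out "$d/ise1-selfsigned.pem" 2>/dev/null
}

# Demo on the constructed files; with real exports, pass your own paths.
tmp=$(mktemp -d) && make_lab_pki "$tmp" &&
for c in ise0.pem ise1-selfsigned.pem; do
    check_cert "$tmp/$c" "$tmp/ca.pem" 30
done
rm -rf "$tmp"
```

A self-signed certificate passes the chain check only when that same certificate is itself in the bundle passed as the second argument.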