PxGrid client using self signed certificate rejected by ISE 3.0

alexlev2004 · ‎11-02-2021

Hello,

I am trying to access the ISE 3.0 running the below example:

https://github.com/cisco-pxgrid/pxgrid-rest-ws/blob/master/python/session_query_all.py

The connection is rejected by ISE (verified with tcpdump sniffer) and it sounds like a self-signed cert is not welcome , but according to past experience it could be some other mistake as well.

Getting following logs from the python code:

urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)>

Q1: How can we look at live auth logs of the ISE 3.0 ?

Q2: Can it be that the self signed certs should be explicitly allowed anywhere in the settings ? The Root CA and CA are defined as trusted in the appliance.

Q3: Any tips for troubleshooting from your past experience ?

Your help is highly appreciated ,

Thanks

Alex

hslai · ‎11-03-2021

Please provide info how the self-signed cert is generated.

In ISE 3.0, we may use the menu search feature to search on diag and pick > Administration > pxGrid Services

Then, select Log in the left side-panel.

A self-signed cert should work with pxGrid.

alexlev2004 · ‎11-07-2021

Hi,

The certificates are generated by ISE 3.0 via the specified menu.
It has FQDN (not resolvable) and AltName with IP address.
Is that error seen whenever FQDN is not resolvable ?

Thank you
Alex

hslai · ‎11-07-2021

See CSCvu63918

The self-signed certificates generated in ISE (up to ISE 3.0) has the field Netscape Cert Type, which is no longer supported for pxGrid use.

alexlev2004 · ‎11-08-2021

Hi,
Thanks for the suggestion, but I tried to work around it by issuing a new
certificate from PxGrid UI with the PxGrid template. Below is the cert
(anonymised) and there is no the suggested extension anymore... Any
additional suggestions?
Thanks!

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7b:3a:de:1f:54:78:4f:c4:87:20:78:43:ba:3c:19:81
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Certificate Services Endpoint Sub CA - ise3
Validity
Not Before: Nov 6 14:37:42 2021 GMT
Not After : Nov 7 14:37:42 2023 GMT
Subject: CN = ise3.COMPANY.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c2:ff:f2:31:67:02:ee:e0:35:41:ab:ad:43:87:
c4:0e:0c:69:a9:e5:28:00:97:2f:ac:c3:4a:f4:12:
0a:6b:db:a9:77:19:44:7f:51:05:68:ed:db:9c:b5:
2b:03:6b:24:7d:a3:b0:7a:22:c2:b1:b6:d7:e3:2b:
ad:12:52:4c:13:f1:ad:d2:33:e5:98:74:30:af:72:
d2:ba:7f:ab:bc:ff:f4:2f:18:87:9e:de:d5:27:43:
12:61:ad:2b:bd:f7:21:f7:38:f0:55:b5:37:ed:b4:
18:f4:72:e2:82:bb:0f:d8:85:f2:f3:d9:5e:28:17:
e7:ee:2f:67:fb:55:a7:0b:11:8d:56:9b:f6:74:31:
21:f7:3c:f3:13:b5:f4:66:37:c9:0b:84:5a:99:8d:
ba:99:75:48:0d:ef:fa:d7:fb:68:97:12:9b:c0:52:
02:a2:e1:52:31:af:01:a3:ea:f2:94:19:20:42:b7:
23:1a:a6:b8:0c:ea:a8:d1:6a:af:cc:f5:47:da:16:
11:c0:de:af:a0:87:ee:ed:98:e4:d4:72:98:36:85:
f6:d2:57:5d:50:de:02:3b:71:dd:e5:22:ae:30:2d:
ce:8a:7c:59:a6:f2:7d:45:71:fa:95:bd:47:74:ed:
d7:dd:f5:ab:01:04:76:72:bf:f8:52:8b:e7:9d:4d:
07:41
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name: critical
IP Address:192.168.SOME.ADDRESS
1.3.6.1.4.1.9.21.2.5:
..pxGrid_Certificate_Template
X509v3 Authority Key Identifier:

keyid:B2:2F:DE:B7:1A:D9:DB:7B:1C:7D:9A:F5:85:4B:DC:A3:73:C5:60:34
DirName:/CN=Certificate Services Node CA - ise3
serial:4F:BB:4D:D4:F0:5C:45:11:9F:43:8F:26:53:75:35:E4

X509v3 Subject Key Identifier:
5A:8A:16:78:9F:1D:A9:42:80:89:18:62:71:05:15:A4:96:41:E8:02
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage: critical
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
82:ef:4f:64:4a:35:0a:0b:5c:66:da:48:1b:80:5c:3f:79:c0:
c2:fc:d7:6d:6b:4c:86:66:cf:d8:ca:89:71:99:13:74:f2:2a:
03:d5:8c:be:35:68:2b:bc:bc:b3:d9:28:66:80:e0:df:0e:d2:
65:2c:88:c0:06:45:b1:3b:32:13:a1:e1:93:0c:b8:60:93:9a:
6f:f8:87:06:f1:db:1a:a5:b3:d5:9e:a3:d2:f1:d4:ae:07:0a:
84:1d:e7:e5:e8:0f:e8:2e:ec:4a:a2:41:69:66:27:00:de:91:
b1:75:b7:7b:2e:ab:13:0e:a3:ab:92:53:8c:d9:e3:d6:c0:6e:
e4:d1:f6:86:35:3c:de:ab:35:4c:93:5c:21:af:c8:01:7f:ad:
0f:00:a2:61:9f:f4:55:89:cc:f0:9c:ea:30:21:cd:81:11:86:
75:92:8c:1a:25:ab:b3:04:a6:85:ae:61:71:cf:f9:ad:d4:4d:
2d:15:d7:7b:12:5b:a9:d8:09:12:68:bf:52:85:1e:dd:ce:74:
1e:41:a2:ba:90:c2:2c:d4:22:b4:8d:df:e1:ce:94:76:31:17:
d7:ac:88:56:f2:ee:93:51:cf:dc:b6:2a:a4:97:c5:09:05:fc:
e4:55:e8:74:58:a3:fa:ac:da:8e:78:39:bf:68:bf:54:4a:fa:
35:d9:f2:26:99:32:a1:79:db:3d:66:18:56:da:88:e6:08:1f:
a4:f0:36:48:86:d6:c7:64:23:49:99:4f:a9:77:0a:35:ce:23:
d0:78:5a:69:87:d1:0f:c7:98:57:7f:48:77:01:47:ac:de:cf:
5b:57:87:90:f2:7b:47:9f:f5:0d:f1:d9:42:c5:c7:1a:b4:6b:
16:be:b6:63:27:8c:53:bd:00:ec:85:8e:a6:c5:85:4a:37:7a:
bb:1a:23:42:c9:c0:fd:86:7a:01:62:85:c8:80:0c:72:d1:fb:
9b:11:1f:36:b4:fc:af:d0:73:4a:54:e9:ff:59:2f:37:90:de:
cf:ad:94:84:67:01:8d:62:e7:51:20:8a:f0:5e:70:1c:b8:c3:
16:0c:3c:b1:7c:ad:65:d2:91:46:0e:3d:52:36:27:7d:15:0e:
65:35:29:79:ee:df:eb:87:da:91:5c:1a:c6:7d:10:1c:a2:ff:
2d:49:5a:f5:fb:58:fd:71:65:fe:94:11:d2:2d:a1:c7:fb:63:
95:18:4a:79:47:97:39:2d:4d:54:ec:4a:fb:9a:c8:52:3c:72:
75:3d:a0:02:d5:36:a0:01:5e:d4:9b:42:fa:87:39:07:48:b0:
ea:7e:b7:c0:4c:ed:bd:8f:82:4a:ed:3b:84:25:42:67:8c:08:
a1:eb:04:f9:5b:34:2b:67

hslai · ‎11-08-2021

Is the subscribe request working? Below is an example how to make the request:

python3 session_subscribe.py -a myIsePXG -n myPxgClient1 -c /path/to/myPxg_.cer -k /path/to/myPxg_.key -p myClientKeyPass -s /path/to/CertificateServicesRootCA-myIsePXG_.cer

alexlev2004 · ‎11-09-2021

The subscribe request is working with basic authentication (user/password)
Certificates are rejected ,
can it be with reason "self signed" due to FQDN not resolvable for CN while
there is AltCN = IP ?