06-21-2020 07:20 PM
Hi all,
I recently renewed some SSL Certs for my ASA5506x devices. I am now getting an error (repeatedly) which claims that the verification of a cert chain is failing. However I cannot for the life of me find the certificate that it is referencing.
The error as it appears in the logs is here:
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 0509, subject name: cn=QuoVadis Root CA 2,o=QuoVadis Limited,c=BM, issuer name: cn=QuoVadis Root CA 2,o=QuoVadis Limited,c=BM .
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 7517167783D0437EB556C357946E4563B8EBD3AC, subject name: cn=HydrantID SSL ICA G2,o=HydrantID (Avalanche Cloud Corporation),c=US, issuer name: cn=QuoVadis Root CA 2,o=QuoVadis Limited,c=BM .
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 3000683B0F7504F7B244B3EA7FC00927E960D735, subject name: cn=tools.cisco.com,o=Cisco Systems\, Inc.,l=San Jose,st=CA,c=US, issuer name: cn=HydrantID SSL ICA G2,o=HydrantID (Avalanche Cloud Corporation),c=US .
%ASA-3-717027: Certificate chain failed validation. No suitable trustpoint was found to validate chain.
Using the CLI to find all the certs gives this result (sanitised slightly):
Result of the command: "show crypto ca certificate"

Certificate
  Status: Available
  Certificate Serial Number: 08ad6b3eddbe00d59a801a9b3f57c3b5
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name:
    cn=DigiCert SHA2 Secure Server CA
    o=DigiCert Inc
    c=US
  Subject Name:
    cn=*.mydomain.com
    o=Company
    l=city
    st=state
    c=AU
  OCSP AIA:
    URL: http://ocsp.digicert.com
  CRL Distribution Points:
    [1] http://crl3.digicert.com/ssca-sha2-g6.crl
    [2] http://crl4.digicert.com/ssca-sha2-g6.crl
  Validity Date:
    start date: 10:00:00 EST Jun 19 2020
    end date: 22:00:00 EST Jul 29 2022
  Storage: config
  Associated Trustpoints: 2020_renewal_01

Certificate
  Status: Available
  Certificate Serial Number: 0ed637ed96cd9eac13e0bf319a9d338b
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name:
    cn=DigiCert SHA2 Secure Server CA
    o=DigiCert Inc
    c=US
  Subject Name:
    cn=*.mydomain.com
    o=Company
    l=city
    st=state
    c=AU
  OCSP AIA:
    URL: http://ocsp.digicert.com
  CRL Distribution Points:
    [1] http://crl3.digicert.com/ssca-sha2-g6.crl
    [2] http://crl4.digicert.com/ssca-sha2-g6.crl
  Validity Date:
    start date: 10:00:00 EST May 15 2018
    end date: 22:00:00 EST Jun 24 2020
  Storage: config
  Associated Trustpoints: ASDM_TrustPoint10

Certificate
  Status: Available
  Certificate Serial Number: 079992f6d6a4b6d5f770f0cca02be1d6
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name:
    cn=DigiCert SHA2 Secure Server CA
    o=DigiCert Inc
    c=US
  Subject Name:
    cn=*.mydomain.com
    o=Company
    l=location
    st=state
    c=AU
  OCSP AIA:
    URL: http://ocsp.digicert.com
  CRL Distribution Points:
    [1] http://crl3.digicert.com/ssca-sha2-g6.crl
    [2] http://crl4.digicert.com/ssca-sha2-g6.crl
  Validity Date:
    start date: 11:00:00 EDT Feb 20 2018
    end date: 22:00:00 EST May 30 2018
  Storage: config
  Associated Trustpoints: ASDM_TrustPoint5

CA Certificate
  Status: Available
  Certificate Serial Number: 083be056904246b1a1756ac95991c74a
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=DigiCert Global Root CA
    ou=www.digicert.com
    o=DigiCert Inc
    c=US
  Subject Name:
    cn=DigiCert Global Root CA
    ou=www.digicert.com
    o=DigiCert Inc
    c=US
  Validity Date:
    start date: 11:00:00 EDT Nov 10 2006
    end date: 11:00:00 EDT Nov 10 2031
  Storage: config
  Associated Trustpoints: ASDM_TrustPoint11 ASDM_TrustPoint1

CA Certificate
  Status: Available
  Certificate Serial Number: 01fda3eb6eca75c888438b724bcfbc91
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name:
    cn=DigiCert Global Root CA
    ou=www.digicert.com
    o=DigiCert Inc
    c=US
  Subject Name:
    cn=DigiCert SHA2 Secure Server CA
    o=DigiCert Inc
    c=US
  OCSP AIA:
    URL: http://ocsp.digicert.com
  CRL Distribution Points:
    [1] http://crl3.digicert.com/DigiCertGlobalRootCA.crl
    [2] http://crl4.digicert.com/DigiCertGlobalRootCA.crl
  Validity Date:
    start date: 23:00:00 EDT Mar 8 2013
    end date: 23:00:00 EDT Mar 8 2023
  Storage: config
  Associated Trustpoints: 2020_renwal ASDM_TrustPoint7 ASDM_TrustPoint10 ASDM_TrustPoint9 ASDM_TrustPoint0

CA Certificate
  Status: Available
  Certificate Serial Number: 6ecc7aa5a7032009b8cebcf4e952d491
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=VeriSign Class 3 Public Primary Certification Authority - G5
    ou=(c) 2006 VeriSign\, Inc. - For authorized use only
    ou=VeriSign Trust Network
    o=VeriSign\, Inc.
    c=US
  Subject Name:
    cn=VeriSign Class 3 Secure Server CA - G3
    ou=Terms of use at https://www.verisign.com/rpa (c)10
    ou=VeriSign Trust Network
    o=VeriSign\, Inc.
    c=US
  OCSP AIA:
    URL: http://ocsp.verisign.com
  CRL Distribution Points:
    [1] http://crl.verisign.com/pca3-g5.crl
  Validity Date:
    start date: 11:00:00 EDT Feb 8 2010
    end date: 10:59:59 EDT Feb 8 2020
  Storage: config
  Associated Trustpoints: _SmartCallHome_ServerCA
You will hopefully agree that the certificate it's complaining about above is not listed, hence my confusion.
Thanks!
06-21-2020 11:21 PM
I suspect smart call-home has been enabled. That happens via https and requires you trust the Cisco certificate and its issuing and root CA.
Your errors include a failure to trust tools.cisco.com and the issuing and root certificate above it. You can either disable SCH ("no service call-home") or add the necessary certificate and chain of trust. Details for the latter option can be found here:
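As an added example (not from either post, and not Cisco tooling), here is a small Python script that parses the %ASA-3-717009 lines quoted in the question, reconstructs the rejected chain from leaf to root, and checks it against the subject names of the CA certificates that "show crypto ca certificate" listed, to name the root that still lacks a trustpoint. The installed-CA list is constructed from the question's output (the VeriSign intermediate is left out as irrelevant here), and the DN normalisation is an assumption of mine rather than ASA behaviour.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample input: the three %ASA-3-717009 messages quoted in the post.
ASA_LOG = r"""
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 0509, subject name: cn=QuoVadis Root CA 2,o=QuoVadis Limited,c=BM, issuer name: cn=QuoVadis Root CA 2,o=QuoVadis Limited,c=BM .
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 7517167783D0437EB556C357946E4563B8EBD3AC, subject name: cn=HydrantID SSL ICA G2,o=HydrantID (Avalanche Cloud Corporation),c=US, issuer name: cn=QuoVadis Root CA 2,o=QuoVadis Limited,c=BM .
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 3000683B0F7504F7B244B3EA7FC00927E960D735, subject name: cn=tools.cisco.com,o=Cisco Systems\, Inc.,l=San Jose,st=CA,c=US, issuer name: cn=HydrantID SSL ICA G2,o=HydrantID (Avalanche Cloud Corporation),c=US .
"""
# Constructed from the question's "show crypto ca certificate" output: subjects of the
# installed CA certificates (the VeriSign intermediate is omitted; it is irrelevant here).
INSTALLED_CA_SUBJECTS: Set[str] = {
    "cn=DigiCert Global Root CA,ou=www.digicert.com,o=DigiCert Inc,c=US",
    "cn=DigiCert SHA2 Secure Server CA,o=DigiCert Inc,c=US",
}
LINE_RE = re.compile(r"%ASA-3-717009:.*?serial number: (?P<serial>[0-9A-Fa-f]+), "
                     r"subject name: (?P<subject>.+?), issuer name: (?P<issuer>.+?)\s*\.?\s*$")

def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: split on unescaped commas, trim, lower-case (my assumption)."""
    return ",".join(p.strip() for p in re.split(r"(?<!\\),", dn)).lower()

def parse_717009(log: str) -> List[Dict[str, str]]:
    """Pull serial, subject and issuer out of every 717009 message in the log text."""
    return [m.groupdict() for m in (LINE_RE.search(l.strip()) for l in log.splitlines()) if m]

def build_chain(certs: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Order the rejected certificates leaf -> root by following issuer links."""
    by_subject = {norm_dn(c["subject"]): c for c in certs}
    issuers = {norm_dn(c["issuer"]) for c in certs if norm_dn(c["issuer"]) != norm_dn(c["subject"])}
    leaves = [c for c in certs if norm_dn(c["subject"]) not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one leaf certificate in the rejected set")
    chain, cur = [], leaves[0]
    while cur is not None:
        chain.append(cur)
        parent = by_subject.get(norm_dn(cur["issuer"]))
        cur = None if parent in chain else parent  # stops at the self-signed root or a gap
    return chain

def missing_trust_anchor(chain: List[Dict[str, str]], installed: Set[str]) -> Optional[str]:
    """Subject of the CA that needs a trustpoint, or None if the chain already
    reaches a CA certificate installed on the ASA."""
    trusted = {norm_dn(s) for s in installed}
    if any(norm_dn(c["issuer"]) in trusted for c in chain):
        return None
    return chain[-1]["subject"]
```

Running it against the question's data reports the QuoVadis Root CA 2 subject, which matches neither DigiCert trustpoint; adding that root to the installed set makes the function return None.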