CDO and device certificate

Hello, 

 

I am trying to onboard an ASA device in CDO. 

I get the error

Certificate could not be retrieved for IPADDRESS:PORT

 

Which certificate does it refer to?
How could I change it?

Accepted Solutions

Are you permitting http access from the CDO networks to the outside interface?

 

Example (the addresses below are the EU CDO servers):

http 35.157.12.126 255.255.255.255 outside
http 35.157.12.15 255.255.255.255 outside
http server enable 8443

 

7 Replies

@kostasthedelegate 

It's referring to the certificate in use by ASDM for management.

 

In my experience the ASA's self-signed certificate or a public signed certificate works, but a certificate issued by an internal CA (i.e. Windows CA) does not work.

OK, but I use Ethernet port 1/1, which has a public IP, to connect to CDO.

I do not use the management port

What should I do?

I had put these ones 

52.25.109.29, 52.34.234.2, 52.36.70.147

I added the ones you mentioned, but I still get the same.

Does the certificate on the ASA exist by default, or do I have to create it somehow?

Yes, it should have a self-signed certificate.

Do you have a trustpoint enabled on the outside interface?

Have you enabled the certificate on the correct port and configured CDO to use the correct port (as configured on the ASA)?

ssl trust-point TP OUTSIDE

Run a packet capture and confirm traffic is being received.

Thanks for the help @Rob Ingram  

It seems the issue was with the access on HTTP management. 

I allowed everything temporarily and it worked. 
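
As an added example (not part of the thread and not Cisco tooling), a small Python check run from a host that the ASA's `http` statements permit can tell a blocked or closed management port apart from a TLS or certificate problem on that port. The function name `probe_mgmt_cert` and its stage names are assumptions made for this example.

```python
import hashlib
import socket
import ssl
import sys


def probe_mgmt_cert(host, port, timeout=5.0):
    """Return (stage, detail) for the HTTPS management listener at host:port.

    Stage names are made up for this example:
      tcp_failed      no TCP connection: source not permitted, wrong port,
                      or the HTTPS server is not enabled on that port
      tls_failed      TCP connected but the TLS handshake did not complete
      no_certificate  handshake completed without a server certificate
      certificate_ok  certificate retrieved; detail is its SHA-256 fingerprint
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_failed", str(exc))

    # Verification is disabled on purpose: the goal is only to see whether
    # any certificate (self-signed included) is presented, not to trust it.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with sock:
        try:
            with ctx.wrap_socket(sock) as tls:
                der = tls.getpeercert(binary_form=True)
        except (ssl.SSLError, OSError) as exc:
            return ("tls_failed", str(exc))
    if not der:
        return ("no_certificate", "")
    return ("certificate_ok", hashlib.sha256(der).hexdigest())


if __name__ == "__main__":
    # Usage: python probe.py <asa-outside-ip> <port>, e.g. the port set with
    # "http server enable 8443" in the thread.
    stage, detail = probe_mgmt_cert(sys.argv[1], int(sys.argv[2]))
    print(stage, detail)
```

A `tcp_failed` result points at the `http ... outside` and `http server enable` lines discussed above, while `tls_failed` or `no_certificate` points at the `ssl trust-point` binding.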

 
