cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
469
Views
0
Helpful
4
Replies

Error to validate a pxGrid certificate in FMC

Hello,

I create a pxGrid certificate in ISE following this URL (https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-32/220856-configure-and-troubleshoot-ise-3-2-with.html#toc-hId--1225537032).

When I tried to add the internal cert in FMC I got this error:

"Failed to validate Cert Based EO: System (/usr/bin/sudo /usr/bin/openssl rsa -outform pem -inform pem -in /tmp/Sp3Kkt49CV -passin file:/tmp/5ZbeyQmSDf -out /tmp/XKD_szJlF6) Failed"

Anyone has an idea?

Thanks.

 

4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

When you generated the certificate from ISE did you do it without a CSR? How did you then import it into FMC?

Thank you for your response Marvin,

Yes I generate the certificate from ISE without a CSR like the info in the link. The certificate was downloaded in my pc and from the FMC I was able to import the cert and the private key.

I generate again the pxgrid certificates in ISE and this time the FMC was able to recognize and accept the cert.

I added the trusted root CA too and when I configured the integration with ISE in FMC the test failed with this error:

Primary host:
[INFO]: PXGrid v2 is enabled
[ERROR]: HttpsStringRequest on_handshake error: 337047686: certificate verify failed
[ERROR]: HttpsStringRequest SSL error: 2024-08-19 14:48:12(GMT): Starting SSL Handshake, SSL state:before SSL initialization
2024-08-19 14:48:12(GMT): SSL State:before SSL initialization
2024-08-19 14:48:12(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 14:48:12(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 14:48:12(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 14:48:13(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 14:48:13(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 14:48:13(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 14:48:13(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 14:48:13(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 14:48:13(GMT): SSL State:SSLv3/TLS read server hello
2024-08-19 14:48:13(GMT): Entering OpenSSL verify callback, preverified:0, error: self signed certificate in certificate chain, error depth: 3, current_cert: Certificate with Serial Number '0x0AF966010CFE4D8E9C19D737749986B6', issued by 'CN = Certificate Services Root CA - ISE-NR-1', to 'CN = Certificate Services Root CA - ISE-NR-1'
2024-08-19 14:48:13(GMT): Rejecting this certificate presented by foreign server: Certificate with Serial Number '0x6B294AD7C32F40DABB04B35A36B40977', issued by 'CN = Certificate Services Endpoint Sub CA - ISE-NR-1', to 'OU = ISE Messaging Service, CN = ISE-NR-1.domain.com'
...because SSL negotiation encountered error: self signed certificate in certificate chain
...while validating this entry in the certificate chain: Certificate with Serial Number '0x0AF966010CFE4D8E9C19D737749986B6', issued by 'CN = Certificate Services Root CA - ISE-NR-1', to 'CN = Certificate Services Root CA - ISE-NR-1'
2024-08-19 14:48:13(GMT): Sending SSL alert:unknown CA
2024-08-19 14:48:13(GMT): SSL State:error
[ERROR]: Performing request failed with a timeout.
[ERROR]: Failed to contact pxGrid node at 'w.x.y.z': Request failed with a timeout.

I have to say that testing ping betwen ISE and FMC is sucesfully and the time configuration is good.

It seems to be a problem with the certificate. What coud be the error and timeout issue?

Thanks.

Your network connectivity is good.

Make sure that the certificate you add and select for the MnT server and pxGrid server is the "Certificate Services Root CA - ISE-NR-1".

FMC needs to trust that and, once it does, the SSL/TLS handshake should succeed.

Thank you Marvin,

I took the correct root certificate and now when doing the test I advanced a little more. Now this message appears:

Primary host:
[INFO]: PXGrid v2 is enabled
[INFO]: pxgrid 2.0: account activate succeeded
[ERROR]: HttpsStringRequest on_handshake error: 337047686: certificate verify failed
[ERROR]: HttpsStringRequest SSL error: 2024-08-19 16:00:19(GMT): Starting SSL Handshake, SSL state:before SSL initialization
2024-08-19 16:00:19(GMT): SSL State:before SSL initialization
2024-08-19 16:00:19(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:19(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:19(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:19(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:19(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:19(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:19(GMT): SSL State:SSLv3/TLS read server hello
2024-08-19 16:00:19(GMT): Entering OpenSSL verify callback, preverified:0, error: self signed certificate in certificate chain, error depth: 3, current_cert: Certificate with Serial Number '0x3CE95BCC2309400F9459CEA361858338', issued by 'CN = Certificate Services Root CA - ISE-NR-1', to 'CN = Certificate Services Root CA - ISE-NR-1'
2024-08-19 16:00:19(GMT): Rejecting this certificate presented by foreign server: Certificate with Serial Number '0x07D9534357EE420CBADFE71C8F7A22F3', issued by 'CN = Certificate Services Endpoint Sub CA - ISE-NR-2', to 'OU = Certificate Services System Certificate, CN = ISE-NR-2.cardoniv.com'
...because SSL negotiation encountered error: self signed certificate in certificate chain
...while validating this entry in the certificate chain: Certificate with Serial Number '0x3CE95BCC2309400F9459CEA361858338', issued by 'CN = Certificate Services Root CA - ISE-NR-1', to 'CN = Certificate Services Root CA - ISE-NR-1'
2024-08-19 16:00:19(GMT): Sending SSL alert:unknown CA
2024-08-19 16:00:19(GMT): SSL State:error
[ERROR]: Performing request failed with a timeout.
[ERROR]: connection to ISE-NR-2.domain.com:8910 fails: Request failed with a timeout.
[INFO]: Successful connection to ISE-NR-1.domain.com:8910
[INFO]: These ISE Services are up: SessionDirectory, SXP, EndpointProfile, SecurityGroups, AdaptiveNetworkControl
[INFO]: All requested ISE Services are online.

Secondary host:
[INFO]: PXGrid v2 is enabled
[ERROR]: HttpsStringRequest on_handshake error: 337047686: certificate verify failed
[ERROR]: HttpsStringRequest SSL error: 2024-08-19 16:00:32(GMT): Starting SSL Handshake, SSL state:before SSL initialization
2024-08-19 16:00:32(GMT): SSL State:before SSL initialization
2024-08-19 16:00:32(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:32(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:32(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:32(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:32(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:32(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:32(GMT): SSL State:SSLv3/TLS read server hello
2024-08-19 16:00:32(GMT): Entering OpenSSL verify callback, preverified:0, error: self signed certificate in certificate chain, error depth: 3, current_cert: Certificate with Serial Number '0x3CE95BCC2309400F9459CEA361858338', issued by 'CN = Certificate Services Root CA - ISE-NR-1', to 'CN = Certificate Services Root CA - ISE-NR-1'
2024-08-19 16:00:32(GMT): Rejecting this certificate presented by foreign server: Certificate with Serial Number '0x07D9534357EE420CBADFE71C8F7A22F3', issued by 'CN = Certificate Services Endpoint Sub CA - ISE-NR-2', to 'OU = Certificate Services System Certificate, CN = ISE-NR-2.cardoniv.com'
...because SSL negotiation encountered error: self signed certificate in certificate chain
...while validating this entry in the certificate chain: Certificate with Serial Number '0x3CE95BCC2309400F9459CEA361858338', issued by 'CN = Certificate Services Root CA - ISE-NR-1', to 'CN = Certificate Services Root CA - ISE-NR-1'
2024-08-19 16:00:32(GMT): Sending SSL alert:unknown CA
2024-08-19 16:00:32(GMT): SSL State:error
[ERROR]: Performing request failed with a timeout.
[ERROR]: Failed to contact pxGrid node at 'w.x.y.z': Request failed with a timeout.

What could be happen? 

Review Cisco Networking for a $25 gift card