Re: Error to validate a pxGrid certificate in FMC

LuigiDiFronzo9542 · ‎08-19-2024

Hello,

I create a pxGrid certificate in ISE following this URL (https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-32/220856-configure-and-troubleshoot-ise-3-2-with.html#toc-hId--1225537032).

When I tried to add the internal cert in FMC I got this error:

"Failed to validate Cert Based EO: System (/usr/bin/sudo /usr/bin/openssl rsa -outform pem -inform pem -in /tmp/Sp3Kkt49CV -passin file:/tmp/5ZbeyQmSDf -out /tmp/XKD_szJlF6) Failed"

Anyone has an idea?

Thanks.

Marvin Rhoads · ‎08-19-2024

When you generated the certificate from ISE did you do it without a CSR? How did you then import it into FMC?

LuigiDiFronzo9542 · ‎08-19-2024

Thank you for your response Marvin,

Yes I generate the certificate from ISE without a CSR like the info in the link. The certificate was downloaded in my pc and from the FMC I was able to import the cert and the private key.

I generate again the pxgrid certificates in ISE and this time the FMC was able to recognize and accept the cert.

I added the trusted root CA too and when I configured the integration with ISE in FMC the test failed with this error:

Primary host:
[INFO]: PXGrid v2 is enabled
[ERROR]: HttpsStringRequest on_handshake error: 337047686: certificate verify failed
[ERROR]: HttpsStringRequest SSL error: 2024-08-19 14:48:12(GMT): Starting SSL Handshake, SSL state:before SSL initialization
2024-08-19 14:48:12(GMT): SSL State:before SSL initialization
2024-08-19 14:48:12(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 14:48:12(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 14:48:12(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 14:48:13(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 14:48:13(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 14:48:13(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 14:48:13(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 14:48:13(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 14:48:13(GMT): SSL State:SSLv3/TLS read server hello
2024-08-19 14:48:13(GMT): Entering OpenSSL verify callback, preverified:0, error: self signed certificate in certificate chain, error depth: 3, current_cert: Certificate with Serial Number '0x0AF966010CFE4D8E9C19D737749986B6', issued by 'CN = Certificate Services Root CA - ISE-NR-1', to 'CN = Certificate Services Root CA - ISE-NR-1'
2024-08-19 14:48:13(GMT): Rejecting this certificate presented by foreign server: Certificate with Serial Number '0x6B294AD7C32F40DABB04B35A36B40977', issued by 'CN = Certificate Services Endpoint Sub CA - ISE-NR-1', to 'OU = ISE Messaging Service, CN = ISE-NR-1.domain.com'
...because SSL negotiation encountered error: self signed certificate in certificate chain
...while validating this entry in the certificate chain: Certificate with Serial Number '0x0AF966010CFE4D8E9C19D737749986B6', issued by 'CN = Certificate Services Root CA - ISE-NR-1', to 'CN = Certificate Services Root CA - ISE-NR-1'
2024-08-19 14:48:13(GMT): Sending SSL alert:unknown CA
2024-08-19 14:48:13(GMT): SSL State:error
[ERROR]: Performing request failed with a timeout.
[ERROR]: Failed to contact pxGrid node at 'w.x.y.z': Request failed with a timeout.

I have to say that testing ping betwen ISE and FMC is sucesfully and the time configuration is good.

It seems to be a problem with the certificate. What coud be the error and timeout issue?

Thanks.

Marvin Rhoads · ‎08-19-2024

Your network connectivity is good.

Make sure that the certificate you add and select for the MnT server and pxGrid server is the "Certificate Services Root CA - ISE-NR-1".

FMC needs to trust that and, once it does, the SSL/TLS handshake should succeed.

LuigiDiFronzo9542 · ‎08-19-2024

Thank you Marvin,

I took the correct root certificate and now when doing the test I advanced a little more. Now this message appears:

Primary host:
[INFO]: PXGrid v2 is enabled
[INFO]: pxgrid 2.0: account activate succeeded
[ERROR]: HttpsStringRequest on_handshake error: 337047686: certificate verify failed
[ERROR]: HttpsStringRequest SSL error: 2024-08-19 16:00:19(GMT): Starting SSL Handshake, SSL state:before SSL initialization
2024-08-19 16:00:19(GMT): SSL State:before SSL initialization
2024-08-19 16:00:19(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:19(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:19(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:19(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:19(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:19(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:19(GMT): SSL State:SSLv3/TLS read server hello
2024-08-19 16:00:19(GMT): Entering OpenSSL verify callback, preverified:0, error: self signed certificate in certificate chain, error depth: 3, current_cert: Certificate with Serial Number '0x3CE95BCC2309400F9459CEA361858338', issued by 'CN = Certificate Services Root CA - ISE-NR-1', to 'CN = Certificate Services Root CA - ISE-NR-1'
2024-08-19 16:00:19(GMT): Rejecting this certificate presented by foreign server: Certificate with Serial Number '0x07D9534357EE420CBADFE71C8F7A22F3', issued by 'CN = Certificate Services Endpoint Sub CA - ISE-NR-2', to 'OU = Certificate Services System Certificate, CN = ISE-NR-2.cardoniv.com'
...because SSL negotiation encountered error: self signed certificate in certificate chain
...while validating this entry in the certificate chain: Certificate with Serial Number '0x3CE95BCC2309400F9459CEA361858338', issued by 'CN = Certificate Services Root CA - ISE-NR-1', to 'CN = Certificate Services Root CA - ISE-NR-1'
2024-08-19 16:00:19(GMT): Sending SSL alert:unknown CA
2024-08-19 16:00:19(GMT): SSL State:error
[ERROR]: Performing request failed with a timeout.
[ERROR]: connection to ISE-NR-2.domain.com:8910 fails: Request failed with a timeout.
[INFO]: Successful connection to ISE-NR-1.domain.com:8910
[INFO]: These ISE Services are up: SessionDirectory, SXP, EndpointProfile, SecurityGroups, AdaptiveNetworkControl
[INFO]: All requested ISE Services are online.

Secondary host:
[INFO]: PXGrid v2 is enabled
[ERROR]: HttpsStringRequest on_handshake error: 337047686: certificate verify failed
[ERROR]: HttpsStringRequest SSL error: 2024-08-19 16:00:32(GMT): Starting SSL Handshake, SSL state:before SSL initialization
2024-08-19 16:00:32(GMT): SSL State:before SSL initialization
2024-08-19 16:00:32(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:32(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:32(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:32(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:32(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:32(GMT): SSL State:SSLv3/TLS write client hello
2024-08-19 16:00:32(GMT): SSL State:SSLv3/TLS read server hello
2024-08-19 16:00:32(GMT): Entering OpenSSL verify callback, preverified:0, error: self signed certificate in certificate chain, error depth: 3, current_cert: Certificate with Serial Number '0x3CE95BCC2309400F9459CEA361858338', issued by 'CN = Certificate Services Root CA - ISE-NR-1', to 'CN = Certificate Services Root CA - ISE-NR-1'
2024-08-19 16:00:32(GMT): Rejecting this certificate presented by foreign server: Certificate with Serial Number '0x07D9534357EE420CBADFE71C8F7A22F3', issued by 'CN = Certificate Services Endpoint Sub CA - ISE-NR-2', to 'OU = Certificate Services System Certificate, CN = ISE-NR-2.cardoniv.com'
...because SSL negotiation encountered error: self signed certificate in certificate chain
...while validating this entry in the certificate chain: Certificate with Serial Number '0x3CE95BCC2309400F9459CEA361858338', issued by 'CN = Certificate Services Root CA - ISE-NR-1', to 'CN = Certificate Services Root CA - ISE-NR-1'
2024-08-19 16:00:32(GMT): Sending SSL alert:unknown CA
2024-08-19 16:00:32(GMT): SSL State:error
[ERROR]: Performing request failed with a timeout.
[ERROR]: Failed to contact pxGrid node at 'w.x.y.z': Request failed with a timeout.

What could be happen?