Re: Unable to import server certificate to FMC - Page 2

lyutov_dv · ‎11-09-2017

hi
I'm trying to import server certifacate issued by our corporate CA to FMC, but i always get error "Unable to verify certificate."

In /var/log/httpd/httpsd_error_log i see errors:

[Thu Nov 09 08:59:37.040550 2017] [cgi:error] [pid 27221] [client 10.12.91.238:33111] AH01215: No such file or directory:/etc/sf/crl.conf at /usr/local/sf/lib/perl/5.10.1/SF/X509Certificates.pm line 919.: /usr/local/sf/htdocs/admin/https_cert.cgi, referer: https://fmc.isd.lamoda.tech/admin/https_cert.cgi
[Thu Nov 09 08:59:37.040652 2017] [cgi:error] [pid 27221] [client 10.12.91.238:33111] AH01215: (Unable to verify certificate.) in /usr/local/sf/htdocs/admin/https_cert.cgi:163 at /usr/local/sf/lib/perl/5.10.1/SF.pm line 120.: /usr/local/sf/htdocs/admin/https_cert.cgi, referer: https://fmc.isd.lamoda.tech/admin/https_cert.cgi

I checked directory /etc/sf/ and there is no crl.conf in it.

What might be a reason?

Richard Krug · ‎12-07-2017

I'm using OpenSSL for this. In OpenSSL, I have a config file:

/root/ca/intermediate/openssl.cnf

This file has the following extension block, in which I find basicConstraints:

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
#basicConstraints = CA:FALSE
basicConstraints = critical, CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = <REMOVED>
authorityInfoAccess = OCSP;URI:<REMOVED>

I prepended "critical," and save the file.

When signing the CSR with OpenSSL, I used this command:

openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/fmc.mydomain.net.csr.pem -out intermediate/certs/fmc.mydomain.net.cert.pem

I was then able to import the certificate.

tmoore · ‎02-14-2018

I'm having this same issue and after modifying the cert to use basicConstraints = critical, CA:FALSE, I was able to import the certificate without getting the "unable to verify certificate" error message. But after the import I still don't see the new cert under HTTPS Certificate; even after a reboot I still only show the self signed cert as the current https server cert. What am I missing?

rolszowy · ‎02-14-2018

This sounds like a question for TAC, but what you can do is to go to expert mode and manually check /etc/ssl/server.* files.

I’m assuming that they were not replaced. In that case you can manually edit them and paste identity certificate and private, unencrypted key there. After that you need to restart httpsd process by:

pmtool RestartById httpsd

command.

From that point, management interface should display this new certificate.

Regards,

Raden

mikael.lahtela · ‎02-14-2018

I noticed today that in some cases it won't give you an error but not importing the SSL certificate either if something is still wrong with it.
I finally managed to import the certificate, but still need to solve some issues to make it valid for browsers, going to take a look at this tomorrow and try to write it down.
I think FMC needs more error checking on the SSL import tool.

br, Micke

randomfortune · ‎02-22-2018

I had the same problem where it would finally take the certs without error, but would continue to show the old one. I went and checked the config file via the CLI under /etc/httpd/ssl_certificates.conf

and noticed there were different values loaded to the SSLCertificateFile and SSLCertificateKeyFile fields. I cleared the old values and replaced them with the following:

SSLCertificateFile /etc/ssl/server.crt

SSLCertificateKeyFile /etc/ssl/server.key

Restart the httpsd service with this command to enforce the new values: pmtool RestartByID httpsd

argrullo · ‎02-22-2018

Hello Everyone,

As some of you have mentioned, the current behavior is a bug. It was not actually fixed on 6.2.2.1.

I have resolved this issue for other customer by performing the import of the certificate thru the CLI.

The steps are not complicated, but they are not intuitive either. It will be required to have a certificate, and the private key used for that certificate.

The below steps are used when creating a new certificate and private key thru the cli.

If you have a cert and private key from an Internal CA, then you could copy and paste that information into two files.

vi /etc/ssl/InternalCACertificate.crt

vi /etc/ssl/InternalCAKey.key

Then you can move to around step 6.

CSCvf42713- cannot import web UI HTTPS server certificate on Firepower Management Center or 7000/8000 Series

The workaround that needs to be performed is below.

admin@Luna:~$ cd Mark/ <---------- Create Directory to use a temporary stage area
admin@Luna:~/Mark$ ls
admin@Luna:~/Mark$ openssl genrsa -out server.key 2048 <------------ Creating the private key that will be used to generate the CSR and the certificate.
Generating RSA private key, 2048 bit long modulus
.........................
......
e is 65537 (0x10001)
admin@Luna:~/Mark$ openssl req -out CSR.csr -key server.key -new -sha256 <------------ Creating the CSR with the private key created in the previous step. Fill out information for the CSR. This CSR can be used to create a certificate from your internal CA. If using your own CA to generate the certificate, then after you generate the certificate, copy the information in to a file named server.key.new. Then skip to step 4.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Code []:
State or Province Name []:
Locality Name []:
Organization Name []:
Organizational Unit Name []:
Common Name []:
Email Address []:
admin@Luna:~/Mark$ ls
CSR.csr server.key

admin@Luna:~/Mark$ openssl x509 -signkey server.key -in CSR.csr -req -days 365 -out cert.crt -sha256 <-------------- Creating a self signed certificate from the CSR and the private key.
Signature ok

admin@Luna:~/Mark$ sudo mv server.key /etc/ssl/server.key.new <---------- Moving server key to the required location
Password:
Last login: Fri Dec 29 17:04:52 UTC 2017

admin@Luna:~/Mark$ sudo mv cert.crt /etc/ssl/server.crt.new <----------Moving server certificate to the required location.
Last login: Fri Dec 29 17:07:04 UTC 2017 on pts/1
admin@Luna:~/Mark$ ls
CSR.csr
admin@Luna:~/Mark$ cd /etc/ssl
admin@Luna:/etc/ssl$ ls
TAC.key crl openssl.cnf server.conf server.crt server.crt.new server.crt.older server.key server.key.new

admin@Luna:/etc/ssl$ sudo mv server.crt ./server.crt.original <----------Changing the name on the original server certificate
Last login: Fri Dec 29 17:07:35 UTC 2017 on pts/1

admin@Luna:/etc/ssl$ sudo mv server.key ./server.key.original <----------Changing the name on the original server private key
Last login: Fri Dec 29 17:08:20 UTC 2017 on pts/1
admin@Luna:/etc/ssl$ ls

TAC.key crl openssl.cnf server.conf server.crt.new server.crt.older server.crt.original server.key.new server.key.original

admin@Luna:/etc/ssl$ sudo mv server.crt.new ./server.crt <-------------Changing the name on the new server certificate.
Last login: Fri Dec 29 17:08:37 UTC 2017 on pts/1

admin@Luna:/etc/ssl$ sudo mv server.key.new ./server.key <------------ Changing the name on the new server key
Last login: Fri Dec 29 17:09:05 UTC 2017 on pts/1

admin@Luna:/etc/ssl$ sudo pmtool restartbyid httpsd <-----------Restarting the httpsd process so it reload the certificate.
Last login: Fri Dec 29 17:09:19 UTC 2017 on pts/1

tmoore · ‎02-23-2018

This process work for me!