CPAM certificate_expired

Some of our customers use an access control system based on Cisco Physical Access Manager 1.3, 1.4.

Since Thursday / Friday (07.19.2018 - 07.20.2018), global problems with CPAM have begun.
All Cisco Physical Access Gateway controllers are no longer connected to the CPAM server.
The following is written in the /opt/cisco/cpam/logs/cpsm.log:

 

Thread-26 ERROR comm-comm.TransportContext: Error In Completing The SSL Handshake. Exception: Received fatal alert: certificate_expired
Thread-26 ERROR deviceconfig-config.GwConnStateListener: Error in handing gatewayConnectionReset ip = 10.2.120.21 and port = 1.311

 

where 10.2.120.21 is the IP address of the controller / controllers with which there are problems.

As I understand from the error, there is some problem with the SSL certificate, more precisely with its validity.
Not finding information on a solution, I had to use a workaround: disabling the SSL connection between the server and the controller.

I understand that the problem should already be known, since at least three clients showed up.

Tell me how to solve it the right way?

1 ACCEPTED SOLUTION

Cisco Employee

Hey,

We have a fix for the CPAM server; you can find the script here: https://software.cisco.com/download/home/282089927/type/282463808/release/1.5.3

Please go through the Readme file from the zip and follow the procedure as per your CPAM deployment.

This fix addressed the CPAM SSL certificate expired issue.

***STANDALONE*** server patch deployment instructions:
===========================================
1. ftp/winscp the certificate.zip to the ICPAM server as cpamadmin user
2. ssh to server as cpamadmin
3. # sudo su -
4. # cd /home/cpamadmin
5. # unzip certificate.zip
6. # cd certpatch
7. # bash certificate_update.sh
* If any issues persist, please go to web admin console > monitoring > click stop on the server and then start.

Ensure you back up the server config and events before performing this activity.

Regards,

Raghav.


10 REPLIES

We don't have active service contracts to download this script.

Can you make it public?

Your account team should be able to get this for you.

Thank you, this was helpful and I believe it worked. What is the best way to verify this was successful? Is there a way to view the updated SSL certificate in the CLI or in the web interface?


Hey zshelefka, question about the patch. After you ran it, did you have to restart the server or services or does it just patch it and you're good to go?
Thanks!

The patch should restart services for you. If you're having any issues, please start and stop services from the web interface.

All the services restarted on their own after applying the patch.

In the web interface, you can click on the insecure warning and view the certificate. If the patch was successful, you will see that the new cert expires in 2028
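
A command-line way to make the same check, as an added example that is not part of the thread or of Cisco's patch: it reads the expiry date of the certificate a server presents, using openssl. The host argument and the default port 443 are assumptions, not values from this page.

```shell
#!/bin/sh
# Added example: confirm that the certificate a server presents is not expired.
# Assumptions (not from the thread): the host given on the command line and
# the default port 443.

# Print the notAfter date of a PEM certificate file.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 if the certificate in file $1 stays valid for at least $2 more days,
# 1 if it has expired or will expire inside that window.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Save the leaf certificate presented by host $1 on port $2 into file $3.
# No trust-chain validation is done here: the goal is only to read the dates,
# and an expired or self-signed certificate must still be retrievable.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# Report on one certificate file; $2 is the renewal warning window in days.
# Exit status: 0 = fine, 1 = expires inside the window, 2 = already expired.
report_cert() {
    file=$1 warn_days=${2:-30}
    echo "notAfter: $(cert_not_after "$file")"
    if ! cert_valid_for_days "$file" 0; then
        echo "EXPIRED"; return 2
    elif ! cert_valid_for_days "$file" "$warn_days"; then
        echo "EXPIRES within $warn_days days"; return 1
    fi
    echo "OK"
}

# Usage: sh check_cert.sh <host> [port]
if [ "$#" -ge 1 ]; then
    tmp=$(mktemp) && trap 'rm -f "$tmp"' EXIT
    fetch_server_cert "$1" "${2:-443}" "$tmp" && report_cert "$tmp" 30
fi
```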

Thank you, the patch worked.


Hi, I tried to download with my account and am getting the below error.

Ciscoweb.JPG