
CPAM certificate_expired

Some of our customers use an access control system based on Cisco Physical Access Manager 1.3, 1.4.

Since Thursday / Friday (07.19.2018 - 07.20.2018), global problems with CPAM have begun.
All Cisco Physical Access Gateway controllers are no longer connected to the CPAM server.
The following is written in /opt/cisco/cpam/logs/cpsm.log:

 

Thread-26 ERROR comm-comm.TransportContext: Error In Completing The SSL Handshake. Exception: Received fatal alert: certificate_expired
Thread-26 ERROR deviceconfig-config.GwConnStateListener: Error in handing gatewayConnectionReset ip = 10.2.120.21 and port = 1.311

 

where 10.2.120.21 is the IP address of the controller / controllers with which there are problems.

 

As I understand it, there is some problem with the SSL certificate, more precisely with its validity.
Not finding any information on a solution, I had to use a workaround: disabling the SSL connection between the server and the controller.

I understand that the problem should already be known, since at least three clients have shown up with it.

Can you tell me how to solve it the right way?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: CPAM certificate_expired

Hey,

 

We have a fix for the CPAM server; you can find the script at https://software.cisco.com/download/home/282089927/type/282463808/release/1.5.3

 

Please go through the Readme file from the zip and follow the procedure for your CPAM deployment.

 

This fix addressed the CPAM SSL certificate expired issue.

***STANDALONE*** server patch deployment instructions:
===========================================
1. ftp/winscp the certificate.zip to the ICPAM server as cpamadmin user
2. ssh to server as cpamadmin
3. # sudo su -
4. # cd /home/cpamadmin
5. # unzip certificate.zip
6. # cd certpatch
7. # bash certificate_update.sh
* If any issues persist, please go to web admin console > monitoring > click stop on the server and then start.

 

Be sure to back up the server config and events before performing this activity.

 

Regards,

Raghav.

10 REPLIES 10
Re: CPAM certificate_expired

We don't have active service contracts to download this script.

Can you make it public?

Cisco Employee

Re: CPAM certificate_expired

Your account team should be able to get this for you.
Beginner

Re: CPAM certificate_expired

Thank you, this was helpful and I believe it worked. What is the best way to verify this was successful? Is there a way to view the updated SSL certificate in the CLI or in the web interface?

Beginner

Re: CPAM certificate_expired

Hey zshelefka, question about the patch. After you ran it, did you have to restart the server or services or does it just patch it and you're good to go?
Thanks!
Cisco Employee

Re: CPAM certificate_expired

The patch should restart services for you. If you're having any issues, please start and stop services from the web interface

Beginner

Re: CPAM certificate_expired

All the services restarted on their own after applying the patch.
Cisco Employee

Re: CPAM certificate_expired

In the web interface, you can click on the insecure warning and view the certificate. If the patch was successful, you will see that the new cert expires in 2028
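
One way to do the same check from a shell, as an added example that is not from this thread or from Cisco's patch: read the certificate's notAfter date with openssl. HOST and PORT are supplied by the operator and are assumptions here, as is openssl being installed where the check runs; with no arguments the script runs on a constructed throwaway certificate.

```shell
#!/bin/sh
# Added example, not part of Cisco's patch: check certificate expiry with openssl.

# Print the notAfter date of the PEM certificate in file $1.
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Succeed only if the certificate in $1 is still valid $2 days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Save the certificate presented by host $1 on port $2 to file $3. s_client
# completes the handshake even when the certificate is expired or self-signed.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$3" 2>/dev/null
}

# Constructed sample input: throwaway self-signed certificate $1, valid $2 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed.example" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Print the expiry of certificate $1; fail if it lapses within $2 days (default 30).
report() {
    printf 'notAfter: %s\n' "$(cert_enddate "$1")"
    if cert_valid_for "$1" "${2:-30}"; then
        echo "OK: valid for at least ${2:-30} more days"
    else
        echo "WARNING: expired or expiring within ${2:-30} days"
        return 1
    fi
}

main() {
    work=$(mktemp -d); status=0
    if [ "$#" -ge 2 ]; then   # live check: HOST PORT [DAYS], chosen by the operator
        fetch_server_cert "$1" "$2" "$work/server.pem" \
            && report "$work/server.pem" "$3" || status=$?
    else                      # offline demo on the constructed certificate
        make_sample_cert "$work/sample.pem" 3650 \
            && report "$work/sample.pem" || status=$?
    fi
    rm -rf "$work"
    return "$status"
}
main "$@"
```

Run it with the server address and the TLS port to inspect; a non-zero exit status means the presented certificate is expired or close to expiry, which makes the script usable from a monitoring job.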
Beginner

Re: CPAM certificate_expired

Thank you, the patch worked.

Beginner

Re: CPAM certificate_expired

Hi, I tried to download with my account and am getting the below error.

Ciscoweb.JPG
