cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4506
Views
5
Helpful
11
Replies

CPAM certificate_expired

Sergey Muravjev
Level 1
Level 1

Some of our customers use an access control system based on Cisco Physical Access Manager 1.3, 1.4

From Thursday / Friday (07.19.2018 - 07.20.2018) with CPAM global problems have begun.
All Cisco Physical Access Gateway controllers are no longer connected to the CPAM server.
The following is written in the /opt/cisco/cpam/logs/cpsm.log:

 

Thread-26 ERROR comm-comm.TransportContext: Error In Completing The SSL Handshake. Exception: Received fatal alert: certificate_expired
Thread-26 ERROR deviceconfig-config.GwConnStateListener: Error in handing gatewayConnectionReset ip = 10.2.120.21 and port = 1.311

 

where 10.2.120.21 0 the IP addresses of the controller / controllers with which there are problems.

 

As I understand, by mistake there is some problem with the ssl certificate, more precisely with its validity.
not finding the information on the solution had to solve bypass - disabling the ssl connection between the server and the controller.

I understand that the problem should already be known. since at least three clients showed up.

Tell me how to solve it the right way?

1 Accepted Solution

Accepted Solutions

Raghav-Rao
Cisco Employee
Cisco Employee

Hey,

 

we have fix for the CPAM server, you can find the script - https://software.cisco.com/download/home/282089927/type/282463808/release/1.5.3

 

Please go though the Readme file from zip as per your CPAM deployment follow the procedure.

 

This fix addressed the CPAM SSL certificate expired issue.

***STANDALONE*** server patch deployment instructions:
===========================================
1. ftp/winscp the certificate.zip to the ICPAM server as cpamadmin user
2. ssh to server as cpamadmin
3. # sudo su -
4. # cd /home/cpamadmin
5. # unzip certificate.zip
6. # cd certpatch
7. # bash certificate_update.sh
* IF any issues persist plesae go to web admin console > monitoring > click stop on the server and then start.

 

Ensure to backup server config and events before performing these activity.

 

Regards,

Raghav.

View solution in original post

11 Replies 11

Raghav-Rao
Cisco Employee
Cisco Employee

Hey,

 

we have fix for the CPAM server, you can find the script - https://software.cisco.com/download/home/282089927/type/282463808/release/1.5.3

 

Please go though the Readme file from zip as per your CPAM deployment follow the procedure.

 

This fix addressed the CPAM SSL certificate expired issue.

***STANDALONE*** server patch deployment instructions:
===========================================
1. ftp/winscp the certificate.zip to the ICPAM server as cpamadmin user
2. ssh to server as cpamadmin
3. # sudo su -
4. # cd /home/cpamadmin
5. # unzip certificate.zip
6. # cd certpatch
7. # bash certificate_update.sh
* IF any issues persist plesae go to web admin console > monitoring > click stop on the server and then start.

 

Ensure to backup server config and events before performing these activity.

 

Regards,

Raghav.

We haven't active service contracts for download this script.

Can you do it public?

Your account team should be able to get this for you.

Thank you, this was helpful and I believe it worked. What is the best way to verify this was successful? Is there a way to view the updated SSL certificate in the CLI or in the web interface?

Hey zshelefka, question about the patch. After you ran it, did you have to restart the server or services or does it just patch it and you're good to go?
Thanks!

The patch should restart services for you. If you're having any issues, please start and stop services from the web interface

All the services restarted on their own after applying the patch.

In the web interface, you can click on the insecure warning and view the certificate. If the patch was successful, you will see that the new cert expires in 2028

Thank you, the patch worked.

Hi, I tried download with my account and getting below error. 

Ciscoweb.JPG

engmouafy
Level 1
Level 1

Hello guys,

 

I need the firmware for cpam gateway and it is no longer available on Cisco,

ciac-gw-sw-k9-1.5.3_0.3.6.bin - appreciate if you can support

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: