Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5308
Views
5
Helpful
11
Replies

CPAM certificate_expired

Go to solution
Sergey Muravjev
Level 1
Level 1

‎07-24-2018 12:21 AM

Some of our customers use an access control system based on Cisco Physical Access Manager 1.3, 1.4

From Thursday / Friday (07.19.2018 - 07.20.2018) with CPAM global problems have begun.
All Cisco Physical Access Gateway controllers are no longer connected to the CPAM server.
The following is written in the /opt/cisco/cpam/logs/cpsm.log:

 

Thread-26 ERROR comm-comm.TransportContext: Error In Completing The SSL Handshake. Exception: Received fatal alert: certificate_expired
Thread-26 ERROR deviceconfig-config.GwConnStateListener: Error in handing gatewayConnectionReset ip = 10.2.120.21 and port = 1.311

 

where 10.2.120.21 0 the IP addresses of the controller / controllers with which there are problems.

 

As I understand, by mistake there is some problem with the ssl certificate, more precisely with its validity.
not finding the information on the solution had to solve bypass - disabling the ssl connection between the server and the controller.

I understand that the problem should already be known. since at least three clients showed up.

Tell me how to solve it the right way?

2 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Raghav-Rao
Cisco Employee
Cisco Employee

‎07-24-2018 12:42 AM

Hey,

 

we have fix for the CPAM server, you can find the script - https://software.cisco.com/download/home/282089927/type/282463808/release/1.5.3

 

Please go though the Readme file from zip as per your CPAM deployment follow the procedure.

 

This fix addressed the CPAM SSL certificate expired issue.

***STANDALONE*** server patch deployment instructions:
===========================================
1. ftp/winscp the certificate.zip to the ICPAM server as cpamadmin user
2. ssh to server as cpamadmin
3. # sudo su -
4. # cd /home/cpamadmin
5. # unzip certificate.zip
6. # cd certpatch
7. # bash certificate_update.sh
* IF any issues persist plesae go to web admin console > monitoring > click stop on the server and then start.

 

Ensure to backup server config and events before performing these activity.

 

Regards,

Raghav.

View solution in original post

11 Replies 11

Go to solution
Raghav-Rao
Cisco Employee
Cisco Employee

‎07-24-2018 12:42 AM

Hey,

 

we have fix for the CPAM server, you can find the script - https://software.cisco.com/download/home/282089927/type/282463808/release/1.5.3

 

Please go though the Readme file from zip as per your CPAM deployment follow the procedure.

 

This fix addressed the CPAM SSL certificate expired issue.

***STANDALONE*** server patch deployment instructions:
===========================================
1. ftp/winscp the certificate.zip to the ICPAM server as cpamadmin user
2. ssh to server as cpamadmin
3. # sudo su -
4. # cd /home/cpamadmin
5. # unzip certificate.zip
6. # cd certpatch
7. # bash certificate_update.sh
* IF any issues persist plesae go to web admin console > monitoring > click stop on the server and then start.

 

Ensure to backup server config and events before performing these activity.

 

Regards,

Raghav.

Go to solution
Sergey Muravjev
Level 1
Level 1
In response to Raghav-Rao

‎07-24-2018 12:53 AM

We haven't active service contracts for download this script.

Can you do it public?

0 Helpful

Go to solution
Michael Solomonides
Cisco Employee
Cisco Employee
In response to Sergey Muravjev

‎07-26-2018 01:10 PM

Your account team should be able to get this for you.
0 Helpful

Go to solution
zshelefka
Level 1
Level 1
In response to Raghav-Rao

‎07-27-2018 11:28 AM - edited ‎07-27-2018 11:28 AM

Thank you, this was helpful and I believe it worked. What is the best way to verify this was successful? Is there a way to view the updated SSL certificate in the CLI or in the web interface?

0 Helpful

Go to solution
Nicholas Hood
Level 1
Level 1
In response to zshelefka

‎07-27-2018 01:50 PM

Hey zshelefka, question about the patch. After you ran it, did you have to restart the server or services or does it just patch it and you're good to go?
Thanks!
0 Helpful

Go to solution
Michael Solomonides
Cisco Employee
Cisco Employee
In response to Nicholas Hood

‎07-27-2018 02:18 PM

The patch should restart services for you. If you're having any issues, please start and stop services from the web interface

0 Helpful

Go to solution
zshelefka
Level 1
Level 1
In response to Nicholas Hood

‎07-28-2018 06:10 PM

All the services restarted on their own after applying the patch.
0 Helpful

Go to solution
Michael Solomonides
Cisco Employee
Cisco Employee
In response to zshelefka

‎07-27-2018 02:17 PM

In the web interface, you can click on the insecure warning and view the certificate. If the patch was successful, you will see that the new cert expires in 2028
0 Helpful

Go to solution
zshelefka
Level 1
Level 1
In response to Michael Solomonides

‎07-28-2018 06:09 PM

Thank you, the patch worked.

0 Helpful

Go to solution
p.marinceu
Level 1
Level 1
In response to Raghav-Rao

‎08-20-2018 01:40 AM

Hi, I tried download with my account and getting below error. 

Ciscoweb.JPG

0 Helpful

Go to solution
engmouafy
Level 1
Level 1

‎08-06-2023 08:40 AM

Hello guys,

 

I need the firmware for cpam gateway and it is no longer available on Cisco,

ciac-gw-sw-k9-1.5.3_0.3.6.bin - appreciate if you can support

0 Helpful
Customers Also Viewed These Support Documents