ACS 5.4 - invalid management certificate, GUI is not accessible

Hello all,

By my fault, I've set an invalid management certificate. So, the GUI became inaccessible right after reboot of the mgmt service.

Mozilla Firefox is reporting "Certificate type not approved for application (Error code: sec_error_inadequate_cert_type)"

IE says "IE cannot display the webpage"

(both browsers asked for security exception because of new cert)

I went to acs-config mode and tried to reset the certificate by "reset-management-interface-certificate" command, but it failed:

Resetting ACS Management Interface Certificate...

Failed to Reset Management Interface Certificate.

See the logs for more details.

==> /opt/CSCOacs/logs/acsRuntime.log <==

PKILogic,04/03/2014,18:06:09:474,ERROR,3081878416,cntx=0000000460,PKILogic::onGenerateSelfSignedCertificateEx2Request: MD5 digest is not supported,PKILogic.cpp:359

Then I tried "acs restore", but it didn't solve the problem either; the invalid certificate is still there :-(

Any idea how to solve it?

Thanks

P.S.: the version is: 5.4.0.46.5

Cisco Employee

Try this:

reset-management-interface-certificate

To reset the management interface certificate to a default self-signed certificate, use the reset-management-interface-certificate command in the ACS Configuration mode. Only the super admin and system admin can run this command.

Command Reference:

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/command/reference/cli/cli_app_a.html#wp2063454

~BR
Jatin Katyal

Beginner

Hi Jatin,

I actually did that, but it failed:

Resetting ACS Management Interface Certificate...

Failed to Reset Management Interface Certificate.

See the logs for more details.

(The log is attached in my initial post)

Thanks for your reply.

Hi, I am unable to log onto my GUI even though I successfully ran the reset-management-interface-certificate command in the ACS Configuration mode twice. In acsRuntime.log I have errors like:

When I manually created a certificate

ERROR PKILogic::onGenerateSelfSignedCertificateEx2Request:Generation failed ; error=Invalid certificate subject DN length,PKILogic.cpp:378

Eap, 07/03/2014 18:05:165,WARN ,3010931616,NIL-CONTEXT,configureCTL = Failed to initializeCTL,EapConfigObjectBase.cpp:335

When I ran the reset certificate CLI command

ERROR, 3056110496,NIL-CONTEXT,DeviceAttrFactory::createAttrValue with marker = " .DeviceAttrFactory.cpp:29 Shellprofile, 07/03/2014

 

When I attempt to use the GUI:

ERROR,2954697632,onException - reason activemq::to::SocketInputStream::read - The connection is broken; state connected; stack trace: activemq::io::SocketInputStream::read - The connection is broken

 

Will a restore help?

Beginner

Hi Stuart,

that's a good point, the "restore" could maybe solve it, but I haven't made a full backup before :-(

And "acs restore" didn't fix the problem for me.

I had to re-install the ACS in the end:

1) application remove acs
2) application install ACS_5.4.0.46.0a.tar.gz "repository"    (tftp repository doesn't work)
3) acs patch install 5-4-0-46-6.tar.gpg repository "repository"
4) acs restore backup.tar.gpg repository "repository"

Regards
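
For log triage of the kind done in this thread, an added example (not code from the posters or from Cisco): it pulls PKILogic ERROR records out of acsRuntime.log text so the stated reason, here the MD5 digest rejection, stands out. The comma-separated field layout is inferred from the single record quoted in the first post and is an assumption; every sample line except that record is constructed.

```python
import re
from typing import NamedTuple, Optional

class PkiError(NamedTuple):
    timestamp: str
    function: str
    reason: str
    source: str

# Field layout inferred from the one record quoted in the thread (an assumption):
# component,date,time,level,thread,context,message,file.cpp:line
RECORD = re.compile(
    r"^(?P<component>[^,]+),\s*(?P<date>\d{2}/\d{2}/\d{4}),(?P<time>[\d:]+),"
    r"(?P<level>[A-Z]+)\s*,\s*(?P<thread>\d+),(?P<context>[^,]*),"
    r"(?P<message>.*),(?P<source>[^,]+\.cpp:\d+)\s*$"
)

def parse_record(line: str) -> Optional[dict]:
    """Return the record's fields, or None for blank lines, `tail` headers
    such as '==> file <==', and anything else that is not a full record."""
    m = RECORD.match(line.strip())
    return m.groupdict() if m else None

def pki_errors(lines) -> list:
    """Collect ERROR records from the PKILogic component, splitting
    'Class::method: reason' so the reason can be read at a glance."""
    found = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["component"] != "PKILogic" or rec["level"] != "ERROR":
            continue
        function, sep, reason = rec["message"].partition(": ")
        if not sep:  # no 'function: reason' shape, keep the whole message
            function, reason = "", rec["message"]
        found.append(PkiError(f'{rec["date"]} {rec["time"]}', function,
                              reason.strip(), rec["source"]))
    return found

# First record is the one quoted in the thread; the other two are constructed.
SAMPLE_LOG = """\
==> /opt/CSCOacs/logs/acsRuntime.log <==
PKILogic,04/03/2014,18:06:09:474,ERROR,3081878416,cntx=0000000460,PKILogic::onGenerateSelfSignedCertificateEx2Request: MD5 digest is not supported,PKILogic.cpp:359
PKILogic,04/03/2014,18:06:10:002,INFO,3081878416,cntx=0000000461,constructed: informational record, ignored,PKILogic.cpp:1
Eap,04/03/2014,18:06:11:120,WARN ,3010931616,NIL-CONTEXT,constructed: other component,EapConfigObjectBase.cpp:1
"""

if __name__ == "__main__":
    for err in pki_errors(SAMPLE_LOG.splitlines()):
        print(f"{err.timestamp}  {err.reason}  ({err.function}, {err.source})")
```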