vManage Certificate Failure

samirshaikh52
Level 2

Hello

I am trying to install the certificate for the vManage controller but am getting the following error:

Failed to retrieve device data

Failed to find device with uuid null

 

I've tried the following methods to create a certificate but am getting the same error message:

- Windows Server CA

- XCA

- OpenSSL

 

Any thoughts on this issue?

1 Accepted Solution

RohitRaj03827
Spotlight

Hi,

Use the following steps for certificate installation on vManage:

For a lab you can use OpenSSL:

Go to vManage CLI-->

vManage#vshell

vmanage:~$

-> Generate the Root CA certificate. First log in to the vshell, which is a Unix-like shell. Log in with the vshell command.

-> To generate a Root CA key, use the following command:

     openssl genrsa -out ROOTCA.key 2048

-> Next, generate the Root CA certificate. I will generate a certificate with 5 years of validity; use the following command:

     openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 2000 \
         -subj "/C=AU/ST=NSW/L=NSW/O=sdwan-testlab/CN=vmanage.lab" \
         -out ROOTCA.pem

 

-> This will create a Root CA cert named ROOTCA.pem. cat the file contents so you can copy and paste them under

     Administration->Settings->Enterprise Root Certificate box and click on Import & Save.

 

-> Keep the WAN Edge Cloud Certificate Authorization method as Automated (vManage - signed Certificate). This way the vManage will automatically sign the cloud edge certs when they connect to the vManage.

 

-> Next we need to create a CSR for the vManage. Navigate to the certificates section.

  • Configuration->Certificates->Controllers->vManage->click on "..."->Generate CSR.
  • A window will pop up with the CSR text. Copy that CSR text and sign the vManage-generated CSR with the ROOTCA.key and ROOTCA.pem.
  • Back in the vshell there will be a file called vmanage_csr. Sign this file with the ROOTCA.key and ROOTCA.pem; use the following command to sign the CSR with ROOTCA.key and ROOTCA.pem:

       openssl x509 -req -in vmanage_csr \
           -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
           -out vmanage.crt -days 2000 -sha256

  • This creates a file called vmanage.crt. cat the file in order to copy and paste it into the web interface in the next step.
  • Copy and paste the signed CSR into the web interface in the next step.
  • Navigate to the certificates page and install the certificate by pasting the contents of the vmanage.crt (signed CSR) file and click Install.
  • Configuration->Certificates->Controllers->vManage->Install Certificate.
  • You should see a success message.
    ---------------------------------------------------------------------------------------------

This is how you can use OpenSSL and follow the same process for Windows CA.

 

Let me know if you still have any doubt about it. Hit the Helpful button if this post has helped you.

 

 

Thanks and Regards,

Rohit Raj

 

 

 

Regards,
Rohit Raj
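
A rehearsal of the OpenSSL steps above in a scratch directory, as an added example that is not part of the original post: it signs a stand-in CSR and uses `openssl verify` to confirm that vmanage.crt chains to ROOTCA.pem and to no other root. The function names, OTHERCA, demo.key and the stand-in CSR subject are assumptions made for the example; on a real controller the CSR is the vmanage_csr file produced by Generate CSR.

```shell
#!/bin/sh
# Added example: rehearse the thread's signing steps in a scratch directory.
# Assumptions: OTHERCA, demo.key and the stand-in CSR are constructed here;
# on a real controller the CSR comes from "Generate CSR" in the web interface.

make_root() {   # $1 = basename, $2 = subject; writes $1.key and $1.pem
    openssl genrsa -out "$1.key" 2048 2>/dev/null &&
    openssl req -x509 -new -nodes -key "$1.key" -sha256 -days 2000 \
        -subj "$2" -out "$1.pem"
}

sign_csr() {    # $1 = CSR file, $2 = root basename, $3 = output certificate
    openssl x509 -req -in "$1" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -out "$3" -days 2000 -sha256 2>/dev/null
}

chains_to() {   # $1 = root certificate, $2 = signed certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

rehearse() {    # returns 0 only if the chain checks behave as expected
    work=$(mktemp -d) || return 1
    (
        cd "$work" &&
        make_root ROOTCA "/C=AU/ST=NSW/L=NSW/O=sdwan-testlab/CN=vmanage.lab" &&
        make_root OTHERCA "/C=AU/O=constructed-example/CN=other.lab" &&
        openssl req -new -newkey rsa:2048 -nodes -keyout demo.key \
            -subj "/C=AU/O=sdwan-testlab/CN=vmanage-demo" \
            -out vmanage_csr 2>/dev/null &&
        sign_csr vmanage_csr ROOTCA vmanage.crt &&
        # Must verify against the root that was imported into vManage...
        chains_to ROOTCA.pem vmanage.crt &&
        # ...and must fail against any other root.
        ! chains_to OTHERCA.pem vmanage.crt
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}

rehearse && echo "vmanage.crt chains to ROOTCA.pem only"
```

Running the `chains_to` check on the real ROOTCA.pem and vmanage.crt before pasting them into the web interface shows whether the certificate was signed by the same root that is imported as the Enterprise Root Certificate.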

17 Replies


Hi Rohit

 

We can continue the discussion here, since it is specifically related.

 

Here are the lab details and vManage configuration.

Also, I have attached the diagram.

For the certificate I followed the steps as you mentioned, and I also used OpenSSL and XCA, but experienced the same issue.

 

The lab is running on the EVE-NG emulator.

 

system

 host-name vManage
 system-ip 10.255.255.1
 site-id 51
 organization-name "SAM SDWANLAB"
 vbond 1.1.1.3
 
vpn 0
interface eth0
ip address 10.0.0.2/24
ip route 0.0.0.0/0
no shut
 
vpn 512
interface eth1
ip address 192.168.66.2/24
no shut
 
Domain controller/DNS/Cloud 512 is connected to VPN 512 Cloud

There must be something you are missing. I want to know what you are following for the certificate; also, I can see the vBond IP address is wrong. If you want, I can help you remotely if you can share the screen, and will resolve the problem for you.

 

Regards,
Rohit Raj

I am simulating controllers behind NAT, therefore I have added the public IP of vBond.

Please let me know whenever you are available so I can PM you the remote session details.

I am available now.

 

Regards,
Rohit Raj

Hi

I was able to successfully install the certificate with excellent support from Rohit Raj.

He was very helpful on a remote session.

 

Thanks Rohit Raj. I highly appreciate your time and efforts.

Hi

I have the same issue.

When I install the certificate on vManage I get the following message:

fail to retrieve device data

failed to find device with uuid null

I tried to do the same as you have described above.

 

Any advice will be appreciated.

 

Thank you

 

There must be something you are missing. I want to know what you are following for the certificate; also, I can see the vBond IP address is wrong. If you want, I can help you remotely if you can share the screen, and will resolve the problem for you.

 

Regards,
Rohit Raj

Let me know when we can connect. Ping me.

 

Regards,
Rohit Raj

For the case "failed to find device with uuid null":

In the Administration menu, select Controller Certificate Authorization and then select Enterprise Root Certificate. Check Set CSR Properties and in the Domain Name box write: viptela.com. Then save it.

Then go to the Configuration menu and click on Certificates. On the next page click on the Controllers tab. After this, for every controller, Generate CSR and generate the certificate with a CA-SERVER.

Now you can make your Install Certificate request for the controllers.

Be quick and careful!

Thanks a lot. This was so helpful. Cheers

Thanks!!! It was very helpful!

Hello, hope my message finds you in good health. Currently I am deploying an SD-WAN setup. I installed vManage, vBond and vSmart and configured their system settings, which are listed below.
 
hostname ---
Organization name ----
site id -----
system IP ----
ntp server ---- prefer vpn 0
clock time zone ----



After that I created my own root CA, signed the CSRs to generate certs, and installed these certs on the controllers. Furthermore, I sent them to vBond. All worked fine until this point, but when I made the tunnel interface on vManage and vBond, control connections did not show up because I got "token inalid" and "certificate-validity     Not Valid - unable to get local issuer certificate". Please help me out, thanks.

What should I do if I get the error below when trying to generate a CSR for vManage, vBond and vSmart?

 

failed to process device request - error type application error tag operation-failed error info
