Solved: Re: PKI Config push Failed when provisioning WLC from DNAC

JustTakeTheFirstStep · ‎03-03-2025

PKI Config push Failed when provisioning WLC from DNAC

WLC#ter mo
Mar  4 01:31:42.745: %PKI-3-PKCS12_IMPORT_FAILURE: PKCS #12 import failed for trustpoint: sdn-network-infra-wan. Reason: Failed to read PKCS12 from url: https://20.20.20.20/api/v1/trust-point/pkcs12/c8fbfbbc-4167-4b1e-9db7-2cc6f7121654/s301auh4v3aiiv8n9l6ocbll0i
Mar  4 01:31:42.748: %PKI-6-TRUSTPOINT_DELETE: Trustpoint: sdn-network-infra-iwan deleted succesfully

The status of netconf is no problem.

WLC#show netconf-yang status
netconf-yang: enabled
netconf-yang candidate-datastore: disabled
netconf-yang side-effect-sync: enabled
netconf-yang ssh port: 830

DNAC$ ssh -l admin 10.10.10.10 -p 830
FIPS mode initialized
admin@10.10.10.10's password: 
<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>

Does anyone know of a workaround?

Andrii Oliinyk · ‎03-03-2025

i'd say w/a would be upload certificate from WLC UI instead of DNAC.
but in your output there is one concerning thing:

https://20.20.20.20/api/v1/trust-point/pkcs12/c8fbfbbc-4167-4b1e-9db7-2cc6f7121654/s301auh4v3aiiv8n9l6ocbll0i

is it possible that HTTPS from WLC to that URL simply fails?

View solution in original post

Andrii Oliinyk · ‎03-03-2025

i'd say w/a would be upload certificate from WLC UI instead of DNAC.
but in your output there is one concerning thing:

https://20.20.20.20/api/v1/trust-point/pkcs12/c8fbfbbc-4167-4b1e-9db7-2cc6f7121654/s301auh4v3aiiv8n9l6ocbll0i

is it possible that HTTPS from WLC to that URL simply fails?

JustTakeTheFirstStep · ‎03-06-2025

Fusion#telnet 20.20.20.20 443                 
Trying 20.20.20.20, 443 ... 
% Destination unreachable; gateway or host down

The port was being denied by the firewall.
After permitting the port on the firewall, everything is fine.
Thanks for your help.