03-03-2025 07:52 PM - edited 03-03-2025 07:54 PM
PKI Config push Failed when provisioning WLC from DNAC
WLC#ter mo
Mar 4 01:31:42.745: %PKI-3-PKCS12_IMPORT_FAILURE: PKCS #12 import failed for trustpoint: sdn-network-infra-wan. Reason: Failed to read PKCS12 from url: https://20.20.20.20/api/v1/trust-point/pkcs12/c8fbfbbc-4167-4b1e-9db7-2cc6f7121654/s301auh4v3aiiv8n9l6ocbll0i
Mar 4 01:31:42.748: %PKI-6-TRUSTPOINT_DELETE: Trustpoint: sdn-network-infra-iwan deleted succesfully
The netconf status shows no problem.
WLC#show netconf-yang status
netconf-yang: enabled
netconf-yang candidate-datastore: disabled
netconf-yang side-effect-sync: enabled
netconf-yang ssh port: 830
DNAC$ ssh -l admin 10.10.10.10 -p 830
FIPS mode initialized
admin@10.10.10.10's password:
<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
Does anyone know of a workaround?
03-03-2025 11:35 PM
I'd say the w/a would be to upload the certificate from the WLC UI instead of DNAC.
But in your output there is one concerning thing:
https://20.20.20.20/api/v1/trust-point/pkcs12/c8fbfbbc-4167-4b1e-9db7-2cc6f7121654/s301auh4v3aiiv8n9l6ocbll0i
Is it possible that HTTPS from the WLC to that URL simply fails?
03-06-2025 05:38 AM - edited 03-06-2025 05:38 AM
Fusion#telnet 20.20.20.20 443
Trying 20.20.20.20, 443 ...
% Destination unreachable; gateway or host down
The port was being denied by the firewall.
After permitting the port on the firewall, everything is fine.
Thanks for your help.
03-18-2025 02:24 PM
I know this is marked as solved but I wanted to add the solution that worked for me when I ran into this same issue in case some poor engineer ends up in the same boat later on.
The root cause of the failure turned out to be that the URL for the PKCS12 download used the DNAC IP and the 3rd party cert my DNAC uses doesn't contain the IP in the CN or any SAN. Essentially certificate validation was failing when the WLC would go to pull the PKCS12 bundle. Figured this out by grabbing the PKCS12 URL out of syslog messages and fetching it manually from my workstation. That download worked so I knew the PKCS12 bundle itself and the URL to grab it from were usable. The only other thing that made sense was certificate validation failing when the WLC made the HTTPS connection to get the PKCS12 bundle.
Found this post, "How to manually connect a Cisco WLC to Cisco DNA Center for Network Assurance - Cisco Community", and used the steps for getting the PKCS12 bundle via the API. I changed the fetch URL to use my DNAC's hostname (which is the CN in its 3rd party cert) and the WLC was able to import the PKCS12 bundle. Start at step 4 "Retrieve PKCS12 Certificate from Cisco DNA Center then install on WLC".
For reference (with example data, assuming the CN in the 3rd party cert is "mydnacserver.domain"):
Original URL for PKCS12 download: https://192.0.2.1/api/v1/trust-point/pkcs12/a54ad8c4-4e62-471f-9ec9-fbe4fbf80b6e/kk9hqa4h1gfm06ggjmng7vj9eq
Changed URL: https://mydnacserver.domain/api/v1/trust-point/pkcs12/a54ad8c4-4e62-471f-9ec9-fbe4fbf80b6e/kk9hqa4h1gfm06ggjmng7vj9eq
Good luck.
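As an added example, not code from any post in this thread: the two failures described above (tcp/443 blocked by a firewall, and a URL host that is not in the DNAC certificate's CN/SAN) can be reproduced from a workstation before the WLC is re-provisioned. The hostnames, IPs and certificate contents are constructed, `tcp_reachable` and `fix_url` are hypothetical helper names, and the name check does exact matching only (no wildcard SANs).

```python
import ipaddress
import socket
from urllib.parse import urlparse

def host_matches_cert(host, cert):
    """True if `host` (DNS name or IP literal, as written in the URL) is covered
    by the certificate's SAN list or, when it carries no DNS SANs, its subject CN.
    `cert` uses the dict layout returned by ssl.SSLSocket.getpeercert()."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:  # an IP in the URL is only satisfied by an "IP Address" SAN
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    host = host.lower()
    if any(k == "DNS" and v.lower() == host for k, v in sans):
        return True
    if any(k == "DNS" for k, _ in sans):  # DNS SANs present: the CN is not consulted
        return False
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(v.lower() == host for v in cns)

def tcp_reachable(host, port, timeout=5):
    """Same check as 'telnet 20.20.20.20 443' in the accepted answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose_pkcs12_url(url, cert, reachable=tcp_reachable):
    """Classify a PKCS12 URL copied from the %PKI-3-PKCS12_IMPORT_FAILURE syslog.
    `cert` is the certificate DNAC presents (getpeercert() or openssl s_client
    output, parsed by hand); `reachable` is injectable so this runs offline."""
    u = urlparse(url)
    host, port = u.hostname, u.port or 443
    if not reachable(host, port):
        return "unreachable"      # firewall/routing: open tcp/443 WLC -> DNAC
    if not host_matches_cert(host, cert):
        return "name-mismatch"    # rewrite the URL host to a name in the cert
    return "ok"

def fix_url(url, name):
    """Rewrite the URL host to `name`, as the last post did with its DNAC CN."""
    u = urlparse(url)
    port = f":{u.port}" if u.port else ""
    return u._replace(netloc=name + port).geturl()
```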