IE-4010-16S12P https login not working

grapevine
Level 1

I have a Cisco IE-4010-16S12P running on IE4010-UNIVERSALK9-M (15.2(8)E5). I am able to log in using HTTP but not using HTTPS.

Please see configuration on switch below:

SW02# sh run | i http
ip http server
ip http authentication local
ip http secure-server
ip http tls-version TLSv1.2

I see ERR_CONNECTION_CLOSED in the browser. I ran Wireshark and I see there are client hellos but no server hellos.

Telnet on port 443 works. Please let me know if this is a self-signed certificate issue, and please suggest the steps to fix this.

Thanks in advance

 

13 Replies

Mark Elsen
Hall of Fame

 

    1) Check the logs on the switch when that happens (with the CLI).

    2) Check the output from:
       show ip http server all
       show ip http server secure status

 M



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)

Mark Elsen
Hall of Fame

 

 - Also look into https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst_microswitches/software/releases/15_2_8_e/configuration_guide/security/b_1528e_security_cms_cg/configuring_secure_socket_layer_http.html

 M.




grapevine
Level 1

SW02#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: aes-128-cbc-sha aes-256-cbc-sha
dhe-aes-128-cbc-sha edche-rsa-aes-256-cbc-sha rsa-aes-cbc-sha2
rsa-aes-gcm-sha2 dhe-aes-cbc-sha2 dhe-aes-gcm-sha2
ecdhe-rsa-aes-cbc-sha2 ecdhe-rsa-aes-gcm-sha2
HTTP secure server TLS version: TLSv1.2
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL

 

I don't see any logs related to this on the switch.

 

 - For logs, enable debugging-level logging and check again.
 - Execute: % nmap --script ssl-enum-ciphers -p 443 switch-hostname
 - Have you executed all steps from https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst_microswitches/software/releases/15_2_8_e/configuration_guide/security/b_1528e_security_cms_cg/configuring_secure_socket_layer_http.html ?
   Initially it looked like no certificate has been created, for instance.

  M.




Not surprising that there are no logs, based on this output: "HTTP secure server client authentication: Disabled". If server client authentication is disabled then there is no access, and no log message.

HTH

Rick

Another one on the same network, where HTTPS works, shows HTTP secure server client authentication: Disabled

It is very interesting that on one where HTTPS does work it still says Disabled. So the message seems to mean something different from what we thought it was.

Could you post the configuration of the problem switch and the configuration of a working switch?

HTH

Rick

This is optional, not mandatory, for HTTPS.

SE can ask for the cert of the PC for more security.

It is OK for it to be disabled.

MHM

Change the browser 

MHM

grapevine
Level 1

On a non working switch I found this:

Trustpoint TP-self-signed-858866176:
Issuing CA certificate configured:
Subject Name:
cn=IOS-Self-Signed-Certificate-2427818368
Fingerprint MD5: 56C56EE2 4F68BCA9 65F5510E CDE9EC34
Fingerprint SHA1: BC7BDE9C 604EE53F DA393377 40DE6BA3 8616EFC5
Router Not Set certificate configured:
Subject Name:
cn=IOS-Self-Signed-Certificate-2427818368
Fingerprint MD5: 56C56EE2 4F68BCA9 65F5510E CDE9EC34
Fingerprint SHA1: BC7BDE9C 604EE53F DA393377 40DE6BA3 8616EFC5
State:
Keys generated ............. No
Issuing CA authenticated ....... Yes
Certificate request(s) ..... Yes

--------------------------------------------------------------------------------

On a working switch I found this:


Trustpoint TP-self-signed-858866176:
Issuing CA certificate configured:
Subject Name:
cn=IOS-Self-Signed-Certificate-858866176
Fingerprint MD5: 857D7CA5 2486F18A 415D7104 60A6561B
Fingerprint SHA1: 8D943EDF 3D06A66A 9B5C8A5E 0BD1A707 55AF6A21
Router General Purpose certificate configured:
Subject Name:
cn=IOS-Self-Signed-Certificate-858866176
Fingerprint MD5: 857D7CA5 2486F18A 415D7104 60A6561B
Fingerprint SHA1: 8D943EDF 3D06A66A 9B5C8A5E 0BD1A707 55AF6A21
State:
Keys generated ............. Yes (General Purpose, non-exportable)
Issuing CA authenticated ....... Yes
Certificate request(s) ..... Yes

 

Could you please advise me on the next steps to fix this?

grapevine
Level 1

I just fixed the issue. The issue was that the RSA key wasn't mapped to the trustpoint on the switch where HTTPS was not working. I just mapped it and HTTPS is working now.

Thanks for the update. Glad to know that you have found the solution to your own problem.

HTH

Rick

grapevine
Level 1

Configuration changes made on switch:

crypto pki trustpoint TP-self-signed-858866176
rsakeypair TP-self-signed-2427818368
exit
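
A check for the condition this thread ended on, as an added example that is not part of any post: it parses trustpoint status output in the format posted above (that of `show crypto pki trustpoints status`) and flags a trustpoint with no key pair. The function name and the name-mismatch hint are assumptions made for this example; the sample text is trimmed from the two outputs in the thread.

```python
import re

# Trimmed copies of the two trustpoint status outputs posted in the thread
# (fingerprint and repeated lines omitted).
BROKEN = """Trustpoint TP-self-signed-858866176:
cn=IOS-Self-Signed-Certificate-2427818368
Router Not Set certificate configured:
Keys generated ............. No
"""
WORKING = """Trustpoint TP-self-signed-858866176:
cn=IOS-Self-Signed-Certificate-858866176
Router General Purpose certificate configured:
Keys generated ............. Yes (General Purpose, non-exportable)
"""

def audit_trustpoints(status_text):
    """Return {trustpoint name: [findings]} for each trustpoint in the output."""
    results, name = {}, None
    for line in status_text.splitlines():
        line = line.strip()
        m = re.match(r"Trustpoint (\S+):$", line)
        if m:
            name = m.group(1)
            results[name] = []
            continue
        if name is None:
            continue  # text before the first "Trustpoint" header
        m = re.match(r"Keys generated\s*\.+\s*(Yes|No)\b", line)
        if m and m.group(1) == "No":
            results[name].append("no key pair associated (check rsakeypair under the trustpoint)")
        # Heuristic (assumption): compare the numeric id in the certificate CN
        # with the id in the trustpoint name, as seen in the non-working output.
        m = re.match(r"cn=IOS-Self-Signed-Certificate-(\d+)$", line)
        tp = re.match(r"TP-self-signed-(\d+)$", name)
        if m and tp and m.group(1) != tp.group(1):
            hint = f"hint: certificate id {m.group(1)} differs from trustpoint id {tp.group(1)}"
            if hint not in results[name]:
                results[name].append(hint)
    return results

if __name__ == "__main__":
    for label, text in (("non-working", BROKEN), ("working", WORKING)):
        for tp_name, findings in audit_trustpoints(text).items():
            print(label, tp_name, findings or "OK")
```

The mismatch hint is informational only: in the thread the certificate id on the non-working switch (2427818368) is the same id as the key pair name that was mapped in the fix.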