
Webauth and Webadmin certificates fail to install on a WLC 5520

ashmead123
Level 1

Hi

 

I have two certificates (Webauth and Webadmin), created using the WLC's CSR. Both fail to install. Both will TFTP onto the WLC fine using the Upload command on the GUI but fail to install.

The logs show: %UPDATE-3-CERT_INST_FAIL: updcode.c:1276 Failed to install Webauth certificate. rc = 1

The certificates were created by different authorities (internal CA and Digicert)

Both are .crt format. I have tried converting to PEM, this ends up as .cer format.

The common names (CN) are the hostname of the WLC

The WLC is in an SSO HA pair and running 8.3.133.0

 

Any pointers much appreciated

 

 


I’m not understanding what is wrong? Web admin and web Auth certainly are uploaded to the controller in two different locations. The cert is uploaded so it seems to be fine; my question would be, is there a DNS entry defined and is it pointing to the right IP? Webauth points to the VIP so your FQDN needs to resolve to the VIP. The management IP resolves to the FQDN you specified on the cert. I have only used OpenSSL to generate certificates, never on the controller. Also make sure you flush out your browser DNS entries after uploading the cert.
-Scott
*** Please rate helpful posts ***

Gah! A quick "debug pm pki enable" made me notice one error.

transfer download datatype webauthcert
changed to ...
transfer download datatype webadmincert

I was downloading my webadmin signed certificate to the webauth location. Strange that it accepted that, as the CSR was generated for webadmin via the CLI.

Well it’s a cert and you can use it on either. The cert is not valid unless it can be resolved.
-Scott
*** Please rate helpful posts ***

If I only understood how the WLC matches private keys with certificates, then I'd agree. The WLC CLI interface specifically asks for "webadmin" and "webauth" certificates implying that different certificates are needed for each, with private keys stored in different places.

On a slightly unrelated (probably) note, how do I undo this command:

(Cisco Controller) >config certificate use-device-certificate webadmin

There is no "enable" or "disable" here and I can't find any documentation online about what this actually does. I am guessing it forces use of a builtin Cisco manufacturer certificate and would be undone when I install my own 3rd party certificate or generate a self-signed local cert? Total guess however as the Cisco Wireless Controller Configuration Guide, Release 8.5 (b_cg85.pdf) doesn't tell me anything. Sniff.

You need to go on the GUI and generate a self-signed. Once you generate a self-signed or upload a new cert, the WLC doesn’t keep any other cert for that purpose.
-Scott
*** Please rate helpful posts ***
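The thread turns on a signed certificate being downloaded to the wrong slot (webauth instead of webadmin). The following is an added example, not part of any post above and not Cisco tooling: it checks off-box, with OpenSSL, which CSR a signed certificate was issued for by comparing public keys. It assumes the CSR text shown by the controller was saved to a PEM file; the file names and the sample key pairs are constructed for the demonstration, and how the WLC itself pairs keys and certificates is not described in the thread.

```shell
#!/usr/bin/env bash
# Added example: does a signed certificate belong to a given CSR?
# Compares SHA-256 digests of the public keys. All file names are hypothetical.

# Print the SHA-256 digest of the public key inside a PEM CSR ("req") or a
# PEM certificate ("x509"). Returns 2 if the file cannot be parsed.
pubkey_digest() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 if the certificate carries the CSR's public key, 1 if not, 2 on error.
cert_matches_csr() {
    cert_fp=$(pubkey_digest x509 "$1") || return 2
    csr_fp=$(pubkey_digest req "$2") || return 2
    [ "$cert_fp" = "$csr_fp" ]
}

# Constructed sample data: a throwaway key, its CSR and a self-signed
# certificate issued from that CSR (stands in for the CA-signed file).
make_constructed_pair() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "/CN=wlc.example.test" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 1 \
        -out "$1/$2.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_constructed_pair "$demo_dir" webadmin
make_constructed_pair "$demo_dir" webauth

# Check the "webadmin" certificate against both CSRs before choosing a slot.
for csr in webadmin webauth; do
    if cert_matches_csr "$demo_dir/webadmin.crt" "$demo_dir/$csr.csr"; then
        echo "webadmin.crt matches $csr.csr"
    else
        echo "webadmin.crt does NOT match $csr.csr"
    fi
done
```

A certificate delivered in DER form is reported as an error (exit status 2) rather than a mismatch, so convert it to PEM before running the comparison.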