Solved: GUI connectivity issue in WLC 8540 Firefox REUSED ISSUER

ajc · ‎10-22-2020

Hi all, trying to access WLC 8540 appliance using Firefox and getting the following error. I have not seen this before when I was managing my 8510/5508.

Secure Connection Failed

An error occurred during a connection to 172.23.110.20. You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

I found the following articles but they did not help much

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn11726/?rfs=iqvred

https://community.cisco.com/t5/wireless-and-mobility/communication-issues-and-gui-display-problems-in-2504-wlc-on-8-3/td-p/2970800

https://support.mozilla.org/en-US/questions/1055526

It obviously work on IE and Chrome but the problem with those browsers is that saving changes from GUI, running filters or refreshing the page is annoying and sometimes gives me timeout so I have to log out/log in back.

Any suggestion?

thanks

Nicolas Poirier · ‎10-22-2020

You can try to go to Firefox Certificate Manager (Options > Privacy & Security > View Certificates all the way down the page).
Then, in the Servers tabs, find the certificate with the same IP Address or DNS name than you WLC 8540, select it and click Delete).
It can happen if the device has been replaced by another but keeps the same IP Address, or if the Web-admin certificate has been regenerated.

View solution in original post

Nicolas Poirier · ‎10-22-2020

You can try to go to Firefox Certificate Manager (Options > Privacy & Security > View Certificates all the way down the page).
Then, in the Servers tabs, find the certificate with the same IP Address or DNS name than you WLC 8540, select it and click Delete).
It can happen if the device has been replaced by another but keeps the same IP Address, or if the Web-admin certificate has been regenerated.

ajc · ‎10-22-2020

Thanks for the reply.

I have planned the regenerate option because all the previous troubleshooting steps did not work. I was trying to avoid that because it requires a reboot and maintenance window which takes time. If this also does not work, IE and Chrome is the only way to go without manipulating the Firefox internal security settings.

If anyone has experienced the same issue on WLC version 8.10, please let me know because looks like for the WLC (catalyst) 9800 there is bug/fix solution in place.

Scott Fella · ‎10-22-2020

Can you post a screenshot or the issue?

-Scott
*** Please rate helpful posts ***

Grendizer · ‎10-22-2020

the solution provided by nicolas2.poirier is the correct one and i saw the same thing many times and solved it by using the same above method.

ajc · ‎10-22-2020

Deleting the servers from the Firefox browser --- options --- security and switching WLC's did not work since the beginning as I knew about this approach. This is a fresh install out of the box 8540 WLC's so the regenerate HTTPS certificates was never done

At the end, I deleted all the servers entries again, regenerated the WLC HTTPS certificate, reboot the WLC and the error is gone. thanks everyone for advice.

Ethan Grinnell · ‎03-15-2021

I just had this myself (AireOS 8.5.x). It turned out to be an issue with the Firefox certificate database. I didn't have a certificate for this WLC according to the browser preferences UI that Nicolas mentioned, but I still got the warning "SEC_ERROR_REUSED_ISSUER_AND_SERIAL" and couldn't proceed. I found that the Firefox configuration file C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<yours>.default-esr\cert9.db (SQL Lite database) did actually have an entry for this certificate, even though it wasn't shown in the UI. The file probably got corrupted or something else along those lines. Anyway, deleting the file and restarting Firefox fixed the issue. You could also delete the whole profile, but you may not want to do that.

richardfu · ‎11-16-2021

I got the similar error when access Cisco Callmanager via Firefox, and did works by deleting the cert9.db under below link, then restarted the Firefox:

C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\hnxv9dm0.default

An error occurred during a connection to x.x.x.x You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

Thanks,

OLA BONNEVIER · ‎01-12-2021

i'm afraid i have to disagree.

this exact same behavior is also present in many many releases of prime infrastructure.

https://support.mozilla.org/en-US/kb/Certificate-contains-the-same-serial-number-as-another-certificate

doesn't resolve this issue.

when you have several primes, in a hosting environment or when working with many different customers, having the same name on a prime is sometimes common.

having every single instance of prime, virtual or physical, everyone generating the same serial number (12, not even a hexadecimal random sequence), when generating a new self signed certificate (ncs key genkey –newdn), the serial number is of course once again 12.

the only valid work around at the moment seems to be generating a csr to an authority according to:

https://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-9/admin/bk_CiscoPrimeInfrastructure_3_9_AdminGuide/bk_CiscoPrimeInfrastructure_3_8_AdminGuide_chapter_011.html?bookSearch=true#task_1112683