09-19-2023 03:00 PM
Hi,
We have been receiving this error on our C9800-CL controller for some time now and not sure what it requires.
%PKI-2-CERT_RENEW_FAIL: Certificate renewal failed for trustpoint sdn-network-infra-iwan Reason : Failed to get ID certificate from CA server
Does anyone know what this might be related to? Currently our infrastructure and controller do not have any issues, and this controller is managed by DNA Center.
Sajid
09-19-2023 11:52 PM
- Not sure if the feature is supported on the 9800 controller; in that context, start with a checkup of the controller configuration with the CLI command show tech wireless and feed the output into: https://cway.cisco.com/wireless-config-analyzer/
Some of these commands may provide insights :
show crypto pki certificates
show crypto pki timers
show crypto pki server
In the running-config, you can also enable: debug pki transaction and check the logs.
Also check the current software version; compare to: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214749-tac-recommended-ios-xe-builds-for-wirele.html
M.
09-27-2023 09:12 AM
Same issue but our 9800-L is not managed by DNA
05-15-2024 02:32 AM
Just got the same alert on same setup, did you find the solution maybe?
05-15-2024 06:40 AM
What is the DNA Center / Catalyst Center version?
Can you run the following command on WLC:
show telemetry internal connection
I see a couple of bugs listed with the exact same issue:
Jagan Chowdam
/**Pls rate useful responses**/
05-15-2024 07:26 AM
DNA version is 2.3.5.5-70026, WLC is 17.9.4.
This command doesn't exist on my WLC:
show telemetry internal connection
I did run
show telemetry connection all
found an Index name and with:
show telemetry internal connection 1795 detail
I got this:
Telemetry protocol manager stats:
Con str : <DNA IP>:25103:0:<WLC IP>
Sockfd : 114
Protocol : tls-native
State : CNDP_STATE_CONNECTED
Table id : 0
Profile : sdn-network-infra-iwan
Version : TLSv1.2
Wait Mask :
Connection Retries : 0
Send Retries : 28
Pending events : 0
Session requests : 1
Session replies : 1
Source ip : <WLC IP>
Bytes Sent : 127922718617
Msgs Sent : 30681689
Msgs Received : 0
Creation time: : Tue May 7 21:31:49:64
Last connected time: : Tue May 7 21:31:49:251
Last disconnect time: :
Last error: :
Connection flaps: : 0
Last flap Reason: :
Keep Alive Timeouts: : 0
Last Transport Error : No Error
05-15-2024 09:34 AM
The state is CNDP_STATE_CONNECTED, indicating that the connection was successfully established.
Check the status with the following commands
show crypto pki certificates verbose sdn-network-infra-iwan
show crypto pki trustpoint sdn-network-infra-iwan status
05-16-2024 02:53 AM
Hi @jagan.chowdam ,
this is my output of those commands, not sure what to think of it:
wlc-a#show crypto pki certificates verbose sdn-network-infra-iwan
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 56F2F3AD75229045
Certificate Usage: General Purpose
Issuer:
cn=sdn-network-infra-ca
Subject:
Name: wlc-a.eu-central-1.compute.internal
cn=C9800-CL-K9_9B1KVTSUSVQ_sdn-network-infra-iwan
hostname=wlc-a.eu-central-1.compute.internal
Validity Date:
start date: 10:24:16 UTC Jul 26 2023
end date: 10:24:16 UTC Jul 25 2024
renew date: 10:25:08 UTC May 16 2024
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA512 with RSA Encryption
Fingerprint MD5: EEBAE572 56F4D25C 0C73F2CB 7173D8A2
Fingerprint SHA1: 8594A177 49F0A75A 91727A16 3A811CB4 76C728E7
X509v3 extensions:
X509v3 Key Usage: E0000000
Digital Signature
Non Repudiation
Key Encipherment
X509v3 Subject Key ID: 85A02533 93720D11 A90E2DF2 6318C367 AEC0C990
X509v3 Basic Constraints:
CA: FALSE
X509v3 Authority Key ID: 88123ACC 7E0D37EB 38270C55 E1D3FD60 865322DF
Authority Info Access:
Extended Key Usage:
Email Protection
Client Auth
Cert install time: 14:38:23 UTC Nov 19 2023
Associated Trustpoints: sdn-network-infra-iwan
Storage: nvram:sdn-network-#9045.cer
Key Label: sdn-network-infra-iwan
Key storage device: private config
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 2B736CDA315062D2
Certificate Usage: Signature
Issuer:
cn=sdn-network-infra-ca
Subject:
cn=sdn-network-infra-ca
Validity Date:
start date: 13:33:20 UTC Jun 8 2022
end date: 13:33:20 UTC Jun 8 2037
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA512 with RSA Encryption
Fingerprint MD5: 30955623 ACFA56E3 725AE71A 01643551
Fingerprint SHA1: DC7569CF 2070926E 7293898D 0236AF85 B9161AEB
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 88123ACC 7E0D37EB 38270C55 E1D3FD60 865322DF
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: 88123ACC 7E0D37EB 38270C55 E1D3FD60 865322DF
Authority Info Access:
Cert install time: 14:38:23 UTC Nov 19 2023
Associated Trustpoints: sdn-network-infra-iwan
Storage: nvram:sdn-network-#62D2CA.cer
wlc-a#show crypto pki trustpoint sdn-network-infra-iwan status
Trustpoint sdn-network-infra-iwan:
Issuing CA certificate configured:
Subject Name:
cn=sdn-network-infra-ca
Fingerprint MD5: 30955623 ACFA56E3 725AE71A 01643551
Fingerprint SHA1: DC7569CF 2070926E 7293898D 0236AF85 B9161AEB
Router General Purpose certificate configured:
Subject Name:
cn=C9800-CL-K9_9B1KVTSUSVQ_sdn-network-infra-iwan,hostname=wlc-a.eu-central-1.compute.internal
Fingerprint MD5: EEBAE572 56F4D25C 0C73F2CB 7173D8A2
Fingerprint SHA1: 8594A177 49F0A75A 91727A16 3A811CB4 76C728E7
Last enrollment status: Failed
Next enrollment attempt:
10:25:08 UTC May 16 2024
* A new key will be generated *
* Configuration will not be saved after enrollment *
State:
Keys generated ............. Yes (General Purpose, non-exportable)
Issuing CA authenticated ....... Yes
Certificate request(s) ..... Yes
Any ideas are welcome
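To turn the outputs pasted above into something a monitoring job can act on, here is an added example (not from this thread or from Cisco) that parses the %PKI-2-CERT_RENEW_FAIL syslog line, the "show crypto pki certificates verbose" output and the "show crypto pki trustpoint ... status" output, and reports whether the ID certificate is inside its renew window, how many days remain before it expires, and whether the last enrollment attempt failed. The sample inputs are constructed from the fields shown in this thread (trimmed), and REFERENCE_NOW is an assumed clock value for the worked run; the date format assumes the WLC logs timestamps in UTC as the outputs above do.

```python
import re
from datetime import datetime, timezone

# Constructed sample input, modelled on the outputs pasted earlier in this
# thread and trimmed to the fields the checks below read.
SAMPLE_SYSLOG = (
    "%PKI-2-CERT_RENEW_FAIL: Certificate renewal failed for trustpoint "
    "sdn-network-infra-iwan Reason : Failed to get ID certificate from CA server"
)

SAMPLE_CERTS = """\
Certificate
  Status: Available
  Certificate Serial Number (hex): 56F2F3AD75229045
  Issuer:
    cn=sdn-network-infra-ca
  Validity Date:
    start date: 10:24:16 UTC Jul 26 2023
    end date: 10:24:16 UTC Jul 25 2024
    renew date: 10:25:08 UTC May 16 2024
  Associated Trustpoints: sdn-network-infra-iwan
CA Certificate
  Status: Available
  Validity Date:
    start date: 13:33:20 UTC Jun 8 2022
    end date: 13:33:20 UTC Jun 8 2037
  Associated Trustpoints: sdn-network-infra-iwan
"""

SAMPLE_STATUS = """\
Trustpoint sdn-network-infra-iwan:
  Router General Purpose certificate configured:
  Last enrollment status: Failed
  Next enrollment attempt:
    10:25:08 UTC May 16 2024
"""

# Assumed "now" for the worked run: the day of the post above (constructed).
REFERENCE_NOW = datetime(2024, 5, 16, 12, 0, 0, tzinfo=timezone.utc)

IOS_DATE_FMT = "%H:%M:%S UTC %b %d %Y"
SYSLOG_RE = re.compile(
    r"%PKI-2-CERT_RENEW_FAIL: .*?trustpoint (?P<trustpoint>\S+) Reason : (?P<reason>.+)$"
)


def parse_ios_date(text):
    """Parse an IOS-XE timestamp such as '10:24:16 UTC Jul 26 2023' (UTC assumed)."""
    return datetime.strptime(text.strip(), IOS_DATE_FMT).replace(tzinfo=timezone.utc)


def parse_renew_fail_syslog(line):
    """Return (trustpoint, reason) from a %PKI-2-CERT_RENEW_FAIL line, or None."""
    m = SYSLOG_RE.search(line)
    return (m.group("trustpoint"), m.group("reason")) if m else None


def parse_certificates(output):
    """Split 'show crypto pki certificates verbose' output into one dict per certificate."""
    certs, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line in ("Certificate", "CA Certificate"):
            current = {"kind": line}
            certs.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"(start|end|renew)\s+date:\s*(.+)", line)
        if m:
            current[m.group(1)] = parse_ios_date(m.group(2))
            continue
        m = re.match(r"(Status|Associated Trustpoints):\s*(\S+)", line)
        if m:
            current[m.group(1).lower().replace(" ", "_")] = m.group(2)
    return certs


def parse_trustpoint_status(output):
    """Pull the enrollment result and next attempt time from 'show crypto pki trustpoint ... status'."""
    m = re.search(r"Last enrollment status:\s*(\S+)", output)
    result = {"last_enrollment": m.group(1) if m else None, "next_attempt": None}
    m = re.search(r"Next enrollment attempt:\s*(\d\d:\d\d:\d\d UTC [^\n]+)", output)
    if m:
        result["next_attempt"] = parse_ios_date(m.group(1))
    return result


def assess_trustpoint(cert_output, status_output, now, warn_days=30):
    """Combine both outputs into findings for the trustpoint's ID (non-CA) certificate."""
    certs = parse_certificates(cert_output)
    id_cert = next(c for c in certs if c["kind"] == "Certificate")
    tp = parse_trustpoint_status(status_output)
    days_left = (id_cert["end"] - now).days
    findings = []
    if tp["last_enrollment"] == "Failed":
        findings.append("RENEWAL_FAILED")
    if "renew" in id_cert and now >= id_cert["renew"]:
        findings.append("IN_RENEW_WINDOW")
    if days_left < 0:
        findings.append("EXPIRED")
    elif days_left <= warn_days:
        findings.append("EXPIRES_SOON")
    return {"trustpoint": id_cert.get("associated_trustpoints"), "days_left": days_left,
            "next_attempt": tp["next_attempt"], "findings": findings}


def demo():
    """Run the check over the constructed samples at REFERENCE_NOW."""
    return assess_trustpoint(SAMPLE_CERTS, SAMPLE_STATUS, REFERENCE_NOW)


if __name__ == "__main__":
    print(parse_renew_fail_syslog(SAMPLE_SYSLOG))
    print(demo())
```

On the sample above the check reports RENEWAL_FAILED and IN_RENEW_WINDOW with 69 days of validity left, which is the situation the thread describes: the telemetry session is still up on the old certificate, but the device is already past its renew date and every retry against the CA is failing, so the useful alert is on the failed enrollment rather than on expiry.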
05-20-2024 05:50 AM
Did your issue get solved? I am facing the same problem now. Can you provide the remediation if the issue got solved?
05-20-2024 05:56 AM
Hi @jaheshkhan ,
I needed to select the WLC from the Inventory page in DNAC and update the telemetry settings using the force config push option. It seems this issue occurs after a DNAC update.
05-20-2024 07:16 AM
In my case the status is active and the connection is up, but the last fingerprint is showing as failed, similar to you. So can I try your steps then?
05-20-2024 07:25 AM
Sounds pretty similar to outputs that I pasted above. I don't work at TAC but I believe you can
07-23-2024 02:56 AM
I am facing the same issues. Is the solution you found interfering with the Wi-Fi experience of the users, or can this be done "hitless"?
Thanks in advance.
07-23-2024 03:49 AM
For me it wasn't interfering with anything on the Wi-Fi side.