Solved: Cisco WLC 2500 Certificate Expiration Workaround - Page 2

aaron-rousch · ‎10-31-2024

Good Day.

I have a Cisco 2500 Series Wireless Controller and i have come across the issue in the Field Notice: FN63942

Following the instructions Situation: The WLC runs fixed software, but some APs cannot join.

Enter the config ap cert-expiry-ignore {mic|ssc} enable command.
If any of the APs that cannot join have not downloaded the fixed software
1. Disable NTP.
2. Set the clock back to a time before the WLC certificate expired (might keep newer APs from joining).
3. Have all APs join the WLC, download new software, and rejoin.
4. Set the clock to the correct time and re-enable NTP.

i have followed the steps as instructed and i have an Air-CAP3702P-A-K9 that still refuses to join. I get the same error

"%PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 6732C08E0000001FA741) has expired. Validity period ended on 04:53:04 UTC Oct 30 2024Peer certificate verification failed 001A"

I can confirm that the Certificate The certificate (SN: 6732C08E0000001FA741) is on the WLC and not the AP

I an unable to download any software from Cisco due to not having a Service License

Is there a step i missed?

Any help would be appreciated.

Thank you for your time.

PS: if this is not the correct place to put this question. Please let me know and i will remove this post and re-ask the question in the appropriate place.

aaron-rousch · ‎11-11-2024

Good Day Rich. I tried to email TAC as you suggested, but it seems that TAC email is no longer available

the email states

"

Thank you for contacting Cisco Technical Assistance Center (TAC) Support.

Please be advised that the email alias tac@cisco.com is no longer monitored, as we have transitioned to a more streamlined support system to enhance our service quality and response time.

To open a new case or manage an existing case with Cisco TAC, go to Support Case Manager (SCM):

To begin, login to Support Case Manager: (https://mycase.cloudapps.cisco.com/case)
If you need guidance on creating your case, you may refer to the SCM Case Creation Guide (https://www.cisco.com/c/en/us/support/docs/cx/cx-cloud/cx220971-support-case-management-case-creation-gu.html)"

i tried to open a TAC support case but the AP and WLC has reached end of life and it will not allow me to create a case.

Rich R · ‎11-11-2024

Ah then I guess you'll have to do it over the phone - they don't make things easier!

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390