03-07-2013 04:39 AM - edited 07-03-2021 11:41 PM
Hello Together
I am currently trying to install a signed 3rd party certificate on my WLC running 7.0.253.3 for guest webauth. I tried various versions including the key but it always fails.
This is the debug output:
(WiSM-slot24-1) >transfer download start
Mode............................................. TFTP
Data Type........................................ Site Cert
TFTP Server IP................................... 152.96.20.12
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 2
TFTP Path........................................ /
TFTP Filename.................................... wlan-guest.domain.com.crt_ohne_chain.pem
This may take some time.
Are you sure you want to start? (y/N) y
*TransferTask: Mar 07 13:22:12.033: Memory overcommit policy restored from 1 to 0
*TransferTask: Mar 07 13:26:54.928: Memory overcommit policy changed from 0 to 1
*emWeb: Mar 07 13:26:55.069: Still waiting! Status = 1
*TransferTask: Mar 07 13:26:55.083: RESULT_STRING: TFTP Webauth cert transfer starting.
TFTP Webauth cert transfer starting.
*TransferTask: Mar 07 13:26:55.084: RESULT_CODE:1
*emWeb: Mar 07 13:26:58.070: Still waiting! Status = 2
*TransferTask: Mar 07 13:26:59.089: Locking tftp semaphore, pHost=152.96.20.12 pFilename=/wlan-guest.domain.com.crt_ohne_chain.pem
*TransferTask: Mar 07 13:26:59.089: Semaphore locked, now unlocking, pHost=152.96.20.12 pFilename=/wlan-guest.domain.com.crt_ohne_chain.pem
*TransferTask: Mar 07 13:26:59.089: Semaphore successfully unlocked, pHost=152.96.20.12 pFilename=/wlan-guest.domain.com.crt_ohne_chain.pem
*TransferTask: Mar 07 13:26:59.091: TFTP: Binding to local=0.0.0.0 remote=152.96.20.12
*TransferTask: Mar 07 13:26:59.104: TFP End: 1900 bytes transferred (0 retransmitted packets)
*TransferTask: Mar 07 13:26:59.106: tftp rc=0, pHost=152.96.20.12 pFilename=/wlan-guest.domain.com.crt_ohne_chain.pem
pLocalFilename=cert.p12
*TransferTask: Mar 07 13:26:59.107: RESULT_STRING: TFTP receive complete... Installing Certificate.
*TransferTask: Mar 07 13:26:59.107: RESULT_CODE:13
TFTP receive complete... Installing Certificate.
*emWeb: Mar 07 13:27:01.070: Still waiting! Status = 2
*TransferTask: Mar 07 13:27:03.107: Adding cert (1884 bytes) with certificate key password.
*TransferTask: Mar 07 13:27:03.112: RESULT_STRING: Error installing certificate.
*TransferTask: Mar 07 13:27:03.112: RESULT_CODE:12
*TransferTask: Mar 07 13:27:03.112: ummounting: <umount /mnt/download/ >/dev/null 2>&1> cwd = /mnt/application
*TransferTask: Mar 07 13:27:03.164: finished umounting
Error installing certificate.
(WiSM-slot24-1) >
Any ideas? I tried it with chaining the root and also without.
Some tests I did, but which did not help:
#openssl pkcs12 -export -in wlan-guest.domain.com.crt.pem -inkey wlan-guest.domain.com.key -out All-certs.p12 -clcerts
#openssl pkcs12 -in All-certs.p12 -out wlan-guest.domain.com.crt_ohne_chain.pem
I have not set a password.
Thanks for help
Patrick
03-07-2013 04:45 AM
I know the frustration... I did a blog post on this very subject. Did you copy and paste the cert chain correctly?
http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html
Sent from Cisco Technical Support iPhone App
03-07-2013 05:09 AM
Thanks for the reply. As far as I can see, yes, I followed this. The only deviation is that I never entered a password. This should work too, right?
03-07-2013 05:31 AM
No.... Password is required. You will have to rerun the last few commands in which you put in a password.
03-07-2013 05:47 AM
I tried it, I hope correctly?
~/Desktop $ openssl pkcs12 -export -in wlan-guest.domain.com.crt_final_chain_komplett.pem -inkey wlan-guest.domain.com.key -out All-certs.p12 -clcerts -passin pass:PASSWORD -passout pass:PASSWORD
~/Desktop $ openssl pkcs12 -in All-certs.p12 -out finalcert.pem -passin pass:PASSWORD -passout pass:PASSWORD
MAC verified OK
~/Desktop
I also set the password on the controller, but it still won't work.
03-07-2013 05:49 AM
Are you using OpenSSL v9.x? V1.0 has some issues.
03-07-2013 05:51 AM
It is 1.0.1. Going to try an older version, stand by
Thanks for the help so far!
03-07-2013 05:58 AM
Yeah... That's why. I still use the v9.8.x of OpenSSL light.
03-07-2013 06:01 AM
And bang, it worked!
Those are the days when I simply dislike Linux...
Anyway, I have now used openssl 0.9.8y instead of 1.0.1 and it worked as it should.
03-07-2013 06:03 AM
Haha... See... Pretty simple :)
03-07-2013 06:07 AM
I already deleted my tests now, but while comparing my tests, the main difference between the two openssl versions was (if I remember correctly) this string here (below the BEGIN line), which was not written in the 1.0.x version:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,309B7173122XXXXX
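
Added example, not part of the original post: a pre-upload check that classifies the private-key block in a PEM bundle by its header lines. The traditional encrypted form carries the `Proc-Type`/`DEK-Info` lines quoted above, while OpenSSL 1.0.x writes the key from `pkcs12` as PKCS#8 (`BEGIN ENCRYPTED PRIVATE KEY`), which has no such lines. The function names `pem_key_format` and `make_sample` are hypothetical, and the sample files are constructed placeholders, not key material.

```shell
#!/bin/sh
# Classify the private-key encoding inside a PEM bundle before sending it
# to the controller. Only header lines are inspected; nothing is decrypted.
pem_key_format() {
    f=$1
    if grep -qF -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo pkcs8-encrypted            # default pkcs12 output of OpenSSL 1.0.x
    elif grep -qF -e '-----BEGIN PRIVATE KEY-----' "$f"; then
        echo pkcs8-unencrypted
    elif grep -qF -e '-----BEGIN RSA PRIVATE KEY-----' "$f"; then
        # Traditional format: encryption is signalled by RFC 1421 style headers.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo traditional-encrypted  # what OpenSSL 0.9.8 produced in the thread
        else
            echo traditional-unencrypted
        fi
    else
        echo no-private-key
    fi
}

# Build a constructed sample bundle. $1 = old|new, $2 = output path.
# The base64 bodies are placeholders and do not decode to real keys.
make_sample() {
    case $1 in
        old) printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
                 'Proc-Type: 4,ENCRYPTED' \
                 'DEK-Info: DES-EDE3-CBC,0000000000000000' '' \
                 'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' ;;
        new) printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
                 'Q09OU1RSVUNURUQ=' '-----END ENCRYPTED PRIVATE KEY-----' ;;
    esac > "$2"
}

tmp=$(mktemp -d)
make_sample old "$tmp/from_0.9.8.pem"
make_sample new "$tmp/from_1.0.x.pem"
for f in "$tmp"/*.pem; do
    printf '%s: %s\n' "${f##*/}" "$(pem_key_format "$f")"
done
rm -rf "$tmp"
```

Run against the real `finalcert.pem`, a result of `pkcs8-encrypted` matches the 1.0.1 output that the controller rejected in this thread.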
03-07-2013 06:14 AM
Thanks for the info!