Problems uploading webauthcert to mobility express controller

unaiabrisketa
Level 1

Hi,

 

I have a Mobility Express controller on the 8.10 firmware version. I am trying to upload the certificate using the CLI after following the defined process for getting the encoded PEM file.

I have been able to do it on an 8.0 version wireless controller. So the certificate seems to be correct.

Troubleshooting the process on the Aironet Express controller, I get the following errors:

 

TFTP receive complete... Installing Certificate.
*TransferTask: Nov 13 01:48:16.557: RESULT_CODE:13

*TransferTask: Nov 13 01:48:20.557: Adding cert (9165 bytes) with certificate key password.

*TransferTask: Nov 13 01:48:20.557: Add WebAuth Cert: Adding certificate & private key using password 1234
*TransferTask: Nov 13 01:48:20.557: Add ID Cert: Adding certificate & private key using password 1234
*TransferTask: Nov 13 01:48:20.557: Add Cert to ID Table: Adding certificate (name: bsnSslWebauthCert) to ID table using password 1234
*TransferTask: Nov 13 01:48:20.557: Add Cert to ID Table: Decoding PEM-encoded Certificate (verify: YES)
*TransferTask: Nov 13 01:48:20.557: Decode & Verify PEM Cert: Cert/Key Length was 0, so taking string length instead
*TransferTask: Nov 13 01:48:20.557: Decode & Verify PEM Cert: Cert/Key Length 9165 & VERIFY
*TransferTask: Nov 13 01:48:20.568: Decode & Verify PEM Cert: X509 Cert Verification return code: 0
*TransferTask: Nov 13 01:48:20.568: Decode & Verify PEM Cert: X509 Cert Verification result text: certificate is not yet valid
*TransferTask: Nov 13 01:48:20.568: Decode & Verify PEM Cert: Error in X509 Cert Verification at 0 depth: certificate is not yet valid
*TransferTask: Nov 13 01:48:20.569: Add Cert to ID Table: Error decoding (verify: YES) PEM certificate
*TransferTask: Nov 13 01:48:20.569: Add ID Cert: Error decoding / adding cert to ID cert table (verifyChain: TRUE)
*TransferTask: Nov 13 01:48:20.569: Add WebAuth Cert: Error adding ID cert
*TransferTask: Nov 13 01:48:20.569: RESULT_STRING: Error installing certificate.


*TransferTask: Nov 13 01:48:20.569: RESULT_CODE:12


Error installing certificate.

 

I have searched for a while but I didn't find the same issue in other topics. Could anybody help me?

 

Thanks!

 

Accepted Solutions

Prince.O
Spotlight

Hi,

As @jagan.chowdam stated, it looks like your controller having issues is showing the wrong date & time as "Nov 13 01:48:20.569" and thus the cert is showing as not yet valid in the logs.

Please validate the time on the controller and, if necessary, set this to the correct time and try uploading the cert again.


Both controllers have the same time setup?

 

From the error log "X509 Cert Verification result text: certificate is not yet valid".

 

Verify the valid from date and time on the certificate

 

CJ

 

/** Please rate useful responses **/

 

 

 

Scott Fella
Hall of Fame

My suggestion is to post the link of the guide you followed.  With certificates, it also depends on how you generate the CSR and what tool and version you used. v8.0 is old and many things have changed between that version and v8.10.  So this doesn't surprise me that it works with one and not the other.

-Scott
*** Please rate helpful posts ***

Rich R
VIP

Can you show the EXACT commands you used to update the cert?

Enable these debugs before running the commands and capture the debug logs:

debug transfer all enable

debug pm pki enable

Afterwards disable debug with "debug disable-all".

We use the same cert across 8.0, 8.5 and 8.10 WLCs (CSR generated using OpenSSL)

The error message about "not yet valid" is misleading - almost anything that causes the cert update to fail can result in that error message - including incorrect password.
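
Added example (not part of the original thread and not Cisco tooling): a small Python triage helper that pulls the controller timestamp and the X509 verification result out of the "debug transfer all enable" output and compares that clock with the certificate's validity window. The function name `triage`, the validity dates and the years are constructed for illustration, and the controller clock is assumed to be UTC.

```python
import re
import ssl
from datetime import datetime, timezone

# Constructed sample: three lines taken from the debug output quoted in the thread.
SAMPLE_LOG = """\
*TransferTask: Nov 13 01:48:20.557: Add Cert to ID Table: Decoding PEM-encoded Certificate (verify: YES)
*TransferTask: Nov 13 01:48:20.568: Decode & Verify PEM Cert: X509 Cert Verification result text: certificate is not yet valid
*TransferTask: Nov 13 01:48:20.569: RESULT_STRING: Error installing certificate.
"""

# Captures the controller timestamp and the X509 verification result text.
RESULT_RE = re.compile(
    r"^\*TransferTask: (\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+: .*"
    r"X509 Cert Verification result text: (.+)$", re.M)


def triage(log, not_before, not_after, year):
    """Compare the controller clock in the debug log with the cert validity window.

    not_before / not_after: date strings as printed by `openssl x509 -noout -dates`,
    without the "notBefore=" / "notAfter=" prefix.
    year: the controller's current year (the debug timestamps omit it).
    Assumption: the controller clock is treated as UTC.
    """
    m = RESULT_RE.search(log)
    if not m:
        return "no X509 verification result in log"
    stamp, reason = m.group(1), m.group(2).strip()
    clock = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    clock = clock.replace(tzinfo=timezone.utc).timestamp()
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    if clock < start:
        return f"clock is {int(start - clock)}s before notBefore ({reason})"
    if clock > end:
        return f"clock is {int(clock - end)}s after notAfter ({reason})"
    return f"clock is inside the validity window, check other causes ({reason})"


if __name__ == "__main__":
    # Constructed validity window and years, for illustration only.
    nb, na = "Nov 20 00:00:00 2020 GMT", "Nov 20 00:00:00 2021 GMT"
    for yr in (2020, 2021):
        print(yr, triage(SAMPLE_LOG, nb, na, yr))
```

If the helper reports that the clock is inside the validity window while the log still says "not yet valid", the clock is not the cause and the other failure reasons mentioned in the thread (CSR generation, password) are the next things to check.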

 
