06-09-2017 03:09 PM - edited 07-05-2021 07:11 AM
Hello Everyone
I have a problem with uploading a new SSL certificate to my anchor WLC. The controller is old, a 4402 with the newest available software. During the certificate download I get an error: from the GUI I get the message "File transfer failed!", but this is not true because the file was downloaded correctly. I checked what I could get from the CLI; I enabled debugging to have a better overview of what is going on. This is what I got:
(anchor) >transfer download start
Mode............................................. TFTP
Data Type........................................ Site Cert
TFTP Server IP................................... 10.70.164.136
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ /
TFTP Filename.................................... finall-all-certs-oneyear2017.pem
This may take some time.
Are you sure you want to start? (y/N) y
*TransferTask: Jun 09 20:26:05.920: Memory overcommit policy changed from 0 to 1
*TransferTask: Jun 09 20:26:06.066: RESULT_STRING: TFTP Webauth cert transfer starting.
TFTP Webauth cert transfer starting.
*TransferTask: Jun 09 20:26:06.067: RESULT_CODE:1
*emWeb: Jun 09 20:26:08.921: Still waiting! Status = 2
*TransferTask: Jun 09 20:26:10.072: Locking tftp semaphore, pHost=10.70.164.136 pFilename=/finall-all-certs-oneyear2017.pem
*TransferTask: Jun 09 20:26:10.073: Semaphore locked, now unlocking, pHost=10.70.164.136 pFilename=/finall-all-certs-oneyear2017.pem
*TransferTask: Jun 09 20:26:10.073: Semaphore successfully unlocked, pHost=10.70.164.136 pFilename=/finall-all-certs-oneyear2017.pem
*TransferTask: Jun 09 20:26:10.074: TFTP: Binding to local=0.0.0.0 remote=10.70.164.136
*TransferTask: Jun 09 20:26:10.113: TFP End: 7746 bytes transferred (0 retransmitted packets)
*TransferTask: Jun 09 20:26:10.114: tftp rc=0, pHost=10.70.164.136 pFilename=/finall-all-certs-oneyear2017.pem
pLocalFilename=cert.p12
*TransferTask: Jun 09 20:26:10.114: RESULT_STRING: TFTP receive complete... Installing Certificate.
*TransferTask: Jun 09 20:26:10.115: RESULT_CODE:13
TFTP receive complete... Installing Certificate.
*emWeb: Jun 09 20:26:11.920: Still waiting! Status = 2
*TransferTask: Jun 09 20:26:14.115: Adding cert (7682 bytes) with certificate key password.
*TransferTask: Jun 09 20:26:14.118: sshpmAddWebauthCert: Extracting private key from webauth cert and using bundled pkcs12 password.
*TransferTask: Jun 09 20:26:14.123: sshpmDecodePrivateKey: private key decode failed...
*TransferTask: Jun 09 20:26:14.126: sshpmAddWebauthCert: key extraction failed.
*TransferTask: Jun 09 20:26:14.127: RESULT_STRING: Error installing certificate.
*TransferTask: Jun 09 20:26:14.127: RESULT_CODE:12
*TransferTask: Jun 09 20:26:14.127: ummounting: <umount /mnt/download/ >/dev/null 2>&1> cwd = /mnt/application
*TransferTask: Jun 09 20:26:14.172: finished umounting
*TransferTask: Jun 09 20:26:14.434: Memory overcommit policy restored from 1 to 0
Error installing certificate.
It looks like there is a problem with the private key, but when I download this certificate to a 2504 with code 8.0.x there is no problem at all.
This is what I got on the 2504:
(test) >transfer download start
Mode............................................. TFTP
Data Type........................................ Site Cert
TFTP Server IP................................... 10.70.164.136
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ /
TFTP Filename.................................... finall-all-certs-oneyear2017.pem
This may take some time.
Are you sure you want to start? (y/N) y
*TransferTask: Jun 09 16:31:55.295: Memory overcommit policy changed from 0 to 1
*TransferTask: Jun 09 16:31:55.295: RESULT_STRING: TFTP Webauth cert transfer starting.
TFTP Webauth cert transfer starting.
*TransferTask: Jun 09 16:31:55.295: RESULT_CODE:1
*TransferTask: Jun 09 16:31:59.297: Locking tftp semaphore, pHost=10.70.164.136 pFilename=/finall-all-certs-oneyear2017.pem
*TransferTask: Jun 09 16:31:59.381: Semaphore locked, now unlocking, pHost=10.70.164.136 pFilename=/finall-all-certs-oneyear2017.pem
*TransferTask: Jun 09 16:31:59.381: Semaphore successfully unlocked, pHost=10.70.164.136 pFilename=/finall-all-certs-oneyear2017.pem
*TransferTask: Jun 09 16:31:59.382: TFTP: Binding to remote=10.70.164.136
*TransferTask: Jun 09 16:31:59.889: TFP End: 7746 bytes transferred (0 retransmitted packets)
*TransferTask: Jun 09 16:31:59.889: tftp rc=0, pHost=10.70.164.136 pFilename=/finall-all-certs-oneyear2017.pem
pLocalFilename=cert.p12
*TransferTask: Jun 09 16:31:59.890: RESULT_STRING: TFTP receive complete... Installing Certificate.
TFTP receive complete... Installing Certificate.
*TransferTask: Jun 09 16:31:59.890: RESULT_CODE:13
*TransferTask: Jun 09 16:32:03.894: Adding cert (7682 bytes) with certificate key password.
*TransferTask: Jun 09 16:32:09.043: RESULT_STRING: Certificate installed.
Reboot the switch to use new certificate.
*TransferTask: Jun 09 16:32:09.043: RESULT_CODE:11
Certificate installed.
Do you have any idea what's going on? I would appreciate your answers.
06-10-2017 03:21 AM
Looks like certificate encryption problem. Is it a SHA2 certificate?
06-10-2017 07:30 AM
Yes it is.
06-10-2017 08:01 AM
Can you confirm the WLC code and openssl version you used to create the certificate?
06-10-2017 04:28 PM
The WLC code is 7.0.252 (the newest available for the 4400). I'm not sure which OpenSSL was used to create the certificate because I didn't do this: I had a problem with my OpenSSL, so I asked my colleague to do it. He used the OpenSSL from his lab F5 load balancer :).
06-11-2017 07:25 PM
We need to verify the version of OpenSSL, as if a version higher than 1.x is being used then I'd expect this not to work on 7.0.
06-12-2017 12:42 AM
Version of the OpenSSL:
OpenSSL 1.0.1l-fips 15 Jan 2015
What do you think about this? Is this the root cause of my problem? If yes, then please tell me why.
06-12-2017 08:18 AM
This is due to the security updates in OpenSSL release 1.0; kindly go through the change document for the same. Anyway, refer to the Cisco document below:
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
Note: OpenSSL Version 0.9.8 is the recommended version for old WLC releases; however, as of Version 7.5, support for OpenSSL Version 1.0 was also added (refer to Cisco bug ID CSCti65315 - Need Support for certificates generated using OpenSSL v1.0) and it is the recommended version to use. OpenSSL 1.1 was also tested and works well on 8.x and later WLC releases.
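An added diagnostic, not code from the thread or from Cisco: the controller's trace only says "private key decode failed", and the same file installs on the 2504 (8.0.x) but not on the 4402 (7.0.252), so the useful question is which private-key encoding the older parser is being handed. The script below reads only the PEM framing (block labels and the RFC 1421 Proc-Type/DEK-Info headers), so it runs offline without OpenSSL and without the key password. The baseline it compares against is an assumption, not something the thread establishes: the traditional "BEGIN RSA PRIVATE KEY" block encrypted with DES-EDE3-CBC, which is the form OpenSSL 0.9.8 and 1.0.x write for an RSA key, while PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY", the default from OpenSSL 1.1's pkcs12 output) or AES-encrypted keys are flagged for re-encoding. The Cisco note ties acceptance to the OpenSSL version and does not state which encodings the 7.0 parser accepts, so treat a flag as a lead, not a verdict. The sample bundles are constructed with placeholder bodies, and the file name pem_inspect.py is hypothetical.

```python
import base64
import re

# PEM framing: "-----BEGIN <label>-----" ... "-----END <label>-----"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def parse_pem_bundle(text):
    """Return [(label, headers)] for every block; headers are the RFC 1421
    encapsulated headers (Proc-Type, DEK-Info) that precede the base64 body."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        headers = {}
        lines = [ln.strip() for ln in body.splitlines()]
        if lines and ":" in lines[0]:        # base64 never contains ':'
            for ln in lines:
                if not ln:                   # blank line ends the header section
                    break
                name, _, value = ln.partition(":")
                headers[name.strip()] = value.strip()
        blocks.append((label, headers))
    return blocks


def classify_key(label, headers):
    """Describe how a private-key block is encoded, or None if it is not a key."""
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    if label == "PRIVATE KEY":
        return "pkcs8-plain"
    if label.endswith("PRIVATE KEY"):        # RSA/EC/DSA "traditional" PEM
        if headers.get("Proc-Type") == "4,ENCRYPTED":
            cipher = headers.get("DEK-Info", "").split(",")[0]
            return "traditional-encrypted:" + cipher
        return "traditional-plain"
    return None


def inspect_bundle(text):
    """[(kind, detail)] in file order; kind is 'key', 'cert' or 'other'."""
    report = []
    for label, headers in parse_pem_bundle(text):
        key_kind = classify_key(label, headers)
        if key_kind:
            report.append(("key", key_kind))
        elif label == "CERTIFICATE":
            report.append(("cert", None))
        else:
            report.append(("other", label))
    return report


# Assumed baseline (not established by the thread): the form OpenSSL 0.9.8/1.0.x
# write for an RSA key, a traditional block encrypted with DES-EDE3-CBC.
BASELINE = "traditional-encrypted:DES-EDE3-CBC"


def findings(report):
    """Deviations from the baseline worth re-encoding before the next upload."""
    notes = []
    keys = [detail for kind, detail in report if kind == "key"]
    if not keys:
        notes.append("no private key block in bundle")
    if len(keys) > 1:
        notes.append("more than one private key block")
    for k in keys:
        if k.startswith("pkcs8"):
            notes.append("key is PKCS#8 ('BEGIN PRIVATE KEY' form), not traditional 'BEGIN RSA PRIVATE KEY'")
        elif k.startswith("traditional-encrypted:") and k != BASELINE:
            notes.append("traditional key encrypted with %s rather than DES-EDE3-CBC" % k.split(":", 1)[1])
        elif k == "traditional-plain":
            notes.append("private key is unencrypted")
    if not any(kind == "cert" for kind, _ in report):
        notes.append("no certificate blocks in bundle")
    return notes


def _block(label, headers=""):
    # Constructed block: the base64 body is filler, not key or certificate material.
    body = base64.b64encode(b"constructed placeholder, not a real key or cert").decode()
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, body, label)


CERT = _block("CERTIFICATE")
BUNDLE_TRADITIONAL = _block("RSA PRIVATE KEY",
                            "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n") + CERT + CERT
BUNDLE_PKCS8 = CERT + _block("ENCRYPTED PRIVATE KEY")
BUNDLE_AES = _block("RSA PRIVATE KEY",
                    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n") + CERT

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                    # python pem_inspect.py final-cert.pem
        samples = [(sys.argv[1], open(sys.argv[1]).read())]
    else:
        samples = [("traditional", BUNDLE_TRADITIONAL), ("pkcs8", BUNDLE_PKCS8), ("aes", BUNDLE_AES)]
    for name, bundle in samples:
        rep = inspect_bundle(bundle)
        print(name, rep, findings(rep) or ["nothing flagged"])
```

If the key is flagged, re-encoding is done on the host that already holds the key, never on the controller: with OpenSSL 1.0.x or 1.1.x, "openssl rsa -in key.pem -des3 -out key-des3.pem" writes the traditional DES-EDE3-CBC form (OpenSSL 3.x needs the additional "-traditional" flag), after which the bundle is rebuilt in the order the Cisco document describes. Whether that alone satisfies the 7.0.252 parser is not established by the thread; the script only tells you what you are uploading.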