cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1996
Views
0
Helpful
7
Replies

Web authentication SSL certificate issue - 4402 vs 2504

Gunter
Level 1
Level 1

Hello Everyone

I have a problem with upload new SSL certificate to my anchor WLC. Controller is old - 4402 with the newest available software. During the download certificate I get en error - from the GUI I get information "File transfer failed!" but this is not true because file was downloaded correctly. I've check what I can got from the CLI - I enabled debugging to have better overview what is going one - this is what I got:

(anchor) >transfer download start

Mode............................................. TFTP
Data Type........................................ Site Cert
TFTP Server IP................................... 10.70.164.136
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ /
TFTP Filename.................................... finall-all-certs-oneyear2017.pem

This may take some time.
Are you sure you want to start? (y/N) y
*TransferTask: Jun 09 20:26:05.920: Memory overcommit policy changed from 0 to 1
*TransferTask: Jun 09 20:26:06.066: RESULT_STRING: TFTP Webauth cert transfer starting.
TFTP Webauth cert transfer starting.
*TransferTask: Jun 09 20:26:06.067: RESULT_CODE:1
*emWeb: Jun 09 20:26:08.921: Still waiting!  Status = 2
*TransferTask: Jun 09 20:26:10.072: Locking tftp semaphore, pHost=10.70.164.136 pFilename=/finall-all-certs-oneyear2017.pem
*TransferTask: Jun 09 20:26:10.073: Semaphore locked, now unlocking, pHost=10.70.164.136 pFilename=/finall-all-certs-oneyear2017.pem
*TransferTask: Jun 09 20:26:10.073: Semaphore successfully unlocked, pHost=10.70.164.136 pFilename=/finall-all-certs-oneyear2017.pem
*TransferTask: Jun 09 20:26:10.074: TFTP: Binding to local=0.0.0.0 remote=10.70.164.136
*TransferTask: Jun 09 20:26:10.113: TFP End: 7746 bytes transferred (0 retransmitted packets)
*TransferTask: Jun 09 20:26:10.114: tftp rc=0, pHost=10.70.164.136 pFilename=/finall-all-certs-oneyear2017.pem
                                                                                                                   pLocalFilename=cert.p12
*TransferTask: Jun 09 20:26:10.114: RESULT_STRING: TFTP receive complete... Installing Certificate.
*TransferTask: Jun 09 20:26:10.115: RESULT_CODE:13

TFTP receive complete... Installing Certificate.
*emWeb: Jun 09 20:26:11.920: Still waiting!  Status = 2
*TransferTask: Jun 09 20:26:14.115: Adding cert (7682 bytes) with certificate key password.
*TransferTask: Jun 09 20:26:14.118: sshpmAddWebauthCert: Extracting private key from webauth cert and using bundled pkcs12 password.
*TransferTask: Jun 09 20:26:14.123: sshpmDecodePrivateKey: private key decode failed...
*TransferTask: Jun 09 20:26:14.126: sshpmAddWebauthCert: key extraction failed.
*TransferTask: Jun 09 20:26:14.127: RESULT_STRING: Error installing certificate.
*TransferTask: Jun 09 20:26:14.127: RESULT_CODE:12
*TransferTask: Jun 09 20:26:14.127: ummounting: <umount /mnt/download/ >/dev/null 2>&1>  cwd  = /mnt/application
*TransferTask: Jun 09 20:26:14.172: finished umounting
*TransferTask: Jun 09 20:26:14.434: Memory overcommit policy restored from 1 to 0

Error installing certificate.

It's look like there is a problem with private key but when I download this certificate to 2504 with the code 8.0.x there is no problem at all

This is what I got on the 2504:

(test) >transfer download start

Mode............................................. TFTP
Data Type........................................ Site Cert
TFTP Server IP................................... 10.70.164.136
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ /
TFTP Filename.................................... finall-all-certs-oneyear2017.pem

This may take some time.
Are you sure you want to start? (y/N) y
*TransferTask: Jun 09 16:31:55.295: Memory overcommit policy changed from 0 to 1
*TransferTask: Jun 09 16:31:55.295: RESULT_STRING: TFTP Webauth cert transfer starting.
TFTP Webauth cert transfer starting.
*TransferTask: Jun 09 16:31:55.295: RESULT_CODE:1
*TransferTask: Jun 09 16:31:59.297: Locking tftp semaphore, pHost=10.70.164.136 pFilename=/finall-all-certs-oneyear2017.pem
*TransferTask: Jun 09 16:31:59.381: Semaphore locked, now unlocking, pHost=10.70.164.136 pFilename=/finall-all-certs-oneyear2017.pem
*TransferTask: Jun 09 16:31:59.381: Semaphore successfully unlocked, pHost=10.70.164.136 pFilename=/finall-all-certs-oneyear2017.pem
*TransferTask: Jun 09 16:31:59.382: TFTP: Binding to remote=10.70.164.136
*TransferTask: Jun 09 16:31:59.889: TFP End: 7746 bytes transferred (0 retransmitted packets)
*TransferTask: Jun 09 16:31:59.889: tftp rc=0, pHost=10.70.164.136 pFilename=/finall-all-certs-oneyear2017.pem
                                                                                                                   pLocalFilename=cert.p12
*TransferTask: Jun 09 16:31:59.890: RESULT_STRING: TFTP receive complete... Installing Certificate.
TFTP receive complete... Installing Certificate.
*TransferTask: Jun 09 16:31:59.890: RESULT_CODE:13
*TransferTask: Jun 09 16:32:03.894: Adding cert (7682 bytes) with certificate key password.
*TransferTask: Jun 09 16:32:09.043: RESULT_STRING: Certificate installed.
                                                                           Reboot the switch to use new certificate.
*TransferTask: Jun 09 16:32:09.043: RESULT_CODE:11

Certificate installed.

Do you have any idea what's going on? I will be appreciated for your answers.

7 Replies 7

Prateek Saxena
Cisco Employee
Cisco Employee

Looks like certificate encryption problem. Is it a SHA2 certificate?

Yes it is.

Can you confirm the WLC code and openssl version you used to create the certificate?

WLC code is 7.0.252 (the newest available for 4400), I'm not sure what openSSL was used to create certificate because I did do this - I had a problem with my OpenSSL so I asked my collage to do this. He used OpenSSL from his LAB load balancer F5 :).

We need to verify the version of openSSL as if we are using version more than 1.x then I'll expect this not to work on 7.0

Version of the OpenSSL:

OpenSSL 1.0.1l-fips 15 Jan 2015

What do you think about this? Is this is the root cause of my problem? If yes then please tell me why?

This is due to the security updates in OpenSSL release 1.0 Kindly go through the change document for the same. Anyways refer the cisco document below:

http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

  1. Note: OpenSSL Version 0.9.8 is the recommended version for old WLC releases; however, as of Version 7.5, support for OpenSSL Version 1.0 was also added (refer to Cisco bug ID CSCti65315 - Need Support for certificates generated using OpenSSL v1.0) and is the recommended version to use. OpenSSL 1.1 works was also tested and works great on 8.x and later WLC releases.

Review Cisco Networking for a $25 gift card