12-04-2019 02:21 AM - edited 07-05-2021 11:23 AM
Hello
I have a problem installing a new webauth certificate on a WLC 5508.
I created a new file like in this document:
From the GUI and from the CLI, when I try to download and install it, I get a success message:
File transfer operation completed successfully. For Certificates to take effect and SSL to work, you need to reboot system. Click Here to get redirected to reboot page.
After a reboot of the controller I still see the old certificate.
When I enabled debug I got the output below, but I still don't know what the cause is and why the new certificate is not installed correctly.
*TransferTask: Dec 03 13:33:43.187: Memory overcommit policy changed from 0 to 1
*TransferTask: Dec 03 13:33:43.187: RESULT_STRING: TFTP Webauth cert transfer starting.
TFTP Webauth cert transfer starting.
*TransferTask: Dec 03 13:33:43.187: RESULT_CODE:1
*TransferTask: Dec 03 13:33:47.222: TFTP: Binding to remote=192.168.40.100
*TransferTask: Dec 03 13:33:47.276: TFP End: 12043 bytes transferred (0 retransmitted packets)
*TransferTask: Dec 03 13:33:47.276: tftp rc=0, pHost=192.168.40.100 pFilename=WLAN5508/final_5508.pem pLocalFilename=cert.p12
*TransferTask: Dec 03 13:33:47.333: RESULT_STRING: TFTP receive complete... Installing Certificate .
*TransferTask: Dec 03 13:33:47.333: RESULT_CODE:13
TFTP receive complete... Installing Certificate.
*TransferTask: Dec 03 13:33:51.335: Adding cert (11947 bytes) with certificate key password.
*TransferTask: Dec 03 13:33:51.335: Add WebAuth Cert: Adding certificate & private key using password PASSWORD
*TransferTask: Dec 03 13:33:51.335: Add ID Cert: Adding certificate & private key using password PASSWORD
*TransferTask: Dec 03 13:33:51.336: Add Cert to ID Table: Adding certificate (name: bsnSslWebauthCert) to ID table using password PASSWORD
*TransferTask: Dec 03 13:33:51.336: Add Cert to ID Table: Decoding PEM-encoded Certificate (verify: YES)
*TransferTask: Dec 03 13:33:51.336: Decode & Verify PEM Cert: Cert/Key Length was 0, so taking string length instead
*TransferTask: Dec 03 13:33:51.336: Decode & Verify PEM Cert: Cert/Key Length 11947 & VERIFY
*TransferTask: Dec 03 13:33:51.365: Decode & Verify PEM Cert: X509 Cert Verification return code: 1
*TransferTask: Dec 03 13:33:51.365: Decode & Verify PEM Cert: X509 Cert Verification result text: ok
*TransferTask: Dec 03 13:33:51.367: Add Cert to ID Table: Decoding PEM-encoded Private Key using password PASSWORD
*TransferTask: Dec 03 13:33:51.369: Add Cert to ID Table: Adding cert & key to ID cert table; current/max: 5/8
*TransferTask: Dec 03 13:33:51.369: sshpmGetIdCertIndex: called to lookup cert >bsnSslWebauthCert<
*TransferTask: Dec 03 13:33:51.370: sshpmGetIdCertIndex: found match in row 4
*TransferTask: Dec 03 13:33:51.370: Add Cert to ID Table: Deleting bsnSslWebauthCert (row 4) from ID cert table
*TransferTask: Dec 03 13:33:51.370: Free Row in ID Table: Freeing OpenSSL cert (X509 fn: 0x2ac498c8 | DER fn: 0x2ab7e3c8) from ID cert table (row 4)
*TransferTask: Dec 03 13:33:51.370: Free Row in ID Table: Freeing OpenSSL key (EVP_PKEY fn: 0x2ac32030 | DER fn: 0x2ab7e3c8) from ID cert table (row 4)
*TransferTask: Dec 03 13:33:51.371: Add Cert to ID Table: Adding new bsnSslWebauthCert cert & key to row 4 of ID cert table
*TransferTask: Dec 03 13:33:51.371: Add ID Cert: Writing DER-encoded ID cert to file /mnt/application/bsnSslWebauthCert.crt
*TransferTask: Dec 03 13:33:51.371: sshpmWriteCredentialFile: called to write </mnt/application/bsnSslWebauthCert.crt>; certptr 0x2c49c8f0, length 1533
*TransferTask: Dec 03 13:33:51.372: Add ID Cert: Writing DER-encoded ID private key to file /mnt/application/bsnSslWebauthCert.prv
*TransferTask: Dec 03 13:33:51.372: sshpmWriteCredentialFile: called to write </mnt/application/bsnSslWebauthCert.prv>; certptr 0x2c49d124, length 1192
*TransferTask: Dec 03 13:33:51.373: Add ID Cert: Unlinking previously created ID PEM-encoded PKCS12 file webauth_p12.pem
*TransferTask: Dec 03 13:33:51.374: Add ID Cert: Created PEM-encoded ID PKCS12 file webauth_p12.pem
*TransferTask: Dec 03 13:33:51.374: RESULT_STRING: Certificate installed. Reboot the switch to use new certificate.
*TransferTask: Dec 03 13:33:51.374: RESULT_CODE:11
*TransferTask: Dec 03 13:33:51.376: Memory overcommit policy restored from 1 to 0
Certificate installed. Reboot the switch to use new certificate.
(Cisco Controller) >
02-26-2020 02:05 AM
12-04-2019 11:40 PM
12-06-2019 02:30 AM - edited 12-06-2019 02:36 AM
Yes, I don't see the new certificate after reboot. I still have a valid old certificate, but I don't think it matters.
After reboot, when I go to Web Authentication Certificate I see
Current Certificate:
valid:From Dec 15 13:36:41 2016 GMT Until Dec 15 13:36:41 2019 GMT
My software version is 8.3.143.0
12-06-2019 03:33 AM
12-09-2019 05:11 AM - edited 12-09-2019 05:28 AM
I'm sure that was the new certificate. I found information on the internet on how to create a new certificate manually, without using pkcs12 commands, and it worked. I was able to upload the new certificate and after reboot I have the proper value for this certificate. Now I have another problem. I can't use HTTPS in the GUI, only HTTP. I disabled and enabled HTTPS, and also generated a new local certificate, but it doesn't help. For now I can only use the HTTP protocol.
12-09-2019 06:04 AM
12-09-2019 06:42 AM
12-09-2019 06:55 AM
12-09-2019 06:58 AM
12-09-2019 07:57 AM
12-09-2019 08:45 AM
12-10-2019 02:12 AM
12-10-2019 02:24 AM
12-10-2019 04:20 AM
I'm a bit out of ideas, as I don't know why it isn't working for you. You could try to re-create the locally generated certificate, that's the one the GUI service uses.
12-10-2019 06:27 AM - edited 12-10-2019 06:58 AM
I tried to create a new local certificate, but this also doesn't change anything.
I made a test and installed the old certificate, and HTTPS started working, but when I installed the new certificate HTTPS stopped working.