Webauth Certificate install problem wlc 5508

Hello

I have a problem installing a new webauth certificate on a WLC 5508.

I created a new file as described in this document:

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

From the GUI and from the CLI, when I try to download and install it, I get a success message:

File transfer operation completed successfully. For Certificates to take effect and SSL to work, you need to reboot system. Click Here to get redirected to reboot page. 

After rebooting the controller I still see the old certificate.

When I enabled debugging I got the following, but I still don't know what the cause is and why the new certificate is not installed correctly.


*TransferTask: Dec 03 13:33:43.187: Memory overcommit policy changed from 0 to 1

*TransferTask: Dec 03 13:33:43.187: RESULT_STRING: TFTP Webauth cert transfer starting.


TFTP Webauth cert transfer starting.
*TransferTask: Dec 03 13:33:43.187: RESULT_CODE:1

*TransferTask: Dec 03 13:33:47.222: TFTP: Binding to remote=192.168.40.100

*TransferTask: Dec 03 13:33:47.276: TFP End: 12043 bytes transferred (0 retransmitted packets)

*TransferTask: Dec 03 13:33:47.276: tftp rc=0, pHost=192.168.40.100 pFilename=WLAN5508/final_5508.pem
        pLocalFilename=cert.p12

*TransferTask: Dec 03 13:33:47.333: RESULT_STRING: TFTP receive complete... Installing Certificate                                                              .

*TransferTask: Dec 03 13:33:47.333: RESULT_CODE:13


TFTP receive complete... Installing Certificate.
*TransferTask: Dec 03 13:33:51.335: Adding cert (11947 bytes) with certificate key password.

*TransferTask: Dec 03 13:33:51.335: Add WebAuth Cert: Adding certificate & private key using password PASSWORD
*TransferTask: Dec 03 13:33:51.335: Add ID Cert: Adding certificate & private key using password PASSWORD
*TransferTask: Dec 03 13:33:51.336: Add Cert to ID Table: Adding certificate (name: bsnSslWebauthCert) to ID table using password PASSWORD
*TransferTask: Dec 03 13:33:51.336: Add Cert to ID Table: Decoding PEM-encoded Certificate (verify: YES)
*TransferTask: Dec 03 13:33:51.336: Decode & Verify PEM Cert: Cert/Key Length was 0, so taking string length instead
*TransferTask: Dec 03 13:33:51.336: Decode & Verify PEM Cert: Cert/Key Length 11947 & VERIFY
*TransferTask: Dec 03 13:33:51.365: Decode & Verify PEM Cert: X509 Cert Verification return code: 1
*TransferTask: Dec 03 13:33:51.365: Decode & Verify PEM Cert: X509 Cert Verification result text: ok
*TransferTask: Dec 03 13:33:51.367: Add Cert to ID Table: Decoding PEM-encoded Private Key using password PASSWORD
*TransferTask: Dec 03 13:33:51.369: Add Cert to ID Table: Adding cert & key to ID cert table; current/max: 5/8
*TransferTask: Dec 03 13:33:51.369: sshpmGetIdCertIndex: called to lookup cert >bsnSslWebauthCert<

*TransferTask: Dec 03 13:33:51.370: sshpmGetIdCertIndex: found match in row 4

*TransferTask: Dec 03 13:33:51.370: Add Cert to ID Table: Deleting bsnSslWebauthCert (row 4) from ID cert table
*TransferTask: Dec 03 13:33:51.370: Free Row in ID Table: Freeing OpenSSL cert (X509 fn: 0x2ac498c8 | DER fn: 0x2ab7e3c8) from ID cert table (row 4)
*TransferTask: Dec 03 13:33:51.370: Free Row in ID Table: Freeing OpenSSL key (EVP_PKEY fn: 0x2ac32030 | DER fn: 0x2ab7e3c8) from ID cert table (row 4)
*TransferTask: Dec 03 13:33:51.371: Add Cert to ID Table: Adding new bsnSslWebauthCert cert & key to row 4 of ID cert table
*TransferTask: Dec 03 13:33:51.371: Add ID Cert: Writing DER-encoded ID cert to file /mnt/application/bsnSslWebauthCert.crt
*TransferTask: Dec 03 13:33:51.371: sshpmWriteCredentialFile: called to write </mnt/application/bsnSslWebauthCert.crt>; certptr 0x2c49c8f0, length 1533

*TransferTask: Dec 03 13:33:51.372: Add ID Cert: Writing DER-encoded ID private key to file /mnt/application/bsnSslWebauthCert.prv
*TransferTask: Dec 03 13:33:51.372: sshpmWriteCredentialFile: called to write </mnt/application/bsnSslWebauthCert.prv>; certptr 0x2c49d124, length 1192

*TransferTask: Dec 03 13:33:51.373: Add ID Cert: Unlinking previously created ID PEM-encoded PKCS12 file webauth_p12.pem
*TransferTask: Dec 03 13:33:51.374: Add ID Cert: Created PEM-encoded ID PKCS12 file webauth_p12.pem
*TransferTask: Dec 03 13:33:51.374: RESULT_STRING: Certificate installed.
             Reboot the switch to use new certificate.


*TransferTask: Dec 03 13:33:51.374: RESULT_CODE:11

*TransferTask: Dec 03 13:33:51.376: Memory overcommit policy restored from 1 to 0


Certificate installed.
                        Reboot the switch to use new certificate.


(Cisco Controller) >

 

30 Replies

I suggest opening a TAC case, or maybe somebody else can recommend something. I'm a bit out of ideas.

Did you test it with a different PC?


Have you used OpenSSL 1.x or the older 0.9.x? I seem to remember that the 5508 didn't like certificates created with OpenSSL 1.x.


I used OpenSSL 0.9.8y.

Pawel,

 

After enabling secure web and generating the local certificate, did you reboot the WLC?
Usually the WLC needs to be rebooted for the change to take effect.

 

Newer browsers sometimes react like this to devices that do not present any certificate, or not the proper one.
I had similar behavior. You can use the WebAuth certificate (if it is a wildcard) and install it under Management > HTTP-HTTPS, Download SSL Certificate. For this one you actually shouldn't need the chain, only the signed certificate without the root and intermediate, but the WLC should accept it as a chain as well.
Then reload the WLC and it should start working.

I restarted the controller many times without effect.

I don't have a wildcard certificate.

Hey,

 


Is the WLC in an SSO HA pair or a standalone unit?


Where do you see the old cert? Is it when a user is connecting or when you log in to the GUI of the WLC?
When you go to Security > Webauth > Certificate you should see the new certificate there. Check it, and if the new one is there, then there is a configuration issue which you should check against the DNS server or the virtual interface configuration on the WLC.


Hope this helps!

Cheers!


I have two identical 5508 controllers, both configured only with a mobility group. When I uploaded the old certificate I saw it when a user was trying to connect to the network and the captive portal opened for him to enter the username and password. When I uploaded the new certificate I saw it under Security > Webauth > Certificate and I saw that it is valid.
After uploading the new certificate and reloading I can't log in to the WLC GUI over HTTPS. I can log in only over HTTP, even though the HTTPS option is enabled. Also, with the new certificate, when the user tries to connect to the SSID the captive portal page does not open at all. When I upload the old certificate everything starts working properly; then I only get a message that the certificate has expired, but the page loads properly.

Have you changed anything with regard to key size or encryption between the two certificates?


No, I didn't change anything at the beginning. I downloaded the new certificate and only replaced the old values with the new ones when I created All-certs.pem from this instruction: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
The certificate was issued by the same company, so I didn't even need to change the CA certificate.
But if I try to create it as in this instruction I get an error. I was able to create and upload to the WLC a certificate from the instruction below:

 

Thank you for your advice.

I have done some playing around and have found the solution to my problem, hopefully it will help the others as well.

The issue seems to be the format of the final PEM file being uploaded.

The controller seems to be expecting a file in the following format:

-----BEGIN CERTIFICATE-----

Device cert

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

Intermediate cert

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

Root Cert

-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: DES-EDE3-CBC,

-----END RSA PRIVATE KEY-----

But the version of OpenSSL I was using ended up in this format:

Bag Attributes

-----BEGIN CERTIFICATE-----

Device Cert

-----END CERTIFICATE-----

Bag Attributes:

-----BEGIN CERTIFICATE-----

Intermediate Cert

-----END CERTIFICATE-----

Bag Attributes:

-----BEGIN CERTIFICATE-----

Root Cert

-----END CERTIFICATE-----

Bag Attributes

-----BEGIN ENCRYPTED PRIVATE KEY-----

Private key

-----END ENCRYPTED PRIVATE KEY-----

So using the command OpenSSL> rsa -in mykey.pem -des3 -out keyout.pem

I encrypted the private key using Triple DES, it prompted for a passphrase.

I did not then run the pkcs12 commands, but combined the certs and key myself.

Creating a new file in Notepad, I pasted the X509 certs from Thawte, followed by the contents of keyout.pem, in the format:

-----BEGIN CERTIFICATE-----

Device cert

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

Intermediate cert

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

Root Cert

-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: DES-EDE3-CBC,

-----END RSA PRIVATE KEY-----

I saved the file as final.pem

Setting the certpassword parameter as the pass phrase used in the DES3 encryption.

The upload then worked as expected.

I'm guessing the issue is down to a different version of OpenSSL being used.

I generated a new CSR with this command

req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem 

and reissued the certificate. After that I was able to create the final.pem file with these commands

pkcs12 -export -in All-certs.pem -inkey mykey.pem 
-out All-certs.p12 -clcerts -passin pass:check123
-passout pass:check123
openssl>pkcs12 -in All-certs.p12 -out final.pem 
-passin pass:check123 -passout pass:check123

but after that I got an error while uploading the file:

 

*TransferTask: Feb 26 10:30:48.855: Add Cert to ID Table: Adding certificate (name: bsnSslWebauthCert) to ID table using password check123
*TransferTask: Feb 26 10:30:48.855: Add Cert to ID Table: Decoding PEM-encoded Certificate (verify: YES)
*TransferTask: Feb 26 10:30:48.855: Decode & Verify PEM Cert: Cert/Key Length was 0, so taking string length instead
*TransferTask: Feb 26 10:30:48.855: Decode & Verify PEM Cert: Cert/Key Length 7628 & VERIFY
*TransferTask: Feb 26 10:30:48.861: Decode & Verify PEM Cert: X509 Cert Verification return code: 0
*TransferTask: Feb 26 10:30:48.861: Decode & Verify PEM Cert: X509 Cert Verification result text: unable to get local issuer certificate
*TransferTask: Feb 26 10:30:48.861: Decode & Verify PEM Cert: Error in X509 Cert Verification at 0 depth: unable to get local issuer certificate
*TransferTask: Feb 26 10:30:48.863: Add Cert to ID Table: Error decoding (verify: YES) PEM certificate
*TransferTask: Feb 26 10:30:48.863: Add ID Cert: Error decoding / adding cert to ID cert table (verifyChain: TRUE)
*TransferTask: Feb 26 10:30:48.863: Add WebAuth Cert: Error adding ID cert
*TransferTask: Feb 26 10:30:48.863: RESULT_STRING: Error installing certificate.

Many times the issue is that you have to combine the root, all the intermediate CAs and the device cert. From the guide:

1.
* Root certificate.pem
* Intermediate certificate.pem
* Device certificate.pem

Note: Make sure that the certificate is Apache-compatible with Secure Hash Algorithm 1 (SHA1) encryption.

2. Once you have all three certificates, copy and paste the contents of each .pem file into another file in this order:


------BEGIN CERTIFICATE------
*Device cert*
------END CERTIFICATE------
------BEGIN CERTIFICATE------
*Intermediate CA cert *
------END CERTIFICATE--------
------BEGIN CERTIFICATE------
*Root CA cert *
------END CERTIFICATE------

3. Save the file as All-certs.pem.
-Scott
*** Please rate helpful posts ***

Now I can only download a certificate with SHA2 encryption. The company we bought the certificate from generates only SHA2.

Can that be a problem with installing the new certificate?

Hi,

 

SHA2 certificates are supported as well, up to SHA256; for SHA512 I'm not sure support is there yet. This is confirmed by the logs you attached: seeing the "Decode & Verify PEM Cert:" message means that the WLC is able to decode the cert and is able to understand the signature.

Based on the provided logs, what you're missing is the whole certificate chain, mainly the root certificate: "Decode & Verify PEM Cert: Error in X509 Cert Verification at 0 depth: unable to get local issuer certificate". Add that to the ".pem" file and you should be good to go.

 

Regards,

Cristian Matei.

No that is not a problem. The doc is old.
-Scott
*** Please rate helpful posts ***

The problem was in the intermediate cert. I added two intermediate certificates and then I was able to upload the final file.

My final.pem looks like:

------BEGIN CERTIFICATE------
*Device cert*
------END CERTIFICATE------
------BEGIN CERTIFICATE------
*Intermediate CA cert *
------END CERTIFICATE--------
------BEGIN CERTIFICATE------
*Intermediate CA cert *
------END CERTIFICATE--------
------BEGIN CERTIFICATE------
*Root CA cert *
------END CERTIFICATE------

Thank you all for your help.
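The file layout that the quoted solution post, Scott's chain-order reply and the final post converge on (device cert, then every intermediate, then the root, then the key as an encrypted "RSA PRIVATE KEY" with Proc-Type/DEK-Info headers and no "Bag Attributes"), as an added example that is not from this thread and not Cisco's tooling. Besides assembling the file it runs the same chain validation the controller's "Decode & Verify PEM Cert ... (verify: YES)" step performs, so a missing intermediate or root fails with "unable to get local issuer certificate" on the workstation instead of on the WLC, and it rejects the PKCS#8 "ENCRYPTED PRIVATE KEY" form that the pkcs12 route produced. It assumes the openssl CLI is on PATH; the CA names, host name and throwaway keys are constructed, and the check123 passphrase is reused from the thread.

```shell
#!/bin/sh
# Added example, not from this thread or from Cisco. Assumes openssl on PATH.
set -eu

# Assemble final.pem.
#   usage: build_final_pem OUT PASSPHRASE KEY DEVICE [INTERMEDIATE ...] ROOT
# Order in the file: device cert, intermediates (the device's issuer first),
# root, then the key as an encrypted "RSA PRIVATE KEY" (DES-EDE3-CBC with
# Proc-Type/DEK-Info headers). Only the armored blocks are copied, so the
# "Bag Attributes" lines that openssl pkcs12 prints never reach the file.
build_final_pem() {
    out=$1; pass=$2; key=$3
    shift 3
    : > "$out"
    for cert in "$@"; do
        sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$cert" >> "$out"
    done
    # -traditional forces the PKCS#1 armor; OpenSSL 3 would otherwise write the
    # PKCS#8 "ENCRYPTED PRIVATE KEY" the thread saw fail. OpenSSL 1.0.x has no
    # such flag, but its rsa command already writes the traditional form, hence
    # the fallbacks (a rejected option writes nothing, so $out stays clean).
    openssl pkey -in "$key" -des3 -traditional -passout "pass:$pass" >> "$out" 2>/dev/null \
        || openssl rsa -in "$key" -des3 -traditional -passout "pass:$pass" >> "$out" 2>/dev/null \
        || openssl rsa -in "$key" -des3 -passout "pass:$pass" >> "$out"
}

# Pre-upload check. Splits the certificate blocks back out of the file (first =
# device, last = root, the rest = intermediates) and lets openssl build the same
# path the controller builds; then insists on the encrypted PKCS#1 key armor and
# on the absence of pkcs12 residue. Returns 0 when the file is good, 1 otherwise.
check_final_pem() {
    f=$1
    d=$(mktemp -d)
    awk -v d="$d" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = d "/" n ".pem"; inside = 1 }
        inside                          { print > out }
        /^-----END CERTIFICATE-----$/   { inside = 0; close(out) }
        END                             { print n + 0 > (d "/count") }' "$f"
    n=$(cat "$d/count")
    rc=0
    if [ "$n" -lt 2 ]; then
        echo "need at least a device certificate and a root" >&2
        rc=1
    else
        untrusted=""
        i=2
        while [ "$i" -lt "$n" ]; do
            cat "$d/$i.pem" >> "$d/untrusted.pem"
            i=$((i + 1))
        done
        if [ "$n" -gt 2 ]; then untrusted="-untrusted $d/untrusted.pem"; fi
        # $untrusted is deliberately unquoted: it expands to two words or to none
        openssl verify -CAfile "$d/$n.pem" $untrusted "$d/1.pem" >/dev/null 2>&1 || rc=1
    fi
    grep -q '^-----BEGIN RSA PRIVATE KEY-----$' "$f" || rc=1   # PKCS#1 armor, not PKCS#8
    grep -q '^Proc-Type: 4,ENCRYPTED$' "$f" || rc=1            # encrypted under certpassword
    if grep -q 'Bag Attributes' "$f"; then rc=1; fi            # pkcs12 residue
    rm -rf "$d"
    return $rc
}

# Constructed throwaway PKI so the example runs offline: self-signed root ->
# issuing CA -> device cert, the shape of the thread's Thawte chain. The device
# CSR step is the thread's own command (req -new -newkey rsa:2048 -nodes).
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:true\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:false\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -sha256 -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=webauth.example.invalid" \
        -keyout "$d/mykey.pem" -out "$d/myreq.pem" 2>/dev/null
    openssl x509 -req -in "$d/myreq.pem" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
        -sha256 -days 2 -extfile "$d/leaf.ext" -out "$d/device.pem" 2>/dev/null
}

# Run with --demo to build the chain, assemble final.pem and check it.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_demo_chain "$work"
    build_final_pem "$work/final.pem" check123 "$work/mykey.pem" \
        "$work/device.pem" "$work/inter.pem" "$work/root.pem"
    if check_final_pem "$work/final.pem"; then
        echo "final.pem: chain verifies and key armor is what the WLC expects"
    else
        echo "final.pem would be rejected by the controller"
    fi
    rm -rf "$work"
fi
```

With real CA-issued files the call is `build_final_pem final.pem <certpassword> mykey.pem device.pem inter1.pem inter2.pem root.pem`, listing every intermediate the CA hands out (the final post needed two), and `check_final_pem final.pem` before the TFTP download; the passphrase given here is the one to enter as the certpassword on the WLC.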
