
WLC 9800 L installed wildcard certificate and can no longer access GUI

TRNHelp
Level 1

I have a WLC9800 L. I installed a wildcard cert and set a trust point. Now I cannot access the management via GUI. I can still access via PuTTY using the IP. I followed the Cisco documentation for installing the cert but haven't found anything on the GUI issue after installing a wildcard cert.

I would appreciate any help on this issue.  

30 Replies

docjb0221
Level 1
What version of IOS are you running? There were some bugs with 17.3.5 around the web server and certs.

Version 17.03.06

marce1000
VIP

 

 - For starters, have a checkup-review of your 9800 controller (current) configuration with the CLI command: show tech wireless, and have the output analyzed with: https://cway.cisco.com/wireless-config-analyzer
   Always a good place to start when experiencing all sorts of trouble!

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Scott Fella
Hall of Fame

Either your browser is flagging the cert change as a security issue, in which case you need to try to use a private window, or else, since you have CLI access, change the https to use a default trustpoint. If you have a backup configuration, you should see the certificate it was using.

-Scott
*** Please rate helpful posts ***

Rich R
VIP

"Now I cannot access the management via GUI." - can you be more specific?
What exactly is the error, if any?  What do you see on a packet capture and browser trace?

Agree with Scott that it's quite likely a browser issue with change of cert rather than WLC issue.  As long as you've installed the cert correctly it should work.  Go back to basics - make sure the FQDN name you're using is in DNS, resolves to the WLC IP and matches the name on the cert.  Then use browser trace (F11), WLC debugs and packet captures to work out why it's not working.
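The name checks suggested in the post above (the FQDN is in DNS, resolves to the WLC IP, and matches the name on the cert), written out as an added example that is not part of the thread or of Cisco's documentation. The function names, the problem codes, and the sample names and addresses are hypothetical and constructed for illustration; the wildcard rule shown is the standard one where `*` covers exactly one left-most label.

```python
import ipaddress
import socket

def san_matches(pattern, host):
    """Match a dNSName SAN against a host name; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False  # partial or non-left-most wildcards are not accepted
    # The wildcard covers exactly one non-empty label: same depth, same parent domain.
    return len(p) == len(h) and h[0] != "" and p[1:] == h[1:]

def system_resolver(name):
    """Return the set of addresses the local resolver gives for name."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, 443)}
    except socket.gaierror:
        return set()

def check_gui_name(name, dns_sans, wlc_ip, resolver=system_resolver):
    """Return a list of problem codes; an empty list means the name is usable."""
    try:
        ipaddress.ip_address(name)
        return ["ip-literal"]  # a dNSName SAN never matches an IP typed in the URL
    except ValueError:
        pass
    problems = []
    if not any(san_matches(s, name) for s in dns_sans):
        problems.append("name-mismatch")
    addrs = resolver(name)
    if not addrs:
        problems.append("no-dns")
    elif wlc_ip not in addrs:
        problems.append("wrong-ip")
    return problems

# Constructed sample data (documentation domain and address range, not from the thread).
SANS = ["*.example.com"]
WLC_IP = "192.0.2.10"
FAKE_DNS = {"wlc.example.com": {"192.0.2.10"}, "wlc.wifi.example.com": {"192.0.2.10"},
            "old.example.com": {"192.0.2.99"}}

if __name__ == "__main__":
    for n in ["wlc.example.com", "wlc.wifi.example.com", "example.com", "old.example.com", WLC_IP]:
        print(n, check_gui_name(n, SANS, WLC_IP, lambda x: FAKE_DNS.get(x, set())) or "ok")
```

Leaving out the `resolver` argument makes the check use the local system resolver instead of the constructed table.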

It's a wildcard certificate we use for many things in our network. If I go back to the self-signed cert I can get back into the GUI. If I ping the controller by name it returns the correct Domain Name.

The trustpoint has

Label - the name of the certificate  

Enrollment URL is still the default 

Then it has key Generated and Enroll trustpoint checked

You didn't answer the question!

When you say "Now I cannot access the management via GUI" - what exactly does that mean? Do you get an error message?  Do you get a certificate error?  Does the connection timeout?  Does the connection get rejected?  Have you done a browser trace?  Have you done a packet capture?  Have you done debugs on the WLC?  What do the WLC logs show?  Do you have a screenshot illustrating the problem?

I removed the trust points and the key pairs and brought the certificate in again. I didn't change the trust point under HTTP/HTTPS/Netconf and I can access via the GUI. Then I went into Web Auth - Global and changed the trust point. Now on my guest wireless when I try to connect I get this site can't be reached. Err_connection_reset

Did you do *any* of the things we suggested or you just ignored the whole lot?

There's no point asking questions if you just ignore the answers.

Yes, I changed the https to use a default trust point per Scott's suggestion, which allows me to access via the GUI, but I still need assistance on getting the cert to work with Guest WIFI.

I have also run the Show Wireless tech but it shows 0 errors

 

 

> ....Now on my guest wireless when I try to connect I get this site can't be reached. Err_connection_reset

 - A bit confusing, are you saying you need GUI access from guest network (not good practice!),

 M.
  




I'm trying to get rid of the browser error that my connection is not secure when connecting to my Guest wireless. So I have a certificate to get rid of that error, but when I put in the trust point I cannot get to my internal page to log on with guest WIFI. Without the certificate I get that my connection isn't secure, but I can bypass that and get to my Guest page to log on. I hope that makes sense.

 

 - Post a screenshot of what you are seeing,

 M.


