ArubaOS and Controllers

Frequent Contributor I
Posts: 64
Registered: ‎11-10-2009

Using certificate to protect SSL WebUI without warnings

Hello,

I can successfully upload a signed certificate to the controller to secure access to https://aruba-master... and this works fine.

However, if I do some things - like go to 'All Access Points' and pick one, I get sent to 'https://p.q.r.s/...' (where p.q.r.s is the IP address of the controller handling that AP) and get a certificate warning from my browser.

Is there any way to resolve this, or do I just have to put an exception in to accept the certificate(s) used by the local controllers by IP address?

I get a similar situation when browsing to the standby controller handling 'aruba-master...' and have to accept that warning.

I'm running 3.3 of Aruba OS. Thanks for any help,

- Bob
Guru Elite
Posts: 21,259
Registered: ‎03-29-2007

Entering the IP address

Bob,

There are a number of reasons why that could be happening. That could be that you are referring to the controller by a URL that does not match his certificate. If you reach it via IP address, that does not match what is on the certificate. Examine what the message says, then post it here.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 64
Registered: ‎11-10-2009

Re: Using certificate to protect SSL WebUI without warnings

I'm starting by browsing to the VRRP-protected https://aruba-master.../ and don't get any warnings because the certificate CN matches the hostname in the URL.

However, if I select Monitoring → Network: All Access Points then hover over an access point name, the URL I'm going to open changes to the IP address of that specific controller (https://131.111.p.q/) even though that's actually the same controller. Does the same thing happen for you?

I can understand why that's happening (if we had local controllers and suchlike, I guess the URL would have the IP address of the local controller handling that AP), but it causes the certificate error because the certificate name will still be 'aruba-master...' but the URL I'm visiting has an IP address in.

I imagine, to solve this, each controller would need a local certificate for its own name AND the master controller would need to know that the local controllers (including itself, if it's supporting APs) would need to be referred to in the WebUI, when creating links, as https://controller1.../ rather than by IP address.

What do other people do? Do they just accept the warnings, when clicking on the links to AP monitoring; do they just not do that kind of thing?

Or am I missing something really basic about setting this up?
Occasional Contributor I
Posts: 7
Registered: ‎01-20-2010

Re: Using certificate to protect SSL WebUI without warnings

We had the same issue when we changed our network configuration to a different IP range for the Aruba Controllers. For the past couple of years we have just dealt with it. But now that you ask I am curious to find what other people have come up with.
Guru Elite
Posts: 21,259
Registered: ‎03-29-2007

Cert Mismatch.

Each access point in the database has a pointer to the last controller that he was connected to, and that is an ip address, not a hostname. The list you are referring to creates the link from this database, so the controller that it points to is always the ip address of the last controller. The link redirects you to the correct controller so that you can inspect details on that access point.

It is good that you see a certificate message, so that you are alerted to the fact that you may or may not be on the same host that you started with.

If you take a look at the certificate when you have the problem and just accept it, you should not have the problem anymore.


Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 64
Registered: ‎11-10-2009

Re: Using certificate to protect SSL WebUI without warnings

Yep - I think there's no solution to avoid warning-free browsing without having to accept some certificates first.

I think what I'll do is install a signed certificate for 'aruba-master...' on all of my controllers (I currently only have a pair of master/backup) and just acknowledge the warning for each one, when I connect for the first time.

If I ever get any local controllers, I'll probably install ones with names specific to them.

Thanks for your help.
Contributor I
Posts: 49
Registered: ‎01-20-2010

Re: Using certificate to protect SSL WebUI without warnings

When creating your certificate, you should be able to add the IP address of your controller as an alias. So the certificate should contain

aruba-master without domain
aruba-master with domain
IP address

This way you will get rid of the error messages.

Regards
Dirk
Contributor II
Posts: 39
Registered: ‎01-16-2010

Subject Alternate Name


The field you are looking for is the Subject Alternate Name (SAN). That field will allow you to list additional names as vieregg mentioned above. (See http://www.digicert.com/subject-alternative-name-compatibility.htm for some notes about that. I'm sure other cert providers will let you do SANs also, I just happen to know about this one since it's who we use.)
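
As an added example (not part of any post in this thread), the check below lists which WebUI URLs would still raise a name-mismatch warning for a given set of SAN entries. An IP literal in the URL is matched only against IP-address SAN entries, never against DNS names. The hostnames and addresses are constructed placeholders, and the SAN tuples use the format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample SAN sets (placeholder names and addresses), in the
# format of ssl.SSLSocket.getpeercert()["subjectAltName"].
CERT_DNS_ONLY = (("DNS", "aruba-master.example.org"),)
CERT_WITH_IP = (
    ("DNS", "aruba-master"),
    ("DNS", "aruba-master.example.org"),
    ("IP Address", "192.0.2.10"),
)
# Constructed WebUI links: by name, by short name, and by controller IP.
WEBUI_URLS = [
    "https://aruba-master.example.org/",
    "https://aruba-master/",
    "https://192.0.2.10/",  # link built from the AP database (IP address)
    "https://192.0.2.11/",  # a second controller not named in the certificate
]

def _as_ip(host):
    """Return an ip_address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Case-insensitive match; '*' may replace the whole left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def host_matches(host, san):
    """True if the URL host is covered by the certificate's SAN entries."""
    ip = _as_ip(host)
    for kind, value in san:
        if ip is not None:
            # IP literals are compared only against IP-address SAN entries.
            if kind == "IP Address" and _as_ip(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, host):
            return True
    return False

def urls_that_warn(urls, san):
    """Return the URLs whose host the certificate does not cover."""
    return [u for u in urls if not host_matches(urlsplit(u).hostname, san)]
```

Calling `urls_that_warn(WEBUI_URLS, CERT_WITH_IP)` leaves only the second controller's address, which is why each controller reached by IP needs its own address in the SAN list of the certificate it serves.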