Controllerless Networks

New Contributor
Posts: 4
Registered: ‎07-08-2015

Replacing CP Server Cert ; lose access to webGUI?


So my previous boss didn't see any need to replace the default cert in our iAPs; now, along with some of you, I'm dealing with the fallout related to the cert revocation.

 

I've got a new Public cert in .pem, and it has been uploaded to replace the default CA and Server certs with no problem. When I try to replace the CP Server it uploads correctly, and then I lose access to the WebGUI.

 

Network still online, I can SSH to the Virtual Controller, and clearing the new CP Server cert returns GUI access....what am I missing here?

 

Thanks in advance!
SSDD

Guru Elite
Posts: 21,265
Registered: ‎03-29-2007

Re: Replacing CP Server Cert ; lose access to webGUI?

If you can SSH in, I would type "show log system" to see what is happening.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 4
Registered: ‎07-08-2015

Re: Replacing CP Server Cert ; lose access to webGUI?

Yeah, it's been a long day....

 

Anyway here is the error generated right about when I added the cert:


Sep 22 16:23:11  cli[1590]: <341005> <ERRS> |AP us-chi_il-ap1@10.5.240.71 cli|  failed to parse cp cert

 

There are also a number of Checksum errors that look like they are across all of the APs in this cluster. Quick research says that is probably due to the configurations not being the same on all the APs in the cluster?

 

Sep 22 16:23:13 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.73, slave 45280 vs master 16741, error_cnt 1, recover_sent 0.


Sep 22 16:23:14 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.72, slave 45280 vs master 16741, error_cnt 6, recover_sent 0.


Sep 22 16:23:14 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.74, slave 45280 vs master 16741, error_cnt 3, recover_sent 0.


Sep 22 16:23:18 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.76, slave 45280 vs master 16741, error_cnt 4, recover_sent 0.


Sep 22 16:23:18 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.73, slave 45280 vs master 16741, error_cnt 2, recover_sent 0.


Sep 22 16:23:21 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.75, slave 45280 vs master 16741, error_cnt 1, recover_sent 0.


Sep 22 16:23:24 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.72, slave 45280 vs master 16741, error_cnt 7, recover_sent 0.


Sep 22 16:23:24 cli[1590]: <341289> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Sending full configuration to slave ip = 10.5.240.72, ap config dirty = 0 error cnt = 7


Sep 22 16:23:24 cli[1590]: <341199> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| send_config_init: send config to slave 10.5.240.72, using url 0, auto save disable 0.


Sep 22 16:23:25 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.74, slave 45280 vs master 16741, error_cnt 4, recover_sent 0.


Sep 22 16:23:26 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.75, slave 45280 vs master 16741, error_cnt 2, recover_sent 0.


Sep 22 16:23:28 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.76, slave 45280 vs master 16741, error_cnt 5, recover_sent 0.


Sep 22 16:23:28 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.73, slave 45280 vs master 16741, error_cnt 3, recover_sent 0.

 

Guru Elite
Posts: 21,265
Registered: ‎03-29-2007

Re: Replacing CP Server Cert ; lose access to webGUI?

I cannot comment on the checksum errors, but have you tried a different Cert?

 

You can use selfssl in the Microsoft Resource Kit to generate a Server Certificate:  https://helpforsure.wordpress.com/2011/01/23/howto-create-self-signed-certificate-via-selfssl-utility-included-in-iis-6-reskit-tools%E2%80%8F/ and then import it to the Instant AP to test.



Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 4
Registered: ‎07-08-2015

Re: Replacing CP Server Cert ; lose access to webGUI?

Sorry I didn't follow up on this before. In the end a co-worker worked with Aruba, and the answer was that the chaining (the order of the certificates in the .pem) was out of order. It worked fine for the CA and the Auth server, but it broke the CP.

 

Anyway, if anyone sees this, check your cert chaining!

 

SSDD

Guru Elite
Posts: 8,636
Registered: ‎09-08-2010

Re: Replacing CP Server Cert ; lose access to webGUI?

Thanks for the update!

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480