openssl s_client -showcerts -servername captiveportal-login.opitz-consulting.com -connect captiveportal-login.opitz-consulting.com:443
CONNECTED(00000005)
depth=0 C = DE, ST = Nordrhein-Westfalen, L = Gummersbach, O = OPITZ CONSULTING Deutschland GmbH, CN = *.opitz-consulting.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Nordrhein-Westfalen, L = Gummersbach, O = OPITZ CONSULTING Deutschland GmbH, CN = *.opitz-consulting.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=DE/ST=Nordrhein-Westfalen/L=Gummersbach/O=OPITZ CONSULTING Deutschland GmbH/CN=*.opitz-consulting.com
i:/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
-----BEGIN CERTIFICATE-----
.
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/ST=Nordrhein-Westfalen/L=Gummersbach/O=OPITZ CONSULTING Deutschland GmbH/CN=*.opitz-consulting.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2360 bytes and written 371 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 38CA285C277306F20567906077C1B07163E9131ED1A9A0C0DCD5AFB964D1E828
Session-ID-ctx:
Master-Key: 4BC27DFEC3FE0B42003FC9071ACABCB997CFAE5C69991DABE4899FA6FE1D986CCAC6A68583781479DDE0AA4959EDBE59
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1614163906
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
(null) 400 Bad Request
Server:
Date: Wed, 24 Feb 2021 09:52:15 GMT
Cache-Control: no-cache,no-store,must-revalidate,post-check=0,pre-check=0
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=604800
Connection: close
<HTML>
<HEAD><TITLE>400 Bad Request</TITLE></HEAD>
<BODY BGCOLOR="#cc9999" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H4>400 Bad Request</H4>
Can't parse request.
<ADDRESS><A HREF="http://www.arubanetworks.com"></A></ADDRESS>
</BODY>
</HTML>
read:errno=0
------------------------------
Matthias Pohl
------------------------------
Original Message:
Sent: Feb 24, 2021 05:45 AM
From: Herman Robers
Subject: How to upload several Intermediate CA certificate
Your ClearPass is fine: Verify return code: 0 (ok).
If you open a browser to clearpass.opitz-consulting.com, I think it will open without any issues.
The error message you show is about captiveportal-login.opitz-consulting.com.
The issue seems to be in the certificate on the AP, which is the captiveportal-login. You may have missed an intermediate there.
Can you open the Trust and Details 'arrows' in the screenshot? And/or run the same openssl command with that captiveportal-login URL while still connected to the captive portal?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
Original Message:
Sent: Feb 24, 2021 05:35 AM
From: Matthias Pohl
Subject: How to upload several Intermediate CA certificate
Correct, ClearPass works fine.
We use a wildcard certificate as the HTTPS Server Certificate and imported it via the ClearPass GUI. This wildcard certificate is also used on the IAPs as the Captive Portal certificate. I've uploaded the cert to AirWave and set it as the Captive Portal Cert.
I can connect to our Guest WLAN without problems from all devices, except MacBooks.
After logging in I get a certificate warning:
The openssl command creates the following output:
openssl s_client -showcerts -servername clearpass.opitz-consulting.com -connect clearpass.opitz-consulting.com:443
CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = DE, ST = Nordrhein-Westfalen, L = Gummersbach, O = OPITZ CONSULTING Deutschland GmbH, CN = *.opitz-consulting.com
verify return:1
---
Certificate chain
0 s:/C=DE/ST=Nordrhein-Westfalen/L=Gummersbach/O=OPITZ CONSULTING Deutschland GmbH/CN=*.opitz-consulting.com
i:/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
-----BEGIN CERTIFICATE-----
.
.
-----END CERTIFICATE-----
1 s:/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/ST=Nordrhein-Westfalen/L=Gummersbach/O=OPITZ CONSULTING Deutschland GmbH/CN=*.opitz-consulting.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4588 bytes and written 361 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: A071612C7ECE0B5AD0B3AC1D81A19822439DBD76B5D19687D7311B5410C43F0D
Session-ID-ctx:
Master-Key: 652D72BF95A2941305EFBCA601B90C9F969FCC377D6601B2995DE206F31071451F6478CA00D51A49FA345BDA3AF2FE5B
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1614161421
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
HTTP/1.1 400 Bad Request
Date: Wed, 24 Feb 2021 10:10:30 GMT
Server: Apache
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>
closed
------------------------------
Matthias Pohl
Original Message:
Sent: Feb 24, 2021 04:48 AM
From: Herman Robers
Subject: How to upload several Intermediate CA certificate
Let's split this in ClearPass and APs:
- ClearPass works fine from what I read
- Captive portal certificate upload to APs is where you have questions around.
Correct?
I assume that you have a different certificate for your APs and for ClearPass, or a multi-SAN/wildcard certificate to avoid a name collision between CPPM and AP.
There is no need to upload the root as part of your chain. The root certificate should already be in your client device, and while sending the root as part of the chain is shown in some examples on the internet, it is deprecated to do so as it does not add any value but increases your overhead.
What kind of certificate do you have that has multiple intermediates? That is pretty rare. I can't remember having seen that before. For the APs, you create a PEM file with your cert, then the intermediates up to the root (root excluded).
What you could do on your Mac is use the browser to check the certificate and chain, or openssl:
openssl s_client -showcerts -servername www.example.com -connect www.example.com:443
That will display all certificates sent by the server, and also the trust status according to your Mac.
------------------------------
Herman Robers
------------------------
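A name-level check of what a server actually sends, as an added example that is not part of this thread or of any Aruba or ClearPass tool: it parses the "Certificate chain" section of openssl s_client -showcerts output and reports whether the chain reaches a self-signed root (the root Herman says to leave out of the PEM) or stops at an issuer the client has to supply itself (the situation behind verify errors 20/21 in the captiveportal-login output above). The two samples are the chain listings from the two s_client runs in this thread, embedded as constructed strings without the PEM bodies.

```python
import re

# "N s:<subject>" followed by "i:<issuer>", as printed in the "Certificate chain"
# section of `openssl s_client -showcerts` (slash form as in this thread, or "C = DE, ...").
CERT_RE = re.compile(r"^\s*(\d+) s:(.+)\n\s*i:(.+)$", re.MULTILINE)

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in CERT_RE.finditer(output)]

def check_chain(output):
    """Classify the chain a server sent, using only the subject/issuer names."""
    chain = parse_chain(output)
    r = {"count": len(chain), "links_ok": True, "root_included": False, "unsent_issuer": None}
    if not chain:
        r["verdict"] = "no certificates found in output"
        return r
    # issuer of cert k must be the subject of cert k+1, else the chain is broken or out of order
    for k in range(len(chain) - 1):
        if chain[k][1] != chain[k + 1][0]:
            r["links_ok"] = False
    last_subject, last_issuer = chain[-1]
    if last_subject == last_issuer:
        # a self-signed root was sent: harmless, but wasted bytes on every handshake
        r["root_included"] = True
        r["verdict"] = f"{len(chain)} certs sent, root included; drop the root from the PEM bundle"
    else:
        # the client must already trust this issuer; when it is an intermediate rather
        # than a root, clients report verify error 20/21 as in the AP output above
        r["unsent_issuer"] = last_issuer
        r["verdict"] = (f"{len(chain)} cert(s) sent; chain stops at '{last_issuer}', which the "
                        "client must already trust; if that is an intermediate, append it to the PEM")
    if not r["links_ok"]:
        r["verdict"] = "chain is broken or out of order"
    return r

# Constructed samples: the chain listings from the two s_client runs in this
# thread, with the PEM bodies left out.
AP_CHAIN = """\
 0 s:/C=DE/ST=Nordrhein-Westfalen/L=Gummersbach/O=OPITZ CONSULTING Deutschland GmbH/CN=*.opitz-consulting.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
"""
CPPM_CHAIN = """\
 0 s:/C=DE/ST=Nordrhein-Westfalen/L=Gummersbach/O=OPITZ CONSULTING Deutschland GmbH/CN=*.opitz-consulting.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
"""
```

Run check_chain on the saved output of the s_client command against each host; the AP sample yields a chain that stops at the DigiCert CA1 intermediate, the ClearPass sample a complete chain with the root included.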
Original Message:
Sent: Feb 23, 2021 02:29 AM
From: Matthias Pohl
Subject: How to upload several Intermediate CA certificate
Hi everyone,
we're setting up a new Guest Access with ClearPass (v6.9.2). Everything is working fine, except for one thing: on MacBooks the CaptivePortal login isn't trusted.
The certificate is a public certificate. I've uploaded the Intermediate CA and the root CA to ClearPass, and the CP certificate includes the entire chain.
I've also uploaded the CP certificate to our IAPs (IAP335 and IAP305) (using AirWave v8.2.11.2).
How can I upload the Intermediate CA and the root CA? In AirWave I can only choose one Intermediate CA, but in our internal WLAN we use a different Intermediate CA. So how can I upload a second intermediate and a second root to the IAPs?
Kind regards
Matthias
------------------------------
Matthias Pohl
------------------------------