Controllerless Networks


Certificate stuck in system.

  • 1.  Certificate stuck in system.

    Posted May 04, 2022 05:16 PM

    Hello all,

    So I've got a certificate stuck in one (maybe more) of my clusters. I've been trying to figure out how to get it out but I just can't do it. The certificate is from two cycles ago now, so it expired in 2021. I've successfully changed my captive portal certificate to the new one (but have not tested it), but I cannot do so for the web UI. Every time I try to do it via the web, I get serious issues! The browser immediately tells me it cannot work with the site or it can't agree on ciphers. Sorry, I don't remember the exact wording. If I then cluster I can get back in.

    I tried via the terminal but nothing I throw at it sticks. 

    I tried clear-cert all; I cannot because it tells me certs are assigned. It only names the newest cert.
    I tried assigning the new cert by terminal but it doesn't work:

    config
    wlan cert-assignment-profile
    pki-cert-assign application ui cert-type server certname Star_22
    exit
    exit
    write memory
    


    Or basically the same but "no pki-cert-assign application ui cert-type server".

    Still uses the very old certificate. 

    This certificate was put on with an older firmware and it has no name. If I show cert all, it's listed but if I show assigned certs it's not. 


    Any ideas? 
    ------------------------------
    Stuart Taylor
    ------------------------------


  • 2.  RE: Certificate stuck in system.

    EMPLOYEE
    Posted May 04, 2022 08:50 PM
    You can do it through the CLI, but don't use "write mem"; instead use "commit apply".

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Certificate stuck in system.

    Posted May 05, 2022 08:25 AM
    Thanks for the tip!

    I admit I do not use the CLI much and was bringing over what I know from CX and older HP OS work. So I tried using commit apply and I get an "Invalid cert_type parameter..." if I go to commit either a change of the cert, "pki-cert-assign application ui cert-type server certname Star_22", or removal of the cert, "no pki-cert-assign application ui cert-type server". Neither gives an error in the config context, but trying to save gives the mentioned error.

    Also, I find that if I get out of the config context and use "show uicert", it still shows the old cert that expired in 2021 no matter what I do.


    ------------------------------
    Stuart Taylor
    ------------------------------



  • 4.  RE: Certificate stuck in system.
    Best Answer

    EMPLOYEE
    Posted May 06, 2022 06:57 PM
    So if you have already uploaded the PEM-formatted certificate as your captive portal cert, you can also use it as your UI server cert.
    Just add it as shown here. Remember, you can remove the older certificates.

    !
    wlan cert-assignment-profile
    pki-cert-assign application captive-portal cert-type ServerCert certname IAPcert
    pki-cert-assign application ui cert-type ServerCert certname IAPcert
    !

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 5.  RE: Certificate stuck in system.

    Posted May 09, 2022 08:47 AM
    So that's the thing, the CP takes the new certificate just fine. The UI will not. It's holding on to a certificate two years old! (They're only good for one year.) I try to assign the new cert in the web and immediately the browser says "ERR_SSL_VERSION_OR_CIPHER_MISMATCH."

    The old cert was uploaded on an older firmware, there is no name associated with it. By command line I can neither get it to let go of the old one, assign the new one, or clear it as it's assigned. 

    UGH!  I feel like an idiot. 
    I've been doing:
    pki-cert-assign application ui cert-type server certname Star_22
    instead of
    pki-cert-assign application ui cert-type servercert certname Star_22

    This does not trigger an error as an invalid or incomplete command. Only when you try to commit apply do you get an error.

    This works with the correct command.

    Thanks.

    EDIT: HOLY GEEZE!  CASE MATTERS IN THAT COMMAND!  I'm just shocked because I've not run into that before, even with the little *nix work I've done, files yes, commands no. 

    ------------------------------
    Stuart Taylor
    ------------------------------
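
The thread's root cause was a cert-type value that the CLI accepted at entry and rejected only at "commit apply". The following pre-commit check is an added example, not part of the original posts and not Aruba tooling: it scans a config snippet for `pki-cert-assign` lines and flags truncated or wrongly cased cert-type values. As an assumption, it treats only the spelling shown in the accepted answer (`ServerCert`) as valid; the function names and the sample config are constructed for illustration.

```python
import re

# Assumption: only the spelling shown in the accepted answer is known-good here.
KNOWN_CERT_TYPES = {"ServerCert"}

ASSIGN_RE = re.compile(
    r"^(?P<no>no\s+)?pki-cert-assign\s+application\s+(?P<app>\S+)"
    r"\s+cert-type\s+(?P<ctype>\S+)(?:\s+certname\s+(?P<name>\S+))?$"
)

def check_cert_type(value):
    """Return None if value is exactly a known cert-type, else a reason string."""
    if value in KNOWN_CERT_TYPES:
        return None
    for known in sorted(KNOWN_CERT_TYPES):
        if value.lower() == known.lower():
            return f"case mismatch: '{value}' should be '{known}'"
        if known.lower().startswith(value.lower()):
            return f"truncated: '{value}' should be '{known}'"
    return f"unknown cert-type '{value}'"

def lint_cert_assignments(config_text):
    """Return (line_number, reason) for each suspect pki-cert line."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if "pki-cert" not in line:
            continue
        match = ASSIGN_RE.match(line)
        if match is None:
            findings.append((number, "not a well-formed pki-cert-assign line"))
            continue
        reason = check_cert_type(match["ctype"])
        if reason is None and not match["no"] and not match["name"]:
            reason = "assignment has no certname"
        if reason:
            findings.append((number, reason))
    return findings

# Constructed sample using the command spellings quoted in the thread.
SAMPLE = """\
wlan cert-assignment-profile
 pki-cert-assign application captive-portal cert-type ServerCert certname IAPcert
 pki-cert-assign application ui cert-type server certname Star_22
 pki-cert-assign application ui cert-type servercert certname Star_22
 no pki-cert assign application ui cert-type server
"""

if __name__ == "__main__":
    for number, reason in lint_cert_assignments(SAMPLE):
        print(f"line {number}: {reason}")
```

Extend `KNOWN_CERT_TYPES` from the CLI reference for your firmware before relying on the "unknown cert-type" result.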