Firefox (or most browsers) is not great for testing proper certificate chaining, unless you can reproduce the issue first with a non-chained certificate. The reason for that is that most browsers will add intermediate certificates to their local database, and if they have seen an intermediate once, the next time you get a certificate that is unchained but uses the same intermediates, they will retrieve those from the local database and accept them as if they were sent as part of the chain.
If your system is reachable from the internet, an online check like the one from ssllabs will help; if it is internal, I use openssl for the same:
$ openssl s_client -showcerts -connect 192.168.31.15:4343
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.arubalab.com
verify return:1
---
... where you can see each of the intermediates... and if you continue the output, it will show the actual certs.
When I remove the chaining, the openssl output will be:
$ openssl s_client -showcerts -connect 192.168.31.15:4343
CONNECTED(00000003)
depth=0 CN = *.arubalab.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.arubalab.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
In Firefox, the page still looks 'Secure' as it has seen and cached the intermediates. You can remove those from the preferences, but for reliable testing, I would recommend a tool other than a browser.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
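As an added example (not Herman's code, and not an Aruba tool), here is a small POSIX shell wrapper around the same openssl s_client command that classifies its output, so the check can be scripted and never depends on a browser's cache of intermediates. The two sample transcripts it carries are constructed from the output quoted above, with placeholder PEM bodies instead of real certificates; the verdict names (CHAIN_OK, LEAF_ONLY, INCOMPLETE, OTHER_ERROR) and the host/port arguments are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: run the s_client check and classify
# its output. Verify-callback lines ("depth=", "verify error:") go to stderr,
# which is why fetch_transcript merges it into the capture.

# Capture a transcript from a live server. </dev/null closes the session right
# after the handshake; -servername sends SNI so a name-based vhost answers.
fetch_transcript() {
    host="$1"; port="${2:-443}"
    openssl s_client -showcerts -servername "$host" -connect "$host:$port" </dev/null 2>&1
}

# How many certificates the server actually sent (one PEM block each).
certs_sent() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Deepest point openssl reached while building the path (0 = stuck at the leaf).
path_depth() { sed -n 's/^depth=\([0-9]*\) .*/\1/p' "$1" | sort -n | tail -n 1; }

# CHAIN_OK: no verify errors. LEAF_ONLY: error 20/21 and a single certificate,
# i.e. the server sent no intermediates. INCOMPLETE: error 20/21 but several
# certificates, i.e. a higher intermediate is missing. OTHER_ERROR: anything
# else (expired, name mismatch, root not in the local store, ...).
chain_verdict() {
    t="$1"
    if grep -q '^verify error:num=2[01]:' "$t"; then
        if [ "$(certs_sent "$t")" -le 1 ]; then echo LEAF_ONLY; else echo INCOMPLETE; fi
    elif grep -q '^verify error:' "$t"; then
        echo OTHER_ERROR
    else
        echo CHAIN_OK
    fi
}

chain_report() {
    t="$1"
    echo "verdict=$(chain_verdict "$t") certs_sent=$(certs_sent "$t") path_depth=$(path_depth "$t")"
}

# Constructed transcript of a server sending its full chain. The PEM bodies are
# placeholders, not certificates; the verify lines mirror the thread's output.
sample_chained_transcript() {
cat <<'EOF'
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.arubalab.com
verify return:1
---
Certificate chain
 0 s:CN = *.arubalab.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
PLACEHOLDER-R3
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ISRG-X1
-----END CERTIFICATE-----
---
EOF
}

# Constructed transcript of the same server with the chaining removed.
sample_unchained_transcript() {
cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = *.arubalab.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.arubalab.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = *.arubalab.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF
-----END CERTIFICATE-----
---
EOF
}

# Usage: sh check-chain.sh HOST [PORT] for a live check.
if [ $# -ge 1 ]; then
    T=$(mktemp); fetch_transcript "$1" "${2:-443}" > "$T"; chain_report "$T"; rm -f "$T"
fi
```

The verdict is driven only by what the server sent plus the local trust store, which is exactly the property the browser test lacks: openssl s_client has no cache of previously seen intermediates, so LEAF_ONLY on a controller means clients that have never seen the intermediate will fail, however the page looks in Firefox.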
Original Message:
Sent: Sep 16, 2021 01:00 PM
From: Alex Sharaz
Subject: Multi controller clearpass guest service ... captive portal cert question
What I did was to build a pkcs12 file of the cert and all the intermediates and upload that to the controller … oops …. Conductor (sigh!)
I also use the same cert for web and captive portal
From Firefox I can check and see that the full chain from cert CN to root CA is present.
Rgds
Alex
Sent from my iPhone
Original Message:
Sent: 9/16/2021 12:34:00 PM
From: NH20
Subject: RE: Multi controller clearpass guest service ... captive portal cert question
Hello,
I'm having an issue with my cert. The redirect is using the new captive portal cert with the same name; however, I'm now receiving a cert error on the clients. I get the error, "The issuer of this certificate could not be found." I do see the new cert being listed and it does list the issuer; however, it also says the issuer could not be verified. Would this be a problem with the intermediate cert?
I chained the intermediate cert to the Server cert as a PEM. When viewing the cert on the controllers, it does show the proper issuer, Digicert.
Oddly enough, some devices never received the error. We had 8 surfaces, 6 received the error, 2 did not.
NOTE: I did open a TAC case, and when testing a device, during our troubleshooting, I used IE so I could "Proceed to insecure site" and it would allow me to connect. We then changed the cert name it was listed as on the controllers and when I reconnected on that device, I no longer received the error, so I thought that had fixed it; however, as I later came to find, many other devices still had the issue.
Thanks,
Nate
Original Message:
Sent: Sep 16, 2021 05:49 AM
From: Alex Sharaz
Subject: Multi controller clearpass guest service ... captive portal cert question
o.k never mind :-)
Configured the web interface on a controller and yes, I can see the full certification path.
A
Original Message:
Sent: 9/16/2021 5:46:00 AM
From: alexs-nd
Subject: RE: Multi controller clearpass guest service ... captive portal cert question
:- vi is your friend
o.k. so generated a pkcs12 file, have used openssl to check that it's got the cert and both the intermediate CAs in there ...
so when I upload it onto the controller and click on view, it only shows the cert and the issuing intermediate CA.
Is there any way to convince myself that the controller actually has both of the intermediate CAs in there ... other than applying it to the web interface and checking in the browser?
A
Original Message:
Sent: 9/16/2021 5:32:00 AM
From: Herman Robers
Subject: RE: Multi controller clearpass guest service ... captive portal cert question
Yes. Either of them should work; but I referred to concatenated pem as that is the easiest to create (for me, an old-schooler with a simple text editor).
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Sep 15, 2021 01:28 PM
From: Alex Sharaz
Subject: Multi controller clearpass guest service ... captive portal cert question
So are we talking concatenated PEM or pkcs12?
A
Original Message:
Sent: 9/15/2021 9:55:00 AM
From: Herman Robers
Subject: RE: Multi controller clearpass guest service ... captive portal cert question
You should import the chained certificate, so the server certificate and all intermediates up to the root in a single file. Root should not be included.
This is different from ClearPass where you upload the intermediates separately.
You already found where to apply it.
Note that if you change the cert name, the URL for posting the credentials will change, and if you use ClearPass as an external captive portal the name should be changed there as well in the Weblogin page.
------------------------------
Herman Robers
------------------------
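To make the reply above concrete (server certificate followed by the intermediates, root left out), and to answer the later question of how to convince yourself that a file really carries both intermediates without going through a browser, here is an added example that is not code from the thread or from Aruba/HPE. It builds a throwaway root -> intermediate -> server hierarchy with openssl, assembles the chained PEM and the equivalent PKCS#12, lists what is inside, and verifies the bundle the way a client that trusts only the root would. All names in it (Lab Root CA, Lab Issuing CA, portal.example.test, the password changeit) are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: build a lab PKI, assemble the
# upload bundle without the root, and check it with openssl verify.

# Create root CA, intermediate CA and server certificate under directory $1.
build_lab_pki() {
    d="$1"
    mkdir -p "$d" || return 1
    # Tiny req config so the demo does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$d/req.cnf"
    # Extensions for the two CA certificates and for the end-entity certificate.
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' > "$d/ca.ext"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:portal.example.test\n' > "$d/server.ext"
    for n in root int server; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/$n.key" 2>/dev/null
    done
    openssl req -new -config "$d/req.cnf" -key "$d/root.key"   -subj "/CN=Lab Root CA"         -out "$d/root.csr"
    openssl req -new -config "$d/req.cnf" -key "$d/int.key"    -subj "/CN=Lab Issuing CA"      -out "$d/int.csr"
    openssl req -new -config "$d/req.cnf" -key "$d/server.key" -subj "/CN=portal.example.test" -out "$d/server.csr"
    # Root signs itself, root signs the intermediate, the intermediate signs the server.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 30 -extfile "$d/server.ext" -out "$d/server.pem" 2>/dev/null
}

# The upload bundle: server certificate first, then the intermediate(s) in
# issuing order. The root is deliberately not included.
make_upload_bundle() {
    d="$1"
    cat "$d/server.pem" "$d/int.pem" > "$d/portal-chain.pem"
    # Same content as PKCS#12, for the case where that format is uploaded instead.
    openssl pkcs12 -export -inkey "$d/server.key" -in "$d/server.pem" \
        -certfile "$d/int.pem" -out "$d/portal.p12" -passout pass:changeit
}

# Count certificates in a PEM bundle (file argument, or stdin when none given).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$@" || true; }

# Count certificates packed into a PKCS#12 file.
count_p12_certs() { openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null | count_certs; }

# Show subject and issuer of every certificate in a bundle: this is how to
# confirm, from the file itself, that every intermediate is present.
list_bundle() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Verify as a client that trusts only the root and receives only what the
# server sends: the intermediate has to come from the bundle (-untrusted).
verify_bundle() {
    d="$1"
    openssl verify -CAfile "$d/root.pem" -untrusted "$d/portal-chain.pem" "$d/server.pem" >/dev/null 2>&1
}

# The failure mode from the thread: leaf presented without its intermediate.
# Prints the openssl error number (20 = unable to get local issuer certificate).
verify_leaf_only_error() {
    d="$1"
    openssl verify -CAfile "$d/root.pem" "$d/server.pem" 2>&1 | sed -n 's/^error \([0-9]*\) at .*/\1/p'
}

# Usage: sh chain-lab.sh demo
if [ "${1:-}" = demo ]; then
    D=$(mktemp -d)
    build_lab_pki "$D" && make_upload_bundle "$D"
    echo "bundle contains $(count_certs "$D/portal-chain.pem") certificates:"
    list_bundle "$D/portal-chain.pem"
    verify_bundle "$D" && echo "with the bundle: OK"
    echo "leaf alone: openssl error $(verify_leaf_only_error "$D")"
fi
```

The verify step is the useful habit: run it against the exact file you are about to upload, with only the root in -CAfile, and it reproduces the client's view. Error 20 on the leaf alone is the same condition that shows up as "The issuer of this certificate could not be found" on devices that have never cached the intermediate.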
Original Message:
Sent: Sep 15, 2021 08:30 AM
From: Alex Sharaz
Subject: Multi controller clearpass guest service ... captive portal cert question
Hi,
I have inherited a multi (6.5) mobility controller service running clearpass guest.
I've just noticed:
1) Only the captive portal cert is installed on the controllers ... would have thought we'd also install the CA chain as well.
2) The cert expires in 5 days' time!
I know where to go to upload the cert and CA chains on the controller, but as the new cert name is going to be different, where do I specify using the new cert instead of the old one?
------------------------------
Alex Sharaz
------------------------------