Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

A7005 Error Uploading (valid) Certificate

  • 1.  A7005 Error Uploading (valid) Certificate

    MVP
    Posted Dec 12, 2022 09:27 AM
    Trying to update the SSL certificate on my Aruba7005 controller running 6.5.4.24 code.

    I have a single SAN cert for both ClearPass and controller. ClearPass accepts my certificate without problem.
    When trying to import the same pfx into the controller it always ends up with "Error Uploading Certificate: Incorrect password or error in certificate format.".

    Using OpenSSL to extract the cert and priv key from the .pfx and recreating it using OpenSSL v1.1.1q or 3.0.5 does not get me anywhere either. ClearPass accepts it without problem, controller keeps throwing that error.
    I have tried a pfx with CA bundle included, pfx without CA but CA bundle uploaded in advance, uploading cert with SCP and then trying to import through CLI. Nothing seems to work.

    Controller is no longer under support, thus hoping for a clue about why the controller thinks the certificate is invalid.


  • 2.  RE: A7005 Error Uploading (valid) Certificate

    Posted Dec 12, 2022 09:34 AM
    The controller simply doesn't like the format of the certificate.  This needs to be trial and error until you find one that works.  That old of a controller on that old of a version of AOS may also have issues with SHA length.  Try SHA1 (broken) or one of the lower SHA2 hashes when getting the certificate signed.

    Of course, the real fix here is to replace the controller.


  • 3.  RE: A7005 Error Uploading (valid) Certificate

    MVP
    Posted Dec 12, 2022 10:30 AM
    Uch, hate to admit it, but I should have known that since I had to do the same last year..  Oops!

    That said.. replace the controller? You kidding? The 7005 controller is still for sale and fully supported. Nothing wrong with a 7005!
    The 6.5 version? Well, you aren't wrong there. :) Upgrades to Central are being considered.

    Anyway, again, thank you for the reminder!


  • 4.  RE: A7005 Error Uploading (valid) Certificate

    Posted Dec 12, 2022 10:56 AM
    Yes you are right!  I skipped over the model number in your previous post and took "Controller is no longer under support" to mean that was an EOL device that could not be upgraded any further. 

    "real fix" is to buy support and upgrade ;)



  • 5.  RE: A7005 Error Uploading (valid) Certificate

    MVP
    Posted Dec 12, 2022 12:11 PM
    I guess I don't have much choice if I don't want to spend several more hours on this.
    Creating the pfx as PBE-SHA1-3DES does not help. Trying to create it with legacy provider keeps throwing up errors.  sigh, upgrade it is I guess.


  • 6.  RE: A7005 Error Uploading (valid) Certificate
    Best Answer

    Posted Dec 13, 2022 06:16 AM
    There are more widespread issues with P12/PFX created by modern versions of OpenSSL. For me using the -legacy in the OpenSSL command to create the p12/pfx worked. Have not tried specifically for ArubaOS, but can imagine it's the same.

    As an alternative you could export your pfx to PEM and put key+cert+intermediates in a single pem file and import that.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
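The PEM alternative from the answer above (key + cert + intermediates in one file), as an added example that is not part of any post in this thread. The function names, file names and the `PFX_PASS` variable are assumptions for illustration; the demo certificate is a constructed self-signed one.

```shell
# Added example: turn a PFX/PKCS#12 into a single PEM file ordered as
# key + server cert + intermediates. The password is read from the exported
# environment variable PFX_PASS so it does not show up in the process list.

# "openssl pkcs12" prints "Bag Attributes" text around each object;
# keep only the PEM blocks themselves.
pem_blocks() { sed -n '/^-----BEGIN /,/^-----END /p'; }

# pfx_to_pem <in.pfx> <out.pem>
pfx_to_pem() {
    # Fail early on a wrong password or a container openssl cannot decrypt.
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -noout 2>/dev/null || {
        echo "cannot open $1: wrong password or unsupported encryption" >&2
        return 1
    }
    (
        umask 077   # the output holds an UNENCRYPTED private key
        {
            # 1) private key (-nodes: write it without a passphrase)
            openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes | pem_blocks
            # 2) server (leaf) certificate
            openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys | pem_blocks
            # 3) intermediate / CA certificates, if the PFX carries any
            openssl pkcs12 -in "$1" -passin env:PFX_PASS -cacerts -nokeys | pem_blocks
        } > "$2" 2>/dev/null
    )
}

# make_demo_pfx <dir>: constructed self-signed test certificate packed into
# <dir>/demo.pfx, only so the conversion can be tried offline.
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=portal.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout env:PFX_PASS -out "$1/demo.pfx"
}

# Usage (constructed values):
#   export PFX_PASS='Abc123xyz'
#   pfx_to_pem server.pfx server-bundle.pem
```

The resulting file contains the private key in the clear, so remove it from the workstation once the import has succeeded.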



  • 7.  RE: A7005 Error Uploading (valid) Certificate

    MVP
    Posted Dec 19, 2022 10:13 AM
    Thank you Herman!
    Like I said, couldn't get the -legacy working on my Windows clients but combining all into a PEM is even easier and works apparently. My captive portal is working again.


  • 8.  RE: A7005 Error Uploading (valid) Certificate

    Posted Dec 07, 2023 11:22 AM

    We experienced the same problem and discovered that the solution was to make sure the password for the pfx file contains only letters and numbers (e.g., no spaces or special characters).  Posting this so that I'm reminded when I run into this again next year and find this post via Google....  ;-)