I missed to add the link to ASE, but you found the command already to apply the certificate.
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: May 02, 2024 10:11 AM
From: Zerauskire
Subject: Certificate on old Aruba S2500 switch
I have since resolved this issue via the CLI but I'll provide responses to your statements below.
"You should apply the certificate after importing it. This ASE solution provides the instructions for the full process, and if you select Mobility Access Switch in the step 'Install' the commands to activate the certificate."
So I apologize for my ignorance here but I'm not entirely clear on what you mean when you say "select Mobility Access Switch in the step 'Install'". The only guide I'm aware of is the one I provided the link to and that isn't mentioned from what I see.
Here's the thing though... The Aruba S2500 can't run any firmware past "ArubaOS_MAS_7.4.1.12_72393" which doesn't seem to have the option in the GUI referenced in Step 3 of the guide I provided the link to. The guide states in Step 3 that you should apply the cert now that you've uploaded it by going under "Management > General" but that option doesn't exist in the GUI of the S2500. At least not that I can find. See image below.
The solution for me to apply the cert was that I had to actually go in to the CLI and apply it that way because that option does not exist in the GUI as far as I can tell. So i just had to drop in to conf t then run:
web-server
switch-cert <cert_name>
write memory
That was able to resolve that issue for me.
"The certificate that you showed is not the one from the advisory; it's already a self-signed one.
What's the reason for updating/changing the certificate?"
One would think by looking at it that this was accurate. It looks like a perfectly good certificate that wouldn't have any issues but that's not the case. For some reason Chrome, Edge, Chromium, and multiple other browsers have issues with this certificate and will not allow you to access the GUI because of it. They will just give you the error "ERR_SSL_KEY_USAGE_INCOMPATIBLE" and prevent you from going any further. The only way you can access the GUI of the S2500 is to do 1 of 3 things
- Use a browser that warns about this certificate but still allows you to proceed which would be Firefox.
- Replace the certificate with a new self-signed one or a legit signed one.
- Use Reverse Proxy with a real certificate and point to the switch.
This makes setting up the S2500 a bit of a headache if you're not aware of these issues. Once you can get the new self-signed certificate loaded though, you can then use Chrome, Edge, or any other browser. You still get the warning about it being a self-signed certificate but you can acknowledge the warning and still get in.
In the end my issue is resolved and I'm now able to get in to the GUI with the self-signed cert I generated. That guide I referenced just doesn't seem to apply to the GUI options available in the S2500 running "ArubaOS_MAS_7.4.1.12_72393". I do not have all the options available to me in the GUI that are displayed in the screenshot of "Step 3". There is no "Management > General" option. So it seems for the S2500 unless I'm missing some way to enable more options in the GUI, the only way to apply the cert after uploading it is to go in the the CLI and apply it.
Original Message:
Sent: May 02, 2024 07:34 AM
From: Herman Robers
Subject: Certificate on old Aruba S2500 switch
You should apply the certificate after importing it. This ASE solution provides the instructions for the full process, and if you select Mobility Access Switch in the step 'Install' the commands to activate the certificate.
The certificate that you showed is not the one from the advisory; it's already a self-signed one.
What's the reason for updating/changing the certificate?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: May 01, 2024 01:44 AM
From: Zerauskire
Subject: Certificate on old Aruba S2500 switch
Hello,
I need some help. I'm trying to update the certificate on the Aruba S2500. I can't get this to work. I created a self signed certificate and uploaded it. The certificate uploads fine but I cannot get it to work after that. I followed the instructions based on these documents.
http://marketing.arrowecs.dk/resources/1084/My_Documents/Aruba/ArubaOS_Default_Certificate_Revocation_Rev-10909_Sep_2016.pdf
Airheads Community
Airheads Community | remove preview |
|
But when I go to load the GUI after, its still giving me the old certificate.
I used this line exactly as stated:
openssl req -x509 -sha256 -newkey rsa:2048 -keyout self_cert.pem -out self_cert.pem -days 1825
Then I filled out the fields as they were presented. I filled out the CN with switch.mydomain.com and i have a local DNS entry to handle switch.mydomain.com so it's pointed to the Aruba. So when i visit switch.mydomain.com it tries to go to the switch but i still get presented with the old cert even though i uploaded the new self signed one. I have tried rebooting the switch and rebooting my computer. Everything i can think of. Is there something i'm missing for this? Is there something else I should be doing?
I have been able to get around this sort of by just doing a reverse proxy and using Let's Encrypt but I would really like to see if I can get this thing working with a self signed cert if possible. Any suggestions?