Certificate on old Aruba S2500 switch

  • 1.  Certificate on old Aruba S2500 switch

    Posted May 01, 2024 12:29 PM

    Hello,

    I need some help. I'm trying to update the certificate on the Aruba S2500. I can't get this to work. I created a self-signed certificate and uploaded it. The certificate uploads fine but I cannot get it to work after that. I followed the instructions based on these documents.

    http://marketing.arrowecs.dk/resources/1084/My_Documents/Aruba/ArubaOS_Default_Certificate_Revocation_Rev-10909_Sep_2016.pdf


    But when I go to load the GUI after, it's still giving me the old certificate.

    I used this line exactly as stated:

    openssl req -x509 -sha256 -newkey rsa:2048 -keyout self_cert.pem -out self_cert.pem -days 1825

    Then I filled out the fields as they were presented. I filled out the CN with switch.mydomain.com and I have a local DNS entry to handle switch.mydomain.com so it's pointed to the Aruba. So when I visit switch.mydomain.com it tries to go to the switch but I still get presented with the old cert even though I uploaded the new self-signed one. I have tried rebooting the switch and rebooting my computer. Everything I can think of. Is there something I'm missing for this? Is there something else I should be doing?

    I have been able to get around this sort of by just doing a reverse proxy and using Let's Encrypt but I would really like to see if I can get this thing working with a self-signed cert if possible. Any suggestions?



  • 2.  RE: Certificate on old Aruba S2500 switch

    Posted May 02, 2024 07:35 AM

    You should apply the certificate after importing it. This ASE solution provides the instructions for the full process, and if you select Mobility Access Switch in the step 'Install' the commands to activate the certificate.

    The certificate that you showed is not the one from the advisory; it's already a self-signed one.

    What's the reason for updating/changing the certificate?



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Certificate on old Aruba S2500 switch

    Posted May 02, 2024 10:11 AM

    I have since resolved this issue via the CLI but I'll provide responses to your statements below.

    "You should apply the certificate after importing it. This ASE solution provides the instructions for the full process, and if you select Mobility Access Switch in the step 'Install' the commands to activate the certificate."

    So I apologize for my ignorance here but I'm not entirely clear on what you mean when you say "select Mobility Access Switch in the step 'Install'". The only guide I'm aware of is the one I provided the link to and that isn't mentioned from what I see. 

    Here's the thing though... The Aruba S2500 can't run any firmware past "ArubaOS_MAS_7.4.1.12_72393" which doesn't seem to have the option in the GUI referenced in Step 3 of the guide I provided the link to. The guide states in Step 3 that you should apply the cert now that you've uploaded it by going under "Management > General" but that option doesn't exist in the GUI of the S2500. At least not that I can find. See image below.

    The solution for me to apply the cert was that I had to actually go in to the CLI and apply it that way because that option does not exist in the GUI as far as I can tell. So I just had to drop in to conf t then run:

    web-server
    switch-cert <cert_name>
    write memory

    That was able to resolve that issue for me.

    "The certificate that you showed is not the one from the advisory; it's already a self-signed one.

    What's the reason for updating/changing the certificate?"

    One would think by looking at it that this was accurate. It looks like a perfectly good certificate that wouldn't have any issues but that's not the case. For some reason Chrome, Edge, Chromium, and multiple other browsers have issues with this certificate and will not allow you to access the GUI because of it. They will just give you the error "ERR_SSL_KEY_USAGE_INCOMPATIBLE" and prevent you from going any further. The only way you can access the GUI of the S2500 is to do 1 of 3 things

    1. Use a browser that warns about this certificate but still allows you to proceed which would be Firefox.
    2. Replace the certificate with a new self-signed one or a legit signed one.
    3. Use Reverse Proxy with a real certificate and point to the switch.

    This makes setting up the S2500 a bit of a headache if you're not aware of these issues. Once you can get the new self-signed certificate loaded though, you can then use Chrome, Edge, or any other browser. You still get the warning about it being a self-signed certificate but you can acknowledge the warning and still get in.

    In the end my issue is resolved and I'm now able to get in to the GUI with the self-signed cert I generated. That guide I referenced just doesn't seem to apply to the GUI options available in the S2500 running "ArubaOS_MAS_7.4.1.12_72393". I do not have all the options available to me in the GUI that are displayed in the screenshot of "Step 3". There is no "Management > General" option. So it seems for the S2500 unless I'm missing some way to enable more options in the GUI, the only way to apply the cert after uploading it is to go in to the CLI and apply it.




  • 4.  RE: Certificate on old Aruba S2500 switch

    Posted May 02, 2024 11:10 AM

    I missed adding the link to ASE, but you already found the command to apply the certificate.



    ------------------------------
    Herman Robers
    ------------------------
    ------------------------------



  • 5.  RE: Certificate on old Aruba S2500 switch

    Posted 7 days ago

    The reason the original cert on these switches gives that error in modern browsers is that older certificates do not include ALL of the proper usage types. There is technically nothing wrong with the certificate as a self-signed cert. The problem exists because browsers since Chrome 119.x now check (for the sake of security) that certificates include all the necessary usages.

    In Chrome, Edge, etc. the two standard key usage types are required.

    That said, I also have an Aruba S2500 and cannot access the switch from a system with a modern browser/OS to use the GUI.

    I will try your steps that you outlined to try and resolve this. Thank you for posting.
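
The key usage check discussed in this thread can be reproduced offline before a certificate is uploaded. The script below is an added example, not part of any post and not Aruba's tooling: it generates a self-signed RSA certificate with an explicit keyUsage extension and reports whether a certificate's keyUsage would restrict TLS server use. It assumes the two usages meant above are digitalSignature and keyEncipherment (what an RSA server key needs for ECDHE and RSA key exchange respectively); the function names, file names and the "weak" certificate are constructed for the illustration.

```shell
#!/bin/sh
# Added example. Host name and file names are sample values, not from a real switch.

# make_cert DIR NAME KEYUSAGE: self-signed RSA cert with an explicit keyUsage.
# A private config file keeps the result independent of the system openssl.cnf.
# -nodes leaves the key unencrypted so the script runs without a passphrase prompt.
make_cert() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = switch.mydomain.com
[ext]
subjectAltName = DNS:switch.mydomain.com
extendedKeyUsage = serverAuth
keyUsage = critical, $3
EOF
    openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 1825 \
        -config "$1/$2.cnf" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# key_usage_of CERT: print the asserted usages, or nothing if the extension is absent.
key_usage_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Key Usage/ { getline; sub(/^ +/, ""); print }'
}

# tls_server_ku_ok CERT: succeed when keyUsage is absent (no restriction applies)
# or asserts both usages an RSA TLS server key can be asked to perform.
tls_server_ku_ok() {
    ku=$(key_usage_of "$1")
    [ -z "$ku" ] && return 0
    case $ku in *"Digital Signature"*) ;; *) return 1 ;; esac
    case $ku in *"Key Encipherment"*) ;; *) return 1 ;; esac
    return 0
}

work=$(mktemp -d)
make_cert "$work" good "digitalSignature, keyEncipherment"
make_cert "$work" weak "keyEncipherment"   # constructed sample lacking digitalSignature
for c in good weak; do
    if tls_server_ku_ok "$work/$c.pem"; then v=ok; else v=INCOMPATIBLE; fi
    echo "$c: [$(key_usage_of "$work/$c.pem")] -> $v"
done
rm -rf "$work"
```

To inspect the certificate a device is currently serving, save it to a PEM file first and pass that file to `tls_server_ku_ok`.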