Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass: IVConnector generating certificate errors after assigning public certificate to HTTPS

  • 1.  Clearpass: IVConnector generating certificate errors after assigning public certificate to HTTPS

    Posted Dec 01, 2023 11:26 AM

    Is anyone else seeing weirdness in 6.11.6 where assigning a public certificate to HTTPS causes IVConnector to produce certificate verification errors?

    IVConnector: Could not verify SSL certificates while sending netevents to Netwatch for URL: https://x.x.x.x/netwatch/netevents

    I obfuscated the IP since this is a customer site, but it's weird that IVConnector is using the IP address and not the configured FQDN of the node when sending API requests, if certificate verification is a thing they want to do for Insight.

    I haven't seen this behavior before on other boxes, but this is the first box I've had 6.11.6 on.  It's a little annoying because it fills the event log on the system (events are several times per minute).



  • 2.  RE: Clearpass: IVConnector generating certificate errors after assigning public certificate to HTTPS

    Posted Dec 01, 2023 11:57 AM

    Hi

    Yes, I got the same issue, and after a TAC case I got the solution: search for the root certificate of the HTTPS certificate in the trust list and disable or delete all but the correct one.

    It turned out that I had two root certificates with the same common name but different validity times active, and ClearPass can't handle this situation.

    From my knowledge ClearPass can handle two Intermediate CA certificates with the same common name, so I can't understand why the same doesn't work with the root certificates.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Clearpass: IVConnector generating certificate errors after assigning public certificate to HTTPS

    Posted Dec 01, 2023 12:05 PM

    Thanks, will check into that! It's very possible I uploaded a redundant cert as this was a reimage of 6.10.x to 6.11.x and that process involves a lot of importing and exporting.

    Daniel Waites
    Post-Sales Engineer
    Sabyr Consulting
    www.sabyr.com
    (409) 454-7250 - cell

  • 4.  RE: Clearpass: IVConnector generating certificate errors after assigning public certificate to HTTPS

    Posted Dec 01, 2023 12:10 PM

    I got the error when I did a second restore of the 6.10 backup file to the 6.11 server, as we had run some tests for a while on 6.11 and I needed the 6.11 instance to be in sync with the latest updates in the 6.10 server before moving the authentication to the 6.11 servers.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Clearpass: IVConnector generating certificate errors after assigning public certificate to HTTPS

    Posted Dec 06, 2023 12:16 PM

    That was exactly it.  There was a change in the issuer's root certificate (extending expiration) between that particular release of 6.10 and 6.11.  It allowed me to import an older root certificate from the old cluster with a duplicate common name (while following the import procedure).  Removing that older certificate corrected the problem.
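
An added example, not part of the thread and not HPE Aruba tooling: a check for the condition described in posts 2 and 5, where two different root certificates with the same subject are both present in a trust list. It assumes the trust-list certificates were exported as PEM files and summarized with `openssl x509`; the sample text, subject names and shortened fingerprints are constructed, and the function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: concatenated output of
#   openssl x509 -noout -subject -issuer -enddate -fingerprint -sha256 -in <cert.pem>
# run over each exported certificate (fingerprints shortened for readability).
SAMPLE = """\
subject=CN = Example Root CA, O = Example Trust
issuer=CN = Example Root CA, O = Example Trust
notAfter=Jan 15 00:00:00 2038 GMT
sha256 Fingerprint=BB:22:BB:22
subject=CN = Example Root CA, O = Example Trust
issuer=CN = Example Root CA, O = Example Trust
notAfter=Jan 15 00:00:00 2030 GMT
sha256 Fingerprint=AA:11:AA:11
subject=CN = Example Issuing CA, O = Example Trust
issuer=CN = Example Root CA, O = Example Trust
notAfter=Jun 30 00:00:00 2028 GMT
sha256 Fingerprint=CC:33:CC:33
"""
FMT = "%b %d %H:%M:%S %Y GMT"  # date format printed by openssl x509

def parse(text):
    """Split the openssl summary into one dict per certificate (assumes subject is printed first)."""
    certs = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip().lower()
        if key == "subject" or not certs:
            certs.append({})
        certs[-1]["fingerprint" if key.endswith("fingerprint") else key] = value.strip()
    return certs

def duplicate_roots(certs):
    """Return {subject: [roots sorted by expiry]} for subjects held by more than one distinct root."""
    groups = defaultdict(dict)
    for c in certs:
        if c["subject"] == c["issuer"]:  # self-issued, treated here as a root CA
            groups[c["subject"]][c["fingerprint"]] = c  # the same cert listed twice collapses
    return {s: sorted(g.values(), key=lambda c: datetime.strptime(c["notafter"], FMT))
            for s, g in groups.items() if len(g) > 1}

if __name__ == "__main__":
    for subject, roots in duplicate_roots(parse(SAMPLE)).items():
        print("Duplicate root subject:", subject)
        for c in roots:  # which entry to keep must be confirmed against the HTTPS certificate's chain
            print("   expires", c["notafter"], " sha256", c["fingerprint"])
```

Intermediate certificates are deliberately not reported, since the thread only ties the error to duplicate roots.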