Wireless Access


One cluster member still using default cert as web server cert

  • 1.  One cluster member still using default cert as web server cert

    Posted Jun 15, 2023 01:08 PM

    Hello,

    AOS 8.10.0.5

    MCR and standby MCR

    cluster of 10 7240XMs

    back-up cluster of 4 7240XMs

    We changed our SSL cert (wildcard) for our controllers today (from last year's wildcard, same CN). The process was a little convoluted as it looks like last year we had imported the cert individually to each cluster member (which showed as an override). I wanted to just import the new cert at Managed Network level and not individually configure each box to use it. Initially for the first controller I changed the servercert to default, with the plan to change it back to the real cert from the managed network level. However for the rest of the controllers I realised removing the override was easy and worked fine so did not do this for them. 

    So the other controllers are all fine and are using the right cert which is configured at the Managed Network level. But the one controller I mucked around with stubbornly refuses to use the new cert. There are no overrides in place for it, the config looks fine when viewing from the Conductor for that controller. But when connecting to the GUI it shows it is still dishing up the default self-signed cert. How can we force it to use the new, non-default cert? I have tried removing the new cert and re-adding it at managed network level with a different name (and filename) but although there are no errors when propagating the config nothing changes for this one controller.

    On the controller itself it has the correct cert imported:

    (md-1) *#show crypto-local pki serverCert

    Certificates
    ------------
    Name            Original Filename   Reference Count  Expired
    --------------  -----------------   ---------------  -------
    AOS2023         aosnew2023.p12      2                No
    AOSold2022      AOSwild2022OLD.p12  0                No

    (md-1) *#show web-server profile

    Web Server Configuration
    ------------------------
    Parameter                                          Value
    ---------                                          -----
    Cipher Suite Strength                              high
    SSL/TLS Protocol Config                            tlsv1.2
    Switch Certificate                                 default
    Captive Portal Certificate                         AOS2023
    IDP Certificate                                    AOS2023

    But the switch Cert still shows as default.

    Guy



  • 2.  RE: One cluster member still using default cert as web server cert

    Posted Jun 15, 2023 01:17 PM
    Edited by cauliflower Jun 15, 2023 01:17 PM

    Of course almost immediately after posting this I managed to fix it!

    For the record I went to the individual box level in the GUI, changed the switch cert in the 'web-server profile' (which was already set as being the new cert) to be last year's cert (which hasn't expired yet), & saved that. It successfully then switched to using that cert from the default. I then removed that override from the box level and it successfully picked up this year's cert config from the Managed Network level.
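
Added example, not part of the thread: a small audit that parses `show web-server profile` output collected from each cluster member and reports any certificate row that does not name the expected server cert, which is how the one controller still serving the default cert would be spotted. The hostname `md-2` and its output are constructed for illustration, and how the CLI output is collected from each controller is left as an assumption.

```python
import re

# Constructed sample input in the format of the CLI capture in this thread.
# md-1 mirrors the post; md-2 is a hypothetical healthy cluster member.
MD1 = """\
Web Server Configuration
------------------------
Parameter                                          Value
---------                                          -----
Cipher Suite Strength                              high
SSL/TLS Protocol Config                            tlsv1.2
Switch Certificate                                 default
Captive Portal Certificate                         AOS2023
IDP Certificate                                    AOS2023
"""
SAMPLE = {"md-1": MD1, "md-2": MD1.replace("default", "AOS2023")}

CERT_ROWS = ("Switch Certificate", "Captive Portal Certificate", "IDP Certificate")


def parse_profile(text):
    """Turn the two-column 'Parameter / Value' table into a dict."""
    rows = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) != 2 or parts[0] == "Parameter":
            continue  # title, header row, or blank line
        if set(parts[0]) <= {"-"}:
            continue  # dashed separator row
        rows[parts[0]] = parts[1]
    return rows


def audit(outputs, expected):
    """Return (host, row, actual) for every cert row that is not `expected`."""
    findings = []
    for host, text in sorted(outputs.items()):
        rows = parse_profile(text)
        for row in CERT_ROWS:
            actual = rows.get(row, "<missing>")
            if actual != expected:
                findings.append((host, row, actual))
    return findings


if __name__ == "__main__":
    for host, row, actual in audit(SAMPLE, "AOS2023"):
        print(f"{host}: {row} is '{actual}', expected 'AOS2023'")
```
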