AAA, NAC, Guest Access & BYOD


Getting Certificate warning message when adding CPDI 

Jun 01, 2020 07:25 AM

Problem:

Registration of ClearPass with ClearPass Device Insight (CPDI) fails with the error "Failed to verify server certificate(s)".

Screenshot of error message: (image not reproduced here)

During registration of a ClearPass server with CPDI, the process fails with the error shown above. This occurs when the registration is done from the Policy Manager UI to add a cluster or a standalone ClearPass server to CPDI.

Common method followed to register:

  • Navigate to the Policy Manager UI (Publisher if in a cluster) → Administration tab → Server Manager → Device Insight.
  • Provide the 'Registration Token'.
  • Adjust the various 'Interval' settings if required.
  • Click the 'Save' button.
  • Accept the warning message about disabling discovery methods.


Diagnostics:

Note: The details in this diagnostics section are for reference only; the certificate authority and the URI can change with the version or in the future.

This error occurs because the certificate presented by the Central URL is not trusted by the ClearPass server.

During registration, ClearPass attempts to reach the URI https://xxxxxxx.central.arubanetworks.com and negotiate the registration. When establishing the HTTPS connection, ClearPass is presented with a certificate chain issued by a public CA; at the time of writing, this chain is signed under the COMODO RSA Certification Authority. For ClearPass to trust the server, a CA certificate from that chain must be present and enabled in its Trust List.

The URI ClearPass tries to reach, the certificates presented by the server, and further details of the error are logged in the ClearPass Admin logs (logging level Default). Highlights of the logs:


PolicyManagerLogs\tips-admin\tipsAdmin.log.X

[URL discovery]

[ajp-apr-8019-exec-10] INFO   com.avenda.tips.admin.client.web.optikSettings.OptikSettingsCentralUtils getActivationURL  - Cloud server url discovery URL https://xxx-xxx.central.arubanetworks.com/v1/clusters/hostname/1N

[Certificate Presented]
[ajp-apr-8019-exec-10] INFO   com.avenda.tips.utils.communication.TrustedCertStore isTrusted  - cert=OU=Domain Control Validated,OU=COMODO SSL Wildcard,CN=*.central.arubanetworks.com presented
[ajp-apr-8019-exec-10] INFO   com.avenda.tips.utils.communication.TrustedCertStore isTrusted  - cert=C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA presented
[ajp-apr-8019-exec-10] INFO   com.avenda.tips.utils.communication.TrustedCertStore isTrusted  - cert=C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Certification Authority presented
[ajp-apr-8019-exec-10] INFO   com.avenda.tips.utils.communication.TrustedCertStore isTrusted  - cert=C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root presented

[Exception error]

[ajp-apr-8019-exec-10] DEBUG  com.avenda.tips.admin.client.web.TipsDWRAjaxFilter doFilter  -  getLocalizedMsg ret Str =  optikSettings.msg.certError
java.lang.reflect.InvocationTargetException

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

....

Caused by: optikSettings.msg.certError: Debug Msg = optikSettings.msg.certError Display Message = optikSettings.msg.certErrorcom.avenda.tips.admin.common.TipsValidationException: optikSettings.msg.certError


Once the log confirms that the certificate is not trusted, check the status of this certificate in the ClearPass trust list:

  • Navigate to Administration → Certificates → Trust Lists.
  • Filter on the common name 'COMODO' and check whether a matching certificate is present.
  • This certificate is not installed by default and has to be imported manually.




Solution

After confirming that the cause is the certificate chain presented by the 'Central' server, follow these high-level steps to resolve the issue:

  • If the certificate entry is not present:
    1. Navigate to Administration → Certificates → Trust Lists.
    2. Download the attached 'COMODO RSA Certification Authority' certificate (it can also be downloaded from the COMODO knowledge base site).
    3. Click the 'Add' button and choose the downloaded file.
    4. Select the usage 'Other' and click 'Add Certificate'.
    5. Confirm that the certificate is added and enabled.
  • If the certificate is present:
    • Confirm that the certificate is enabled.
    • Confirm that the usage 'Other' is selected.
    • Confirm that the serial number matches (decimal: 101909084537582093308941363524873193117; hex: 4C:AA:F9:CA:DB:63:6F:E0:1F:F7:4E:D8:5B:03:86:9D). These are the same value written two ways.
    • Confirm that none of the certificates in the certificate chain has expired.

After adding the root of the presented chain, registration should succeed.
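The diagnostic reasoning above (match the chain logged in tipsAdmin.log against the Trust List, then verify enabled state, usage, serial and expiry) can be scripted. The following Python is an added example written for this page, not ClearPass code: it parses the four 'presented' log lines quoted above (embedded as constructed sample input), models a Trust List row as a small dataclass (a hypothetical structure; ClearPass does not export rows in this shape), and reports which CA in the chain acts as the trust anchor or, if none does, why each CA was rejected. The serial handling also shows that the decimal and hex values in the Solution section are one number. One caveat a practitioner should know: the chain logged on this page ends in the cross-signing 'AddTrust External CA Root', which expired on 30 May 2020, two days before this post; trusting 'COMODO RSA Certification Authority' directly, as the solution does, removes any dependency on that expired cross-certificate. The validity dates in the demo are typed in from those public root certificates, not read from a PEM.

```python
"""Added example: check the server chain ClearPass logs during CPDI registration
against a model of the ClearPass Trust List. Not ClearPass code."""
import re
from dataclasses import dataclass

# Constructed sample input: the four "presented" lines quoted on this page from
# PolicyManagerLogs\tips-admin\tipsAdmin.log.X, in the order ClearPass logged them.
SAMPLE_LOG = """\
[ajp-apr-8019-exec-10] INFO   com.avenda.tips.utils.communication.TrustedCertStore isTrusted  - cert=OU=Domain Control Validated,OU=COMODO SSL Wildcard,CN=*.central.arubanetworks.com presented
[ajp-apr-8019-exec-10] INFO   com.avenda.tips.utils.communication.TrustedCertStore isTrusted  - cert=C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA presented
[ajp-apr-8019-exec-10] INFO   com.avenda.tips.utils.communication.TrustedCertStore isTrusted  - cert=C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Certification Authority presented
[ajp-apr-8019-exec-10] INFO   com.avenda.tips.utils.communication.TrustedCertStore isTrusted  - cert=C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root presented
"""

CERT_LINE = re.compile(r"TrustedCertStore isTrusted\s+-\s+cert=(?P<dn>.+?)\s+presented\s*$")


def parse_presented_chain(log_text):
    """Return the subject DNs ClearPass logged, leaf first, root last."""
    chain = []
    for line in log_text.splitlines():
        m = CERT_LINE.search(line)
        if m:
            chain.append(m.group("dn"))
    return chain


def cn_of(dn):
    """CN attribute of a comma-separated DN (these log lines have no escaped commas)."""
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    return None


def serial_from_text(text):
    """Parse a serial given as colon-separated hex (the Trust List display form) or
    as a plain decimal string, returning an int so both forms compare equal."""
    cleaned = text.strip().replace(":", "").replace(" ", "")
    if ":" in text or re.search(r"[a-fA-F]", cleaned):
        return int(cleaned, 16)
    return int(cleaned, 10)


# Serial of 'COMODO RSA Certification Authority' as given in the Solution section.
COMODO_RSA_ROOT_SERIAL = serial_from_text("4C:AA:F9:CA:DB:63:6F:E0:1F:F7:4E:D8:5B:03:86:9D")


@dataclass(frozen=True)
class TrustListEntry:
    """Model of one row under Administration -> Certificates -> Trust Lists
    (hypothetical structure; ClearPass does not export rows in this shape)."""
    subject_cn: str
    serial: int
    not_after: str              # ISO date "YYYY-MM-DD"; such strings compare correctly
    enabled: bool = True
    usage: tuple = ("Other",)


def find_trust_anchor(chain_dns, trust_list, today, expected_serials=None,
                      required_usage="Other"):
    """Walk the presented chain from the first CA upward. Return ('trusted', detail)
    when a CA matches an enabled, unexpired Trust List entry with the required
    usage (and the expected serial, if one is given); otherwise ('untrusted',
    reasons) listing what was wrong with each CA in the chain."""
    by_cn = {e.subject_cn: e for e in trust_list}
    expected_serials = expected_serials or {}
    problems = []
    for dn in chain_dns[1:]:                      # skip the leaf; anchors are CAs
        cn = cn_of(dn)
        entry = by_cn.get(cn)
        if entry is None:
            problems.append(f"{cn}: not in Trust List")
        elif not entry.enabled:
            problems.append(f"{cn}: present but disabled")
        elif required_usage not in entry.usage:
            problems.append(f"{cn}: usage does not include '{required_usage}'")
        elif entry.not_after < today:
            problems.append(f"{cn}: expired on {entry.not_after}")
        elif cn in expected_serials and entry.serial != expected_serials[cn]:
            problems.append(f"{cn}: serial {entry.serial:X} is not the expected certificate")
        else:
            return "trusted", f"anchor={cn} serial={entry.serial:X}"
    return "untrusted", "; ".join(problems)


def demo(today="2020-06-01"):
    """Before/after the fix described on this page. Validity dates are typed in
    from the public root certificates (assumed here, not read from a PEM)."""
    chain = parse_presented_chain(SAMPLE_LOG)
    # Only the cross-signing root, which expired on 2020-05-30: registration still fails.
    before = [TrustListEntry("AddTrust External CA Root", 1, "2020-05-30")]
    # After importing the attached PEM with usage 'Other' and leaving it enabled.
    after = before + [TrustListEntry("COMODO RSA Certification Authority",
                                     COMODO_RSA_ROOT_SERIAL, "2038-01-18")]
    expected = {"COMODO RSA Certification Authority": COMODO_RSA_ROOT_SERIAL}
    return (find_trust_anchor(chain, before, today, expected),
            find_trust_anchor(chain, after, today, expected))


if __name__ == "__main__":
    for label, result in zip(("before fix", "after fix"), demo()):
        print(f"{label}: {result[0]} ({result[1]})")
```

Running the block prints the "before" verdict (every CA rejected, the AddTrust root as expired) and the "after" verdict naming 'COMODO RSA Certification Authority' as the anchor. The walk stops at the first acceptable CA, which is why a trusted intermediate-turned-anchor makes the expired cross-signing root irrelevant; the same function also surfaces the disabled, wrong-usage and wrong-serial cases the Solution section tells you to check by hand.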


Attachments:
central-arubanetworks-com_COMODO_Root_Cert.pem
