Q: Why do get this error "awc_init_connection: 2092: Failed to load CA root certificate" in IAP?
A: When the IAP is trying to contact activate, it gets the below error message and unable to establish the http connection to the activate server.
Jan 1 00:02:08 awc[2428]: awc_init_connection: 2004: connecting to device.arubanetworks.com:443
Jan 1 00:02:08 awc[2428]: tcp_connect: 163: recv timeout set to 5
Jan 1 00:02:08 awc[2428]: tcp_connect: 170: send timeout set to 5
Jan 1 00:02:08 awc[2428]: awc_init_connection: 2043: connected to device.arubanetworks.com:443
Jan 1 00:02:08 awc[2428]: awc_init_connection: 2085: Loading local CA certificates
Jan 1 00:02:08 awc[2428]: awc_init_connection: 2092: Failed to load CA root certificate: ASN date error, current date before
Jan 1 00:02:08 awc[2428]: isc_init failed
If the IAP unable to contact NTP server (might be blocked by the firewall) the IAP will have incorrect time as shown below which will be one of the possible reason that the IAP will not be able to establish the connection to the activate server.
Current Time :1970-01-01 00:07:22
IAP# show cert all
Default Server Certificate:
Version :3
Serial Number :01:DA:52
Issuer :/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA
Subject :/serialNumber=lLUge2fRPkWcJe7boLSVdsKOFK8wv3MF/C=US/O=securelogin.arubanetworks.com/OU=GT28470348/OU=See www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R) Premium/CN=securelogin.arubanetworks.com
Issued On :May 11 01:22:10 2011 GMT
Expires On :Aug 11 04:40:59 2017 GMT
Signed Using :SHA1-RSA
RSA Key size :2048 bits
In order to fix this issue, the IAPs should get valid DNS and should be reachable to ntp server and this is mandatory for the IAP to contact activate.