Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Replacing CP Server Cert ; lose access to webGUI?

  • 1.  Replacing CP Server Cert ; lose access to webGUI?

    Posted Sep 22, 2016 05:04 PM

    So my previous boss didn't see any need to replace the default cert in our iAPs; now, along with some of you, I'm dealing with the fallout related to the cert revocation.

     

    I've got a new Public cert in .pem, and it has been uploaded to replace the default CA and Server certs with no problem.  When I try to replace the CP Server it uploads correctly, and then I lose access to the WebGUI.

     

    Network still online, I can SSH to the Virtual Controller, and clearing the new CP Server cert returns GUI access....what am I missing here?

     

    Thanks in advance!
    SSDD



  • 2.  RE: Replacing CP Server Cert ; lose access to webGUI?

    EMPLOYEE
    Posted Sep 22, 2016 05:16 PM

    If you can SSH in, I would type "show log system" to see what is happening.



  • 3.  RE: Replacing CP Server Cert ; lose access to webGUI?

    Posted Sep 22, 2016 05:39 PM

    Yeah, it's been a long day....

     

    Anyway here is the error generated right about when I added the cert:


    Sep 22 16:23:11  cli[1590]: <341005> <ERRS> |AP us-chi_il-ap1@10.5.240.71 cli|  failed to parse cp cert

     

    There are also a number of Checksum errors that look like they are across all of the APs in this cluster.  Quick research says that is probably due to the configurations not being the same on all the APs in the cluster?

     

    Sep 22 16:23:13 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.73, slave 45280 vs master 16741, error_cnt 1, recover_sent 0.


    Sep 22 16:23:14 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.72, slave 45280 vs master 16741, error_cnt 6, recover_sent 0.


    Sep 22 16:23:14 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.74, slave 45280 vs master 16741, error_cnt 3, recover_sent 0.


    Sep 22 16:23:18 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.76, slave 45280 vs master 16741, error_cnt 4, recover_sent 0.


    Sep 22 16:23:18 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.73, slave 45280 vs master 16741, error_cnt 2, recover_sent 0.


    Sep 22 16:23:21 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.75, slave 45280 vs master 16741, error_cnt 1, recover_sent 0.


    Sep 22 16:23:24 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.72, slave 45280 vs master 16741, error_cnt 7, recover_sent 0.


    Sep 22 16:23:24 cli[1590]: <341289> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Sending full configuration to slave ip = 10.5.240.72, ap config dirty = 0 error cnt = 7


    Sep 22 16:23:24 cli[1590]: <341199> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| send_config_init: send config to slave 10.5.240.72, using url 0, auto save disable 0.


    Sep 22 16:23:25 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.74, slave 45280 vs master 16741, error_cnt 4, recover_sent 0.


    Sep 22 16:23:26 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.75, slave 45280 vs master 16741, error_cnt 2, recover_sent 0.


    Sep 22 16:23:28 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.76, slave 45280 vs master 16741, error_cnt 5, recover_sent 0.


    Sep 22 16:23:28 cli[1590]: <341132> <WARN> |AP us-chi_il-ap1@10.5.240.71 cli| Check sum error for AP-10.5.240.73, slave 45280 vs master 16741, error_cnt 3, recover_sent 0.

     



  • 4.  RE: Replacing CP Server Cert ; lose access to webGUI?

    EMPLOYEE
    Posted Sep 22, 2016 07:55 PM

    I cannot comment on the checksum errors, but have you tried a different Cert?

     

    You can use selfssl in the Microsoft Resource Kit to generate a Server Certificate:  https://helpforsure.wordpress.com/2011/01/23/howto-create-self-signed-certificate-via-selfssl-utility-included-in-iis-6-reskit-tools%E2%80%8F/ and then import it to the Instant AP to test.



  • 5.  RE: Replacing CP Server Cert ; lose access to webGUI?
    Best Answer

    Posted Oct 13, 2016 03:42 PM

    Sorry I didn't follow up on this before. In the end a co-worker worked with Aruba, and the answer was that the chaining (the order of the certificates in the .pem) was out of order.  Worked fine for the CA and the Auth server, but it broke the CP.

     

    Anyway, if anyone sees this, check your cert chaining!

     

    SSDD



  • 6.  RE: Replacing CP Server Cert ; lose access to webGUI?

    EMPLOYEE
    Posted Oct 13, 2016 07:50 PM
    Thanks for the update!