New Contributor

Clearpass License Online Activation fails with 'Client certificate-chain validation failed'

Hello community,

 

We have migrated our Clearpass from a hardware appliance 500 to a virtual Clearpass CP-VA-500 version 6.6.5.93747. I have created a VM on an ESXi server, did the basic config and restored the backup from the hardware appliance. After that I had to install our public certificate for the CP portal page. Everything works fine, except when I try to online activate our licenses, I get the error: 'Client certificate-chain validation failed'.

How can I evaluate which certificate is responsible for this error?

 

Thanks for any hints.

Konrad

 

MVP Guru

Re: Clearpass License Online Activation fails with 'Client certificate-chain validation failed'

You need to contact TAC so they deactivate the license on the other box, and then it will allow you to activate it on the new one.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
New Contributor

Re: Clearpass License Online Activation fails with 'Client certificate-chain validation failed'

Hi Victor,

 

Thank you for this hint.

I already have a TAC open for the migration to VM and the license activation on the VM. The licenses on the appliance are already deactivated by TAC. Because of the certification problem the TAC tries to offline activate the licenses. That's ok for the first step, but finally I would like to solve the problem at the roots. Maybe someone had a similar problem and may give me a hint.

 

Thanks and greetings from Switzerland

Konrad

MVP Guru

Re: Clearpass License Online Activation fails with 'Client certificate-chain validation failed'

Konrad,

Did you check the clock on the new ClearPass appliance? If it is off (by months) it might be that one of the certs is considered expired or not valid yet.

Another thought, could it be that the https traffic from ClearPass to the internet runs through a proxy that intercepts the SSL traffic (ssl inspection)? That can render the traffic invalid as well.

Working with TAC should give the quickest resolution.

73, Herman

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
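
An added example, not part of any post in this thread: the two causes suggested above (a wrong system clock, and a TLS-inspecting proxy re-signing the connection) produce different verification errors, which `openssl verify` shows on a constructed lab chain. It assumes the `openssl` CLI on an ordinary workstation; the CA names, `activation.example` and the `diagnose` helper are hypothetical and have nothing to do with Aruba's real activation service.

```shell
#!/bin/sh
# Constructed lab: a throwaway root CA, a leaf it signs, and a second
# "inspection proxy" CA with its own leaf. All names are hypothetical.
LAB=$(mktemp -d)

make_ca() {   # $1 = file prefix, $2 = common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$LAB/$1.key" -out "$LAB/$1.pem" 2>/dev/null
}

make_leaf() { # $1 = leaf prefix, $2 = prefix of the signing CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=activation.example" \
        -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null
    openssl x509 -req -in "$LAB/$1.csr" -days 30 -CA "$LAB/$2.pem" \
        -CAkey "$LAB/$2.key" -CAcreateserial -out "$LAB/$1.pem" 2>/dev/null
}

# diagnose <leaf.pem> <trusted-root.pem> [epoch-seconds]
# Verifies the leaf against the root as if the clock read the given time
# (default: now) and prints a one-word cause.
diagnose() {
    at=${3:-$(date +%s)}
    # "|| true": a failed verification must not abort the script under set -e
    out=$(openssl verify -attime "$at" -CAfile "$2" "$1" 2>&1) || true
    case "$out" in
        *"not yet valid"*)              echo clock-behind ;;
        *"has expired"*)                echo clock-ahead-or-expired ;;
        *"unable to get local issuer"*) echo untrusted-issuer ;;
        *": OK"*)                       echo ok ;;
        *)                              echo other ;;
    esac
}

make_ca root  "Constructed Vendor Root"
make_ca proxy "Constructed Inspection Proxy CA"
make_leaf server      root    # what the real endpoint would present
make_leaf intercepted proxy   # what a re-signing proxy would present
```
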
New Contributor

Re: Clearpass License Online Activation fails with 'Client certificate-chain validation failed'

Hello, I have the same problems with a new Clearpass 6.7 installation:

Action Status: Client certificate-chain validation failed
Product Name: ClearPass Platform

I have checked time and firewall, the only internet traffic I can see in the firewall is the Clearpass server is trying to connect to external NTP servers, but I have configured internal ones that work, no other traffic to internet. How do I proceed?

Guru Elite

Re: Clearpass License Online Activation fails with 'Client certificate-chain validation failed'

Please work with Aruba TAC.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: Clearpass License Online Activation fails with 'Client certificate-chain validation failed'

Hi everyone,

 

Maybe you have solved the problem. If someone has the same issue, try installing these patches, it worked for me:

 

https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/ClearPass-license-activation-failure/ta-p/496584

 

Regards,

Julián

Frequent Contributor I

Re: Clearpass License Online Activation fails with 'Client certificate-chain validation failed'

hi,

 

is there a patch for 6.8.x as well? Unfortunately it looks like the lic activation isn't working and exiting with the same error.

 

Action Status: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find certificate chain
Product Name: ClearPass Platform
Network Engineer
ACCX #931 | ACMP
MVP Guru

Re: Clearpass License Online Activation fails with 'Client certificate-chain validation failed'

For license activation related issues, it's best in most cases to call Aruba TAC. Most license activations work without any issue, and if some fail the Aruba TAC needs to know to fix it.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).