Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Captive Portal Not using my Known CA Cert

  • 1.  Captive Portal Not using my Known CA Cert

    Posted Apr 14, 2016 01:18 PM

    I have a 3400 pair of controllers in HA.  I am trying to install my known CA issued server cert and I'm running into some issues.

     

    Note: based on some of my other installs on standalone controllers, I have appended the intermediate cert and the root CA to the server cert and also uploaded the intermediate and root CA to the controller individually.  This was required to make things work before on other controllers.

     

    Once everything was uploaded, I went to admin > general and chose my new cert in the drop down for captive portal.  The webserver restarted and everything was good, but the captive portal is still serving the securelogin.arubanetworks.com cert.

     

    I went to the standby node and noticed that the certs weren't there.  I tried to upload the server cert there, but I get this:

     

    Error Uploading Certificate: Cert missing private key and failed to find a key generated from a CSR request in the system to match it

     

    The same cert uploaded fine on the primary box.

     

    Can anyone point me in the right direction to correct this?

     

    Thanks!

     



  • 2.  RE: Captive Portal Not using my Known CA Cert

    EMPLOYEE
    Posted Apr 14, 2016 01:20 PM
    Did you create the CSR on the primary box?


  • 3.  RE: Captive Portal Not using my Known CA Cert

    Posted Apr 14, 2016 01:21 PM

    Edit: WAIT - sorry, yes I did.  It was months ago and the guy who buys our certs just finally sent the cert.



  • 4.  RE: Captive Portal Not using my Known CA Cert

    Posted Apr 14, 2016 01:23 PM

    Can I use the same cert on the second box, or do I need to do a new CSR and get a new cert?



  • 5.  RE: Captive Portal Not using my Known CA Cert

    EMPLOYEE
    Posted Apr 14, 2016 01:26 PM
    Use the same cert on each box. Use something generic as the CN, like network-login.domain.xyz. You'll need to do the CSR on an external box, then export the public key with the private key. You can then import it to each controller.


  • 6.  RE: Captive Portal Not using my Known CA Cert

    Posted Apr 14, 2016 01:28 PM

    The name is good since we're using the hostname of the VIP and that's where captive portal redirects the users when either node is active.



  • 7.  RE: Captive Portal Not using my Known CA Cert
    Best Answer

    EMPLOYEE
    Posted Apr 14, 2016 01:39 PM
    No, you cannot export the private key from the controller. Also, just an FYI, the name of the cert does not need to match a DNS entry for the controller captive portal.


  • 8.  RE: Captive Portal Not using my Known CA Cert

    Posted Apr 14, 2016 02:33 PM

    Sorry - yeah, I know it doesn't need to be the hostname since it just pulls the name from the cert for the redirect.

     

    Back to the original question though - if I do a CSR off box and put the cert on both devices, will that solve the problem of the cert not being used for captive portal?



  • 9.  RE: Captive Portal Not using my Known CA Cert

    EMPLOYEE
    Posted Apr 14, 2016 02:59 PM
    No. You can't pull the private key off a controller. You need to generate the cert on another box that allows export.


  • 10.  RE: Captive Portal Not using my Known CA Cert

    Posted Apr 14, 2016 03:10 PM

    Thanks.

     

    I'm still curious as to the answer to my original question.  I've put the cert on the main/active controller and set it to be used for captive portal, but it is still not being used.  Is this because I don't have the same cert on the inactive controller?  Or could it be something else?

     

    I'm getting the cert reissued now with a CSR that was generated from somewhere else so it can be applied to both controllers, but should that resolve the problem of the captive portal not using the known CA cert I installed?  Or is there another issue?  It seems like since the active node has the cert, it should work now even though I don't have the same cert on the other node yet.



  • 11.  RE: Captive Portal Not using my Known CA Cert

    EMPLOYEE
    Posted Apr 14, 2016 01:23 PM
    So you have a p12/pfx file with the public and private keys?


  • 12.  RE: Captive Portal Not using my Known CA Cert

    EMPLOYEE
    Posted Apr 14, 2016 01:25 PM
    You need to do the CSR external (digicert tool, open SSH, etc) to the controller, then export it with private key, then import to each controller.
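    The off-box workflow described in this reply and in reply 5 (generate the key and CSR on an external machine, get the cert issued, then export the cert together with its private key and chain as a single PKCS#12 file that can be imported on both controllers of the HA pair), written out as an added example using OpenSSL on a workstation. This is not code from the thread or from HPE Aruba; the CN `network-login.example.com`, the working directory, the import password and the local "root" and "intermediate" CA are placeholders constructed so the script runs offline (in practice the public CA returns the leaf cert and its chain, and the `fake_ca_issue` step is replaced by that). The last function is the check the original poster needed: ask the VIP which certificate the captive portal is actually presenting.

```shell
#!/bin/sh
# Added example (not from the thread): build one PKCS#12 bundle holding the
# server cert, its chain and the private key, so the same file can be imported
# on each controller. All names below are placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"                 # scratch dir (placeholder)
CN="${CN:-network-login.example.com}"        # generic CN, as reply 5 suggests
P12_PASS="${P12_PASS:-changeit}"             # import password (placeholder)

# 1. Key + CSR generated OFF the controller, so the private key stays exportable.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/portal.key" -out "$WORK/portal.csr" \
    -subj "/CN=$CN" 2>/dev/null
}

# 2. Constructed stand-in for the public CA: a local root and intermediate that
#    sign the CSR. With a real CA this step is "send CSR, receive cert + chain".
fake_ca_issue() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" \
    -subj "/CN=Example Root (constructed)" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" \
    -subj "/CN=Example Intermediate (constructed)" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$CN" > "$WORK/srv.ext"
  openssl x509 -req -in "$WORK/portal.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/srv.ext" -out "$WORK/portal.crt" 2>/dev/null
}

# 3. Chain order matters: leaf first, then intermediate, then root (the order
#    the original poster describes appending). Verify before exporting so a
#    broken chain is caught here rather than on the controller.
build_chain() {
  cat "$WORK/portal.crt" "$WORK/int.crt" "$WORK/root.crt" > "$WORK/portal-chain.pem"
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    "$WORK/portal.crt" >/dev/null
}

# 4. One .p12/.pfx with private key + full chain. openssl pkcs12 takes the cert
#    matching the key as the leaf and packs the rest of the file as extra certs.
#    Import this same file on each controller.
export_p12() {
  openssl pkcs12 -export -inkey "$WORK/portal.key" -in "$WORK/portal-chain.pem" \
    -name "$CN" -out "$WORK/portal.p12" -passout "pass:$P12_PASS"
}

# Sanity check of the bundle: count PEM objects inside it. Expect 4 =
# one private key + leaf + intermediate + root.
check_p12() {
  openssl pkcs12 -in "$WORK/portal.p12" -passin "pass:$P12_PASS" -nodes 2>/dev/null |
    grep -c -- '-----BEGIN'
}

# After import: ask the captive-portal VIP which cert it actually presents.
# If the subject still reads securelogin.arubanetworks.com, the new cert is
# not in use. Needs network access, so it is not run here.
served_subject() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
    openssl x509 -noout -subject
}

# Stand-alone run: key/CSR -> (stand-in) CA -> chain check -> PKCS#12 bundle.
gen_csr
fake_ca_issue
build_chain
export_p12
echo "bundle: $WORK/portal.p12 ($(check_p12) PEM objects inside)"
```

The point of doing the CSR outside the controller is exactly what replies 7 and 9 state: the controller will not export a private key, so a cert issued against an on-box CSR can only ever live on that one box. `served_subject vip.hostname` after the import is the quick way to confirm whether the portal has switched to the new cert or is still presenting the factory one.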


  • 13.  RE: Captive Portal Not using my Known CA Cert

    Posted Apr 14, 2016 01:27 PM

    Is there no way to copy the CSR from the primary box to the other node via command line or anything?