Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Certificate Failure to Upload

  • 1.  Certificate Failure to Upload

    Posted Sep 23, 2020 06:53 AM

    Just updated a controller from 6.5 to 8.6.  Configuration was cleared as part of the update. This is lab work and not production.  I have two 7010 controllers. Both were configured about the same before, differences were mostly certificates. 

     

    The first 7010 loaded the configuration with no issues.  The second gave me an error on the uploading of the certificate.  I am uploading a PKCS12 file.  A capture of the error is attached.  Ran the following:

     

    (azar) [mynode] #show crypto-local pki ServerCert

    Certificates
    ------------
    Name Original Filename Reference Count Expired
    -------------- ----------------- --------------- -------
    (azar) [mynode] #

     

    I know I can try to upload with a different name.  For me that's an issue since I am using a template configuration and customers are instructed to name the certificates what I tell them to call them in order for things to work.  My thoughts are that there is an errant file.   One with the same time and the code doesn't want it overwritten.  Any ideas?   Thank you.



  • 2.  RE: Certificate Failure to Upload

    Posted Sep 23, 2020 07:12 AM

    Try to upload the server certificate again with a different name... (no special characters)

     

    If you want to use a CSR generated on the devices within the MM infrastructure, be aware that the private key gets generated at the time the CSR was created and gets saved on the device.

    Here are the steps to get a server certificate on a given MD:

    1. Login to the MM and navigate to the MD device folder in the hierarchy

    2. Go to Configuration > System > Certificates

    3. Create a CSR destined to that MD

    4. Copy and paste the CSR into a file and upload it to your Certificate Authority

    5. Once you have a signed certificate, import it to the MM while in the same device hierarchy.

    6. Once you apply the changes, the certificate will show up on the MD.

     

    Another way is to create a CSR outside the Aruba infrastructure and combine the private key with the signed cert into the same PEM file, or as a PKCS12/PFX binary format and upload to the appropriate MD.

     

    Read more here:

    https://community.arubanetworks.com/t5/Wireless-Access/Installing-Certificates-on-MD-with-ArubaOS-8/td-p/493027
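
The off-box route described in the reply above (private key and signed certificate combined into one PEM file, or into a PKCS12/PFX file), as an added example that is not part of the original posts. It uses OpenSSL; the lab CA, the subject `md1.lab.example` and the passphrase are constructed placeholders, and the name check reads the "no special characters" advice as letters, digits, `_` and `-` only (an assumption, not a documented ArubaOS rule).

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Constructed placeholders: lab-ca,
# md1.lab.example, and whatever passphrase the caller supplies.

# "No special characters": letters, digits, '_' and '-' only (assumed rule).
valid_cert_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# build_bundle <cert-name> <workdir> <p12-passphrase>
build_bundle() {
  name=$1; dir=$2; pass=$3
  valid_cert_name "$name" || { echo "bad certificate name: $name" >&2; return 1; }
  mkdir -p "$dir" || return 1
  (
    cd "$dir" || exit 1
    umask 077   # key material is written unencrypted; keep it owner-only
    # Throwaway lab CA standing in for the real Certificate Authority.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -days 30 -subj "/CN=lab-ca" 2>/dev/null || exit 1
    # Private key and CSR created outside the controller.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
      -out "$name.csr" -subj "/CN=md1.lab.example" 2>/dev/null || exit 1
    # The CA signs the CSR.
    openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key \
      -CAcreateserial -days 30 -out "$name.crt" 2>/dev/null || exit 1
    # Option 1: signed certificate and private key in one PEM file.
    cat "$name.crt" "$name.key" > "$name.pem" || exit 1
    # Option 2: PKCS12/PFX with key, certificate and CA certificate.
    # pass: exposes the passphrase in the process list; prefer file: or env:.
    openssl pkcs12 -export -inkey "$name.key" -in "$name.crt" -certfile ca.pem \
      -name "$name" -passout "pass:$pass" -out "$name.p12" || exit 1
  )
}

# Succeeds only when the private key and the certificate share a public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Running `build_bundle aruba_ec ./out <passphrase>` leaves `aruba_ec.pem` and `aruba_ec.p12` in `./out`; `key_matches_cert ./out/aruba_ec.key ./out/aruba_ec.crt` confirms the pair before anything is uploaded.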



  • 3.  RE: Certificate Failure to Upload

    Posted Sep 23, 2020 07:39 AM

    Thank you for your response.  I was looking at that link myself this morning.  I believe I do understand how to generate a CSR and do the upload.  That could be helpful, however, I am using a scripted method to generate the key and the identity certificate.  The script also generates a configuration.   I know doing the keying manually will work.  The method used to key using scripts would then be broken. 

     

    I know that using a different name for the certificate will work.  Already tried that.  The problem is my scripted method is using the name it uses.  I can certainly change the name in the script.  But then what happens when I get the error again with the new name? 

     

    The tale of two controllers.  Both running the same 6.5.4.13 Code.  Both configured almost the same.  Both taken out of the box at the same time.  Both upgraded to 8.6.0.5 software and configuration cleared.  One likes the certificates with their chosen name and the other doesn't. 

     

    Wouldn't it have to be a file somewhere on the device that the controller doesn't like because the names match?  What is that file and how does one clear it?  Remember I am not in production so I have no problem clearing the whole of the configuration from the device.  Just need a solution.  Because if I am having this problem, then others who rely on my scripts will also someday have the same problem.  And again, thank you for your response. 



  • 4.  RE: Certificate Failure to Upload

    Posted Sep 23, 2020 12:21 PM

    Additional information:

     

    (azar) ^[mynode] #show crypto pki serverCert

    Certificates of All Nodes
    -------------------------
    Name Expired
    -------------- -------
    aruba_ec No
    (azar) ^[mynode] #

     

    There it is.  I haven't uploaded it successfully, but it shows up.  See attached for GUI output.



  • 5.  RE: Certificate Failure to Upload

    Posted Sep 23, 2020 01:28 PM

    Tried this:

     

    (azar) [mynode] (config) #no crypto-local pki ServerCert aruba_ec
    Error cert name aruba_ec not Present

     

    (azar) [mynode] (config) #cd ..
    (azar) [mm] (config) #cd /mm

    (azar) [mm] (config) #no crypto-local pki ServerCert aruba_ec
    Error cert name aruba_ec not Present

     

    (azar) [mynode] #show crypto pki serverCert

    Certificates of All Nodes
    -------------------------
    Name Expired
    -------------- -------
    aruba_ec No



  • 6.  RE: Certificate Failure to Upload
    Best Answer

    Posted Sep 23, 2020 04:24 PM

    Figured it out.  For whatever reason the file system was still showing the cert, but it could be seen in the GUI or be used command line.  You certainly could add a new cert with a new name, but not the name we wanted.

     

    Whoever was the developer at Aruba should be given a medal. The Medal winner would be the one who came up with the "WIPE OUT" command.  I like it.  Used the command and we are now good. 

     

    "wipe out flash" is the command that fixed everything.

     

    The bad is you lose your configuration and your licenses.  For me all easily recoverable.  So success. Attached is a console log. 

     

    (Aruba7010_56_EC_62) [mynode] #show crypto pki serverCert

    Certificates of All Nodes
    -------------------------
    Name Expired
    -------------- -------
    (Aruba7010_56_EC_62) [mynode] #

     

    Stick a fork in it, we are done. 
