So that's the thing, the cp takes the new certificate just fine. the ui will not. It's holding on to a certificate two years old! (they're only good for one year) I try to assign the new cert in the web and immediately the browser says "ERR_SSL_VERSION_OR_CIPHER_MISMATCH." The old cert was uploaded on an older firmware, there is no name associated with it. By command line I can neither get it to let go of the old one, assign the new one, or clear it as it's assigned.
UGH! I feel like an idiot.
I've been doing:
pki-cert-assign application ui cert-type server certname Star_22
instead of
pki-cert-assign application ui cert-type server
cert certname Star_22
This does not trigger an error as an invalid or incomplete command. Only until you try to commit apply do you get an error.
This work with the correct command.
Thanks.
EDIT: HOLY GEEZE! CASE MATTERS IN THAT COMMAND! I'm just shocked because I've not run into that before, even with the little *nix work I've done, files yes, commands no.
------------------------------
Stuart Taylor
------------------------------
Original Message:
Sent: May 06, 2022 06:56 PM
From: Ariya Parsamanesh
Subject: Certificate stuck in system.
so if you have already upload the PEM formatted certificate as your captive portal, you can also use it as your UI server cert.
just add it as shown here. remember you can remove the older certificates.
!
wlan cert-assignment-profile
pki-cert-assign application captive-portal cert-type ServerCert certname IAPcert
pki-cert-assign application ui cert-type ServerCert certname IAPcert
!
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
Original Message:
Sent: May 05, 2022 08:24 AM
From: Stuart Taylor
Subject: Certificate stuck in system.
Thanks for the tip!
I admit I do not use the CLI much and was bringing over what I know from CX and older HP OS work. So I tried using commit apply and I get a
Invalid cert_type parameter... If I go to commit either a change of the cert, "pki-cert-assign application ui cert-type server certname Star_22" or removal of cert, "no pki-cert-assign application ui cert-type server" Neither give an error in the config context but trying to save give the mentioned error.
Also I find that if I get out of the config context and use "show uicert" It still shows the old cert that expired in 2021 no matter what I do.
------------------------------
Stuart Taylor
Original Message:
Sent: May 04, 2022 08:49 PM
From: Ariya Parsamanesh
Subject: Certificate stuck in system.
you can do it through CLI but don't use "write mem", Instead use "commit apply"
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
Original Message:
Sent: May 04, 2022 05:15 PM
From: Stuart Taylor
Subject: Certificate stuck in system.
Hello all,
So I've got a certificate stuck in one (maybe more) of my clusters. I've been trying to figure out how to get it out but I just can't do it. The certificate is from two cycles ago now, so it expired in 2021. I've successfully changed my captured portal certificate to the new one - but have not tested it but I cannot do so for the web UI. Every time I try to do it via the web, I get serious issues! The browser immediately tells me it cannot work with the site or it can't agree on ciphers. Sorry I don't remember the exact wording. If I them cluster I can get back in.
I tried via the terminal but nothing I throw at it sticks.
I tried clear-cert all, I cannot because it tells me certs are assigned. It only names the newest cert
I tried assigning the new cert by terminal but it doesn't work:
configwlan cert-assignment-profilepki-cert-assign application ui cert-type server certname Star_22exitexitwrite memory
Or basically the same but "no pki-cert assign application ui cert-type server"
Still uses the very old certificate.
This certificate was put on with an older firmware and it has no name. If I show cert all, it's listed but if I show assigned certs it's not.
Any ideas?
------------------------------
Stuart Taylor
------------------------------