Thanks - ok so on one of the live MDs (which I haven't used my brute force solution on yet) I ran that:
(UWS-MC-A1) *#show configuration effective detail | include wildcard
switch-cert AOSwildcard2021 # inherited from [/mm]
(UWS-MC-A1) *#
Pretty much everything shows as being /mm if I leave the filter off that command.
I ran the below, which doesn't help much but confirms the error.
(UWS-MC-A1) *#show configuration failure
Configuration Failure
---------------------
Command: no crypto-local pki ServerCert AOSwildcard2021
Process: Certificate Manager
Message: Failed to delete instance. Cert is either not present or referenced by an application.
Total Failures: 1
Is there any way I can remove that line from the configuration that is being sent from the MM, or something like that?
------------------------------
Guy Goodrick
------------------------------
Original Message:
Sent: Oct 27, 2021 10:04 AM
From: Colin Joseph
Subject: Failing command in configuration
You should do a "show configuration effective detail" to determine where the reference exists in your hierarchy.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
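An added example, not code from this thread or from Aruba: a small Python parser that reads pasted "show configuration effective detail" output, lists every certificate reference together with the hierarchy node it is inherited from, and flags references to a certificate that no "crypto-local pki ServerCert" line installs, which is the situation described in this thread. The sample output is constructed from the line shapes quoted here; the node name /md/uws and the keywords captive-portal-cert and idp-cert are assumptions, as is treating "default" as a built-in certificate.

```python
import re
from collections import defaultdict

# Constructed sample of "show configuration effective detail" output.
# Line shapes follow the thread; node /md/uws and the non-switch-cert
# keywords are assumptions for illustration.
SAMPLE_EFFECTIVE = """\
crypto-local pki ServerCert AOSwild21 # inherited from [/mm]
web-server profile # inherited from [/mm]
  switch-cert AOSwildcard2021 # inherited from [/mm]
  captive-portal-cert AOSwild21 # inherited from [/md/uws]
  idp-cert default # inherited from [/mm]
"""

# "<command> # inherited from [<node>]" as printed by the detail view
INHERIT_RE = re.compile(
    r"^\s*(?P<cmd>.*?)\s*#\s*inherited from \[(?P<node>[^\]]+)\]\s*$"
)

# Profile keywords that name a certificate (assumed list)
CERT_KEYWORDS = ("switch-cert", "captive-portal-cert", "idp-cert")

# Certificates that exist without a ServerCert line (assumption)
BUILTIN_CERTS = {"default"}


def parse_effective(text):
    """Return a list of (command, node); node is None if a line has no annotation."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = INHERIT_RE.match(line)
        if m:
            entries.append((m.group("cmd").strip(), m.group("node")))
        else:
            entries.append((line.strip(), None))
    return entries


def cert_references(text):
    """Map certificate name -> [(keyword, node), ...] for every profile line naming a cert."""
    refs = defaultdict(list)
    for cmd, node in parse_effective(text):
        parts = cmd.split()
        if len(parts) >= 2 and parts[0] in CERT_KEYWORDS:
            refs[parts[1]].append((parts[0], node))
    return dict(refs)


def installed_server_certs(text):
    """Names installed by 'crypto-local pki ServerCert <name> ...' lines."""
    names = set()
    for cmd, _node in parse_effective(text):
        parts = cmd.split()
        if parts[:3] == ["crypto-local", "pki", "ServerCert"] and len(parts) > 3:
            names.add(parts[3])
    return names


def dangling_references(text):
    """References to certificates that are neither installed nor built in.

    Each entry says which profile keyword still points at the missing cert and
    which node in the hierarchy the line is inherited from, so the reference can
    be cleared at its source rather than on the device that reports the failure.
    """
    known = installed_server_certs(text) | BUILTIN_CERTS
    return {
        name: refs
        for name, refs in cert_references(text).items()
        if name not in known
    }


if __name__ == "__main__":
    for name, refs in dangling_references(SAMPLE_EFFECTIVE).items():
        for keyword, node in refs:
            print(f"{name}: referenced by '{keyword}', inherited from {node}")
```

Paste the real output of "show configuration effective detail" into SAMPLE_EFFECTIVE (or read it from a file) and the node printed for each dangling reference is the level at which to edit the web-server profile.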
Original Message:
Sent: Oct 26, 2021 12:56 PM
From: Guy Goodrick
Subject: Failing command in configuration
AOS 8.7.1.5
10x cluster
7x backup cluster
We have an alert for nearly all of our controllers on our MM which has been there for a while:
We deleted "AOSwildcard21" some time ago. The cert we use now is "AOSwild21". I found that there is still a reference to the old cert in the web-server profile (on all but one of our MCs, strangely), which I assume is the problem. But I can't seem to delete that reference in the web-server profile, or change it so that it references the new cert. This is the profile on one of the boxes:
(UWS-MC-B1) #show web-server profile
Web Server Configuration (Invalid: Error: server certificate "AOSwildcard2021" not found)
-----------------------------------------------------------------------------------------
Parameter                                        Value
---------                                        -----
Cipher Suite Strength                            high
SSL/TLS Protocol Config                          tlsv1.2
Switch Certificate                               AOSwildcard2021
Captive Portal Certificate                       AOSwild21
IDP Certificate                                  default
Management user's WebUI access method            username/password
User absolute session timeout <30-3600> (seconds) 0
User session timeout <30-3600> (seconds)         180
Maximum supported concurrent clients <25-320>    240
Enable WebUI access on HTTPS port (443)          true
Enable bypass captive portal landing page        false
Exclude Security Headers from HTTP Response      false
VIA client-cert port number                      8085
I tried changing the web-server profile at our md/uws level, and at levels below, down to the individual MCs (on the MM). But although it looked like the change was accepted on the MM, the config never finds its way to the MC:
(UWS-MM-8A) [mynode] (config) #cd UWS-MC-B2
(UWS-MM-8A) [00:1a:1e:xx:xx:xx] (config) #web-server profile
(UWS-MM-8A) [00:1a:1e:xx:xx:xx] (Web Server Configuration) #switch-cert AOSwild21
(UWS-MM-8A) [00:1a:1e:xx:xx:xx] (Web Server Configuration) #no switch-cert
(UWS-MM-8A) ^[00:1a:1e:xx:xx:xx] (Web Server Configuration) #write mem
Saving Configuration...
Configuration Saved.
(UWS-MM-8A) [00:1a:1e:xx:xx:xx] (Web Server Configuration) #switch-cert AOSwild21
(UWS-MM-8A) ^[00:1a:1e:xx:xx:xx] (Web Server Configuration) #write mem
Saving Configuration...
So I guess the config can't be applied to the boxes because of the existing error.
For one of the MCs I have got around this by entering disaster recovery mode and applying the change there; now on that box I can see that the switch cert is shown as the new cert. But the second MC I tried failed:
(DR-Mode) [mm] (Web Server Configuration) #switch-cert AOSwild21
Error decrementing DS refcount for cert AOSwildcard2021 path /mm
(DR-Mode) [mm] (Web Server Configuration) #no switch-cert
Error decrementing DS refcount for cert AOSwildcard2021 path /mm
So I'm stuck! Can anyone help?
Thank you
Guy
==================== UPDATE ====================
Reloading the boxes in the backup cluster then allowed me to enter disaster-recovery mode and make the change above. But if there is a better way then I would be keen to know what I should do - I haven't fixed our live cluster yet and would prefer not to reload the controllers if possible
------------------------------
Guy Goodrick
------------------------------