ACS 3.3 invalid or corrupt SSL cert installed

Answered Question
Feb 11th, 2008

Hi,

I've installed a new SSL certificate to replace the old one, which was about to expire. After this cert update I can no longer access the ACS server for admin purposes. I get the error "Cannot establish ciphered connection because the certificate presented by <servername> is invalid or corrupt. Error code: -8101" or something similar, as the message is in Spanish.

I've tried to restart the CSAdmin service without success. I've also looked at the different CS tools, but none of them addresses this, nor does the ACS User Guide.

Is there a way to remove the certificate from the command line or other?

Any help would be appreciated as I don't want to reinstall/rebuild the server.

Thanks,

Niels

Correct Answer
Jagdeep Gambhir Fri, 02/15/2008 - 06:39

If the ACS is 3.3.4 or below, then it can be disabled via the registry. 4.x doesn't have any registry settings to tweak.

For 4.x

One possible workaround available to us is that if a backup of ACS taken previous to enabling the HTTPS is there, we can restore the same and get around the issue.

For 3.3.x

To restore access using HTTP to your server, you will need to change the registry setting to disable HTTPS. Here is the location of the reg key:

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.2\CSAdmin\Config\HTTPSSupport

Change this value from 2 to 1.

Regards,

~JG

Do rate helpful posts

niesommer Wed, 02/20/2008 - 06:20

JG, I will try this ASAP, and let you know. Thanks for this. The version is 3.3.4b14? the last supported patched version.

Cheers,

Niels

niesommer Fri, 02/22/2008 - 05:42

Thanks JG!! After changing the value and restarting the CSAdmin service I finally got access to the ACS app.

Cheers,

Niels

DWAM_2 Tue, 03/25/2008 - 01:34

Hello,

I've got the same behaviour on appliance (version 4).

Do I need to reinstall all configuration on ACS?

Thanks in advance.

Regards.

niesommer Tue, 03/25/2008 - 02:26

On 3.3 I didn't have to reinstall any configuration. What the registry value change does is simply remove the SSL session encryption, and that leaves HTTP available. Once I restarted the CSAdmin service I could connect using HTTP and then install a new cert, configure the cert trust list and re-enable the HTTPS admin session option.

I would assume that being version 4 and an appliance makes no difference. This is ONLY an assumption, you should check this out in your lab before trying it on a production environment system.

Make sure that you configure the Cert Trust List before enabling the HTTPS feature.

Cheers,

Niels

DWAM_2 Tue, 03/25/2008 - 03:42

Hello Niels,

The difference is that on the appliance, there is no way to access the registry. So I cannot change the value to deactivate the ssh, and I can't access the configuration through https or http.

Best regards.
