ACS 3.3 invalid or corrupt SSL cert installed

niesommer
Level 1

Hi,

I've installed a new SSL certificate to replace the old one which was about to expire. After this cert update I can no longer access the ACS server for admin purposes. I get the error "Can not establish ciphered connection because the certificate presented by <servername> is invalid or corrupt. Error code: -8101" or something similar, as the message is in Spanish.

I've tried to restart the CSAdmin service without success. I've also looked at the different CS tools but none of them addresses this, nor does the ACS User Guide.

Is there a way to remove the certificate from the command line or other?

Any help would be appreciated as I don't want to reinstall/rebuild the server.

Thanks,

Niels

Accepted Solutions

Jagdeep Gambhir
Level 10

If the ACS is 3.3.4 or below then it can be disabled via the registry. 4.x doesn't have any registry settings to tweak.

For 4.x

One possible workaround available to us is that if a backup of ACS taken previous to enabling HTTPS is there, we can restore the same and get around the issue.

For 3.3.x

To restore access using http to your server, you will need to change the registry setting to disable https. Here is the location to the reg key:

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.2\CSAdmin\Config\HTTPSSupport

Change this value from 2 to 1.

Regards,

~JG

Do rate helpful posts

7 Replies

vkapoor5
Level 5

This chapter addresses authentication and certification features found in the System Configuration section of Cisco Secure ACS Solution Engine.

http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/user/guide/sau.html

JG, I will try this asap, and let you know. Thanks for this. The version is 3.3.4b14? the last supported patched version.

Cheers,

Niels

Thanks JG!! After changing the value and restarting the CSAdmin service I finally got access to the ACS app.

Cheers,

Niels

DWAM_2
Level 3

Hello,

I've got the same behaviour on an appliance (version 4).

Do I need to reinstall all configuration on ACS?

Thanks in advance.

Regards.

On 3.3 I didn't have to reinstall any configuration. What the Registry value change does is simply remove the SSL session encryption and that leaves the HTTP available. Once I restarted the CSAdmin service I could connect using HTTP and then install a new cert, configure the cert trust list and re-enable the HTTPS admin session option.

I would assume that being version 4 and an appliance makes no difference. This is ONLY an assumption, you should check this out in your lab before trying it on a production environment system.

Make sure that you configure the Cert Trust List before enabling the HTTPS feature.

Cheers,

Niels
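
The 3.3.x recovery steps described in this thread (set HTTPSSupport from 2 to 1, then restart CSAdmin), as an added PowerShell example that is not part of any post and is not Cisco's own tooling. It assumes PowerShell is available on the ACS server, that HTTPSSupport is a value under the Config key, and that the Windows service is named CSAdmin; the backup file name is made up for the example.

```powershell
# Added example. Run from an elevated prompt on the ACS 3.3.x Windows server.
$ErrorActionPreference = 'Stop'

$regPath = 'SOFTWARE\Cisco\CiscoAAAv3.2\CSAdmin\Config'  # key from the accepted answer
$name    = 'HTTPSSupport'                                # assumed to be a value under that key
$service = 'CSAdmin'                                     # assumed Windows service name
$backup  = Join-Path $env:TEMP ('CSAdmin-Config-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# 1. Export the key first so the change can be rolled back with "reg import".
& reg.exe export "HKLM\$regPath" $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; nothing was changed.' }

# 2. Read the current value and its type; refuse to touch anything unexpected.
$key     = Get-Item -Path "HKLM:\$regPath"
$current = $key.GetValue($name)
if ($null -eq $current) { throw "$name not found under HKLM\$regPath; nothing was changed." }
$kind = $key.GetValueKind($name)

if ("$current" -ne '2') {
    Write-Warning "$name is '$current', not 2 (the HTTPS setting named in the thread). Leaving it alone."
    return
}

# 3. Switch the admin interface back to HTTP, keeping the value's existing type.
Set-ItemProperty -Path "HKLM:\$regPath" -Name $name -Value 1 -Type $kind

# 4. CSAdmin only picks up the change after a restart.
Restart-Service -Name $service

Write-Host "$name changed from 2 to 1 ($kind). Backup written to $backup"
Write-Host 'The admin session is now plain HTTP: install the new certificate, configure the'
Write-Host 'Cert Trust List, then re-enable the HTTPS admin session option.'
```

While the value is 1 the admin login travels unencrypted, so do the certificate work from the server console or a trusted management segment and switch HTTPS back on as soon as the new certificate is in place.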

Hello Niels,

The difference is that on the appliance, there is no way to access the registry. So I cannot change the value to deactivate the ssh and I can't access the configuration through https or http.

Best regards.
