SSL VPN Failed to validate server certificate (cannot access https)

Unanswered Question
May 18th, 2012

Hi all,

I have the next problem.

I've configured in an UC520 a SSL VPN.

I can access properly and I can see the labels, but I only can access urls which are http, not https:

I can access the default ip of the uc520 (192.168.1.10) but

When I try to get access to a secure url I get the msg: Failed to validate server certificate

I'm trying to access a Cisco Digital Media Manager, whose url is https://pc.sumkio.local:8080

Does the certificate of both hardware has to be the same?

How can I add a https?

Here is the config of the router:

!

webvpn gateway SDM_WEBVPN_GATEWAY_1

ip address 192.168.1.254 port 443 

ssl trustpoint TP-self-signed-2977472073

inservice

!

webvpn context SDM_WEBVPN_CONTEXT_1

secondary-color white

title-color #CCCC66

text-color black

ssl authenticate verify all

!

url-list "Intranet"

   heading "Corporate Intranet"

   url-text "DMM Sumkio" url-value "http://pc.sumkio.local:8080"

   url-text "Impresora" url-value "http://192.168.10.100"

   url-text "DMM" url-value "https://pc.sumkio.local:8443"

   url-text "DMM 1" url-value "http://192.168.10.10:8080"

   url-text "UC520" url-value "http://192.168.10.1"

!

!

policy group SDM_WEBVPN_POLICY_1

   url-list "Intranet"

   mask-urls

   svc dns-server primary 192.168.10.250

   svc dns-server secondary 8.8.8.8

default-group-policy SDM_WEBVPN_POLICY_1

aaa authentication list sdm_vpn_xauth_ml_1

gateway SDM_WEBVPN_GATEWAY_1

max-users 10

inservice

!

Any help would be apreciatted.

Thank you

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
hebaerte Fri, 05/25/2012 - 01:03

Hi Pablo,

you will need to create a trustpoint and import either:

- the server certificate (in this case you need 1 trustpoint per server)

or

- the issuer certificate (e.g. if all your servers have a cert issued by Globalsign, then import the Globalsign signing certificate)

hth

Herbert

p.juarezponte Fri, 05/25/2012 - 01:36

hi,

Thanks for your answer but I don't know how doing that.

I have 3 files, one is .crt, another is .ca and the last is .prv.

All  these are from the UC520.

This certificate is self-signed.

Which file should I export to the Cisco Digital Media Manager?

And how can I do that?

Or should I have to import the CA from the DMM to the Uc520?

I'm really lost

hebaerte Fri, 05/25/2012 - 02:16

Hi Pablo,

you do not need to do anything on the DMM.

On the router, you need to import the DMM server certificate OR the CA certificate of the CA that the DMM received its cert from.

Off the top of my head, you would need something like:

conf t

crypto pki trustpoint DMMCA

  enrollment terminal

  exit

exit

crypto pki authenticate DMMCA

OR

crypto pki import ...

to import the server cert.

(check the options, don't know them by heart)

Sorry for the condensed response - hope to have more time later or next week if you need more help.

H

p.juarezponte Fri, 05/25/2012 - 02:38

Hi, thanks for your advise.

I'm trying to copy the certificate via cut and paste, but I'm getting a

% Error in saving certificate: status = FAIL

I dont know if I'm doing this right.

I open the https page from the DMM with Mozilla Firefox, and in options I export the certificate in PEM format.

I get a file which if I open with notepad is like

-----BEGIN CERTIFICATE-----

MIICOzCCAaSgAwIBAgIET7EwyzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJV

.............

KoZIhvcNAQEFBQADgYEAdk7n+tJi0igrTD2o7RD9ty8MLTyHN4uk8km+7DbpEy0g

mxLY0UZswYvbj15kPdd8QbeGEdDR6SXOYePsfIRJzL0mqMON4oiUhsqAK5y2yC6R

nqy4wWQ2fGVEYAeLpb1jGKdZWpuag/CO90NMHcMiobfBh+4eTqm7kRPTEyma6V0=

-----END CERTIFICATE-----

If I try to authenticate the trustpoint, I get that error.

how can I export the certificate from the DMM?

I think that this file is not the right file.

and then, do I have to make some changes in

webvpn gateway SDM_WEBVPN_GATEWAY_1?

Should I choose the new trustpoint?

I understand that the old trustpoint is for the outside connection, no for the LAN connection.

Dont worry about me, answer when you can but I really need to fix this.

Thank you so much

hebaerte Fri, 05/25/2012 - 02:51

It sounds like you're doing the right things, the cert format looks good, so not sure why it is saying "

Error in saving certificate:". You may need to use "crypto pki import ..." instead of authenticate.

Would you mind posting the entire cert in PEM format (or send it to me privately - click on my name, then on my profile page click "send private message") ?

Can't promise a response in the next few days though.

H

hebaerte Tue, 06/05/2012 - 13:07

Hi Pablo,

Thanks for sending me the cert. I tried importing it and see the same problem, but when I examine the cert with openssl it seems fine - but then I noticed that it has a very long validity, until the year 2112; I think this is causing the problem.

I found this bug on ASA:

CSCsu27196    ASA should support certificates with dates after Jan 19 2038

but I believe IOS has the same problem, although I cannot immediately find a bug ID for it.

Could you try issuing a new self-signed cert on the DMM server, with a shorter validity, e.g. until 2037 ?

hth

Herbert

heavymichael Fri, 07/19/2013 - 02:17

Hi Herbert

I have read your suggest

you will need to create a trustpoint and import either:

- the server certificate (in this case you need 1 trustpoint per server)

Is that mean we should ask the server owner to get the valid certificate for insert into cisco router 1941?

I have no idea how to get the certificate for gmail if we prefer to access this webmail service through ssl vpn.

Moreover, how can we use that cert in case the valid cert is already insert into the router, becuase the router is already using this

"#crypto pki trustpoint TP-self-signed-3430371784" for client

which command i should use that for the valid certificate?

Actions

Login or Register to take actions

This Discussion

Posted May 18, 2012 at 2:50 AM
Stats:
Replies:8 Avg. Rating:
Views:4055 Votes:0
Shares:0

Related Content

Discussions Leaderboard