Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11925
Views
30
Helpful
10
Replies

ACS 5.5 secondary registration - Registration failed due to Invalid Certificate

Go to solution
russell_parker
Level 1
Level 1

‎03-25-2014 02:17 AM - edited ‎03-10-2019 09:34 PM

 
2 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎03-26-2014 07:44 AM

When you enable Trust Communication on your primary and secondary ACS instance, and you register the secondary instance with the primary, both the primary and secondary instance check the CA and server certificates of each other. After the certificates are verified:
If the certificates in both the primary and secondary ACS instances are valid certificates, the instances establish a secure tunnel between them and register the secondary instance to the primary.
 
I don't think it supports self-signed certificate however you can try installing the self-signed certificate of Primary in the secondary instance CA store and self signed certificate of secondary in the primary instance CA store.
 
For more information on this feature please read it here: Trust communication in distributed deployment
 
Regards,
Jatin Katyal
*Do rate helpful posts*
 
~Jatin

View solution in original post

10 Replies 10

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni

‎03-25-2014 10:33 PM

Hi,

do you have correct time configured on both servers?

If not, configure correct time then try generate new SSC and try again.


HTH

 

Amjad

Rating useful replies is more useful than saying "Thank you"
0 Helpful

Go to solution
russell_parker
Level 1
Level 1
In response to Amjad Abdullah

‎03-26-2014 07:52 AM

Hi Amjad,

NTP is correctly configured on both systems, both receiving the time from the same source.

 

Rgds

 

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎03-26-2014 07:44 AM

When you enable Trust Communication on your primary and secondary ACS instance, and you register the secondary instance with the primary, both the primary and secondary instance check the CA and server certificates of each other. After the certificates are verified:
If the certificates in both the primary and secondary ACS instances are valid certificates, the instances establish a secure tunnel between them and register the secondary instance to the primary.
 
I don't think it supports self-signed certificate however you can try installing the self-signed certificate of Primary in the secondary instance CA store and self signed certificate of secondary in the primary instance CA store.
 
For more information on this feature please read it here: Trust communication in distributed deployment
 
Regards,
Jatin Katyal
*Do rate helpful posts*
 
~Jatin

Go to solution
russell_parker
Level 1
Level 1
In response to Jatin Katyal

‎03-26-2014 07:56 AM

Hi Jatin,

That is what I was becoming to believe.

To get around the problem, I turned off the Trust Communications on both systems and this then worked.

I may re-visit the Trust at some later date.

I take your point about self-signed certificates as this is probably not trusted by the systems by its very nature.

 

Many thanks for your help

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to russell_parker

‎03-26-2014 08:04 AM

that's right...when you turn off the trust, the cert's will not come in picture and you can resgister the nodes without having a secure tunnel. Let me know if you need more help on this.

 

Regards,

Jatin Katyal

*Do rate helpful posts*

~Jatin
0 Helpful

Go to solution
Cameron Birky
Level 1
Level 1
In response to Jatin Katyal

‎10-16-2014 04:01 PM

I have geotrust certs on the primary node and on the new secondary node I am trying to add.  do you know why would I still get this error?

0 Helpful

Go to solution
mstefanka
Level 1
Level 1
In response to Jatin Katyal

‎09-28-2017 04:53 AM

even with Trust OFF, you have secured comunication between nodes (perhaps using self-signed cert). However your node will trust any certificate for communication (security risk).

 

0 Helpful

Go to solution
ahn-david
Level 1
Level 1
In response to russell_parker

‎07-01-2014 07:49 PM

How do I turn off the trust communications? I've run into the same issue while trying to register a secondary.

Cheers,

 

David

Go to solution
ahn-david
Level 1
Level 1
In response to ahn-david

‎07-01-2014 07:51 PM

ignore that...found it

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to ahn-david

‎07-01-2014 08:39 PM

Step 1 Choose System Administration > Configuration > Global System Options > Trust Communication Settings.

Step 2 Un-Check the Enable Nodes Trust Communication check box.

Step 3 Click Submit.

 

Regards,

Jatin

~Jatin
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents