Cisco Support Community

New Member

ACS 3.3 invalid or corrupt SSL cert installed

Hi,

I've installed a new SSL certificate to replace the old one, which was about to expire. After this cert update I can no longer access the ACS server for admin purposes. I get the error "Cannot establish ciphered connection because the certificate presented by <servername> is invalid or corrupt. Error code: -8101" or something similar, as the message is in Spanish.

I've tried to restart the CSAdmin service without success. I've also looked at the different CS tools, but none of them addresses this, nor does the ACS User Guide.

Is there a way to remove the certificate from the command line or other?

Any help would be appreciated as I don't want to reinstall/rebuild the server.

Thanks,

Niels

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ACS 3.3 invalid or corrupt SSL cert installed

If the ACS is 3.3.4 or below, then it can be disabled via the registry. 4.x doesn't have any registry settings to tweak.

For 4.x

One possible workaround available to us is that if a backup of ACS taken previous to enabling HTTPS is there, we can restore the same and get around the issue.

For 3.3.x

To restore access using HTTP to your server, you will need to change the registry setting to disable HTTPS. Here is the location of the reg key:

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.2\CSAdmin\Config\HTTPSSupport

Change this value from 2 to 1.

Regards,

~JG

Do rate helpful posts

7 REPLIES
Bronze

Re: ACS 3.3 invalid or corrupt SSL cert installed

This chapter addresses authentication and certification features found in the System Configuration section of Cisco Secure ACS Solution Engine.

http://cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/user/guide/sau.html

New Member

Re: ACS 3.3 invalid or corrupt SSL cert installed

JG, I will try this asap, and let you know. Thanks for this. The version is 3.3.4b14, the last supported patched version.

Cheers,

Niels

New Member

Re: ACS 3.3 invalid or corrupt SSL cert installed

Thanks JG!! After changing the value and restarting the CSAdmin service I finally got access to the ACS app.

Cheers,

Niels

New Member

Re: ACS 3.3 invalid or corrupt SSL cert installed

Hello,

I've got the same behaviour on an appliance (version 4).

Do I need to reinstall all configuration on ACS?

Thanks in advance.

Regards.

New Member

Re: ACS 3.3 invalid or corrupt SSL cert installed

On 3.3 I didn't have to reinstall any configuration. What the registry value change does is simply remove the SSL session encryption, and that leaves HTTP available. Once I had restarted the CSAdmin service I could connect using HTTP and then install a new cert, configure the cert trust list and re-enable the HTTPS admin session option.

I would assume that being version 4 and an appliance makes no difference. This is ONLY an assumption, you should check this out in your lab before trying it on a production environment system.

Make sure that you configure the Cert Trust List before enabling the HTTPS feature.

Cheers,

Niels
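
The 3.3.x recovery steps described in this thread (change HTTPSSupport from 2 to 1, then restart CSAdmin), as an added PowerShell example that is not part of any post here and is not Cisco tooling. It assumes HTTPSSupport is a value under the CSAdmin\Config key, that the Windows service is named CSAdmin, and that PowerShell is available on the ACS host; the backup directory is a placeholder.

```powershell
# Added example, not from the thread. Assumptions: HTTPSSupport is a value under
# the CSAdmin\Config key, the Windows service is named CSAdmin, and PowerShell is
# run elevated on the ACS 3.3.x host. The backup directory is a placeholder.
$SubKey    = 'SOFTWARE\Cisco\CiscoAAAv3.2\CSAdmin\Config'
$ValueName = 'HTTPSSupport'
$Service   = 'CSAdmin'
$BackupDir = 'C:\acs-backup'

function Set-AcsHttpsSupport {
    param([int]$Expected, [int]$New)

    $key = Get-Item -Path "HKLM:\$SubKey" -ErrorAction Stop
    if ($key.GetValueNames() -notcontains $ValueName) {
        throw "$ValueName not found under HKLM\$SubKey; nothing changed."
    }
    $current = $key.GetValue($ValueName)
    $kind    = $key.GetValueKind($ValueName)   # keep the existing value type
    if ([int]$current -ne $Expected) {
        throw "$ValueName is $current, expected $Expected; nothing changed."
    }

    # Export the key first so the change can be rolled back with 'reg import'.
    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    $backup = Join-Path $BackupDir ("csadmin-config-{0}.reg" -f (Get-Date -Format 'yyyyMMddHHmmss'))
    & reg.exe export "HKLM\$SubKey" $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; nothing changed.' }

    [Microsoft.Win32.Registry]::SetValue("HKEY_LOCAL_MACHINE\$SubKey", $ValueName, $New, $kind)
    Restart-Service -Name $Service -ErrorAction Stop

    # Re-read from the registry to confirm what CSAdmin will now use.
    $after = (Get-ItemProperty -Path "HKLM:\$SubKey" -Name $ValueName).$ValueName
    "Backup: $backup; $ValueName changed from $current to $after; $Service restarted."
}

# Accepted solution for 3.3.x: change the value from 2 to 1 to get back in over HTTP.
Set-AcsHttpsSupport -Expected 2 -New 1
```

While the value is 1 the admin interface is served over plain HTTP; as the post above describes, HTTPS is re-enabled from the admin session option once the new certificate and the Cert Trust List are configured.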

New Member

Re: ACS 3.3 invalid or corrupt SSL cert installed

Hello Niels,

The difference is that on an appliance, there is no way to access the registry. So I cannot change the value to deactivate the ssh and I can't access the configuration through https or http.

Best regards.
