Cisco Support Community
Community Member

ACS 5.4 - invalid management certificate, GUI is not accessible

Hello all,

By my fault, I've set an invalid management certificate. So, the GUI became inaccessible right after a reboot of the mgmt service.

Mozilla Firefox is reporting "Certificate type not approved for application (Error code: sec_error_inadequate_cert_type)"

IE says "IE cannot display the webpage"

(both browsers asked for a security exception because of the new cert)

I went to acs-config mode and tried to reset the certificate with the "reset-management-interface-certificate" command, but it failed:

Resetting ACS Management Interface Certificate...

Failed to Reset Management Interface Certificate.

See the logs for more details.

==> /opt/CSCOacs/logs/acsRuntime.log <==

PKILogic,04/03/2014,18:06:09:474,ERROR,3081878416,cntx=0000000460,PKILogic::onGenerateSelfSignedCertificateEx2Request: MD5 digest is not supported,PKILogic.cpp:359

Then I tried "acs restore", but it didn't solve the problem either; the invalid certificate is still there :-(

Any idea how to solve it?

Thanks

P.S.: the version is: 5.4.0.46.5

4 REPLIES
Cisco Employee

Try this:

reset-management-interface-certificate

To reset the management interface certificate to a default self-signed certificate, use the reset-management-interface-certificate command in the ACS Configuration mode. Only the super admin and system admin can run this command.

Command Reference:

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/command/reference/cli/cli_app_a.html#wp2063454

~BR
Jatin Katyal

Community Member

Hi Jatin,

I actually did that, but it failed:

Resetting ACS Management Interface Certificate...

Failed to Reset Management Interface Certificate.

See the logs for more details.

(The log is attached in my initial post)

Thanks for your reply.

Community Member

Hi, I am unable to log onto my GUI even though I successfully ran the reset-management-interface-certificate command in the ACS Configuration mode twice. In acsRuntime.log I have errors like:

When I manually created a certificate

ERROR PKILogic::onGenerateSelfSignedCertificateEx2Request:Generation failed ; error=Invalid certificate subject DN length,PKILogic.cpp:378

Eap, 07/03/2014 18:05:165,WARN ,3010931616,NIL-CONTEXT,configureCTL = Failed to initializeCTL,EapConfigObjectBase.cpp:335

When I ran the reset certificate CLI command

ERROR, 3056110496,NIL-CONTEXT,DeviceAttrFactory::createAttrValue with marker = " .DeviceAttrFactory.cpp:29 Shellprofile, 07/03/2014

When I attempt to use the GUI.... ERROR,2954697632,onException - reason activemq::to::SocketInputStream::read - The connection is broken; state connected; stack trace: activemq::io::SocketInputStream::read - The connection is broken

Will a restore help?

Community Member

Hi Stuart,

that's a good point, the "restore" could maybe solve it, but I haven't made a full backup before :-(

And "acs restore" didn't fix the problem for me.

I had to re-install the ACS in the end:

1) application remove acs
2) application install ACS_5.4.0.46.0a.tar.gz "repository"    (tftp repository doesn't work)
3) acs patch install 5-4-0-46-6.tar.gpg repository "repository"
4) acs restore backup.tar.gpg repository "repository"

Regards
