New Member

SPA122 1.3.2(014) HTTPS ssl cert profile problem

Hello,

I have a problem since upgrading SPA122 from 1.3.1(003) to 1.3.2(014). The profile rule is using https to get the config files every 1 hour or so

This was never a problem: the rule is a FQDN, the SPA does a DNS lookup, gets the IP and asks the web server for the config file. Both 1.3.1 and 1.3.2 request the file with the resolved IP address rather than the FQDN.

Now the web server has a valid certificate for that FQDN, but as the SPA122 is requesting the file with the IP address the cert is not valid (CN Incorrect: CN is wildcard *.domain.com and the IP address is not the FQDN).

In 1.3.1 the SPA didn't seem to care too much, got the file and provisioned; 1.3.2 now gives an error and says cert err!

I changed the FQDN for security reasons: here is what the log of the SPA says: prule is https://FQDN:9192

Nov 15 14:37:13 Y.Y.Y.Y SCAPC_init(): provision_enable=1 prule=https://ruxxx1.axxxxxxxxxxs.com:9192/xm-$MA.ipr tftp=192.168.1.3

but here is what the SPA asks then:

Nov 15 14:40:43 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Requesting resync https://X.X.X.X:9192/xm-ac1234562d0a.ipr

Nov 15 14:40:43 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Requesting resync https://X.X.X.X:9192/xm-ac1234562d0a.ipr

Nov 15 14:40:43 Y.Y.Y.Y FMM >>>> Requesting profile

Nov 15 14:40:43 Y.Y.Y.Y ssl cert err 20

Nov 15 14:40:43 Y.Y.Y.Y create ssl connection failed

Nov 15 14:40:43 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Resync failed: https_get failed

Nov 15 14:40:43 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Resync failed: https_get failed

Nov 15 14:40:43 Y.Y.Y.Y FMM >>>> Failed profile

while in 1.3.1 it got it fine:

Nov 15 14:36:42 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Requesting resync https://X.X.X.X:9192/xm-ac1234562d0a.ipr

Nov 15 14:36:42 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Requesting resync https://X.X.X.X:9192/xm-ac1234562d0a.ipr

Nov 15 14:36:42 Y.Y.Y.Y FMM >>>> Requesting profile

Nov 15 14:36:44 Y.Y.Y.Y ok=20

Nov 15 14:36:44 Y.Y.Y.Y content len (hdr) =21056"

Nov 15 14:36:44 Y.Y.Y.Y content len (pld) =21056

Nov 15 14:36:44 Y.Y.Y.Y response code =200

Nov 15 14:36:44 Y.Y.Y.Y [FPRV] Upgrade status flags cleared

Nov 15 14:36:44 Y.Y.Y.Y [FPRV] Upgrade status flags cleared

Nov 15 14:36:44 Y.Y.Y.Y Firmware downgrade limit()

Nov 15 14:36:44 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Successful resync https://X.X.X.X:9192/xm-ac1234562d0a.ipr

Nov 15 14:36:44 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Successful resync https://X.X.X.X:9192/xm-ac1234562d0a.ipr

Nov 15 14:36:44 Y.Y.Y.Y FMM >>>> Successful profile

IS this a BUG??:

- Shouldn't the SPA do the https GET with the FQDN rather than the IP address?

- Is this because the certificate is a wildcard?

- The cert is from GeoTrust (RapidSSL), it should be trusted

Thanks

Sven

3 REPLIES
VIP Gold

SPA122 1.3.2(014) HTTPS ssl cert profile problem

- The cert is from GeoTrust (RapidSSL), it should be trusted

Definitely no. Why do you think a RapidSSL certificate should be trusted?

If you are going to configure the device in factory default state, then you need to have a certificate issued by a CA trusted by your device. Or you can add the certificate of your preferred CA to the device by hand, then you can use a certificate issued by such a CA as well (but not after a reset to factory default).

New Member

I have the same issue and I

I have the same issue and I had also noticed that the SPA turns the provisioning server URL into an IP address in its requests. I'm pretty sure my server doesn't like that. I also get the SSL error. Verisign/Symantec certificate.

VIP Gold

Same issue, same response.

Same issue, same response. You misidentified the cause of the problem.

The true cause is that Verisign is not a CA trusted by your device. You shall use a certificate issued by a trusted authority if you wish for success.
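The two causes argued over in this thread, a name mismatch (wildcard CN versus an IP-literal URL) and an issuing CA that is not in the device's trust store, can be told apart with the checks below. This is an added example, not code from the poster or from Cisco: the certificate dictionaries, the host ruxxx1.domain.com and the address 192.0.2.10 are constructed placeholders, and reading "ssl cert err 20" as an OpenSSL X509 verify code is an assumption about the device's TLS stack.

```python
import ipaddress

# Constructed sample certificates: the wildcard cert the thread describes,
# and the same cert with an iPAddress SAN added for the provisioning server.
WILDCARD_CERT = {"cn": "*.domain.com", "san_dns": ["*.domain.com", "domain.com"], "san_ip": []}
IP_SAN_CERT = {"cn": "*.domain.com", "san_dns": ["*.domain.com"], "san_ip": ["192.0.2.10"]}


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison: '*' is allowed only as the whole left-most
    label and matches exactly one label, so '*.domain.com' matches
    'ruxxx1.domain.com' but not 'domain.com' or 'a.b.domain.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_identity(cert: dict, identity: str) -> bool:
    """True if the certificate is valid for the identity used in the URL.
    An IP literal is compared only against iPAddress SANs; dNSName entries
    and the legacy CN are never matched against an IP, which is why a
    request to https://X.X.X.X/ fails against a '*.domain.com' cert."""
    try:
        ip = ipaddress.ip_address(identity)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in cert.get("san_ip", []))
    # The CN is consulted only when the certificate carries no dNSName SAN.
    names = cert.get("san_dns") or [cert["cn"]]
    return any(dns_name_matches(n, identity) for n in names)


# OpenSSL X509 verify result codes (assumption: the SPA logs this numbering).
OPENSSL_VERIFY_ERRORS = {
    10: "certificate has expired",
    18: "self-signed certificate",
    19: "self-signed certificate in chain",
    20: "unable to get local issuer certificate (issuing CA not in the trust store)",
    21: "unable to verify the first certificate",
    62: "hostname mismatch",
    64: "IP address mismatch",
}


def explain_ssl_err(code: int) -> str:
    """Map a logged verify code to its meaning; 20 is a chain-trust failure,
    not a name mismatch (that would be 62 or 64)."""
    return OPENSSL_VERIFY_ERRORS.get(code, f"unknown verify error {code}")
```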
