topic Re: Switch can't connect to HiveManager! Get following message: Peer certificate cannot be authenticated with given CA certifcates. in Aerohive Migrated Content

Switch can't connect to HiveManager! Get following message: Peer certificate cannot be authenticated with given CA certifcates.

benjamin_heravi — Tue, 08 Oct 2019 14:57:08 GMT

I have three SR2224P switches and they fail to get connected to HiveManager. I get the following message when I check the Hivemanager status: "Peer certificate cannot be authenticated with given CA certifcates". What could be the reson?

PS: I updated the HiveAgent to 1.1.19.0 , OS version is 1.0.1.26, have google dns and aerohive sntp is configured (checked time) on all switches but still have the same problem.

Re: Switch can't connect to HiveManager! Get following message: Peer certificate cannot be authenticated with given CA certifcates.

samantha_lynn — Tue, 08 Oct 2019 20:12:44 GMT

Can you tell me if your HiveManager is resolved to a private IPv4 address or a public IPv4 address? I ask because we've seen this issue with HiveManagers resolving to a public address, which is an unsupported design, so we will need to verify that the HiveManager resolves to a private address.

Re: Switch can't connect to HiveManager! Get following message: Peer certificate cannot be authenticated with given CA certifcates.

benjamin_heravi — Tue, 08 Oct 2019 20:29:23 GMT

Our HiveManager is resolved by a public IPv4 address and our customers devices reach HM by redirector & public ip. We have accesspoints connected to these switches at the customer site and they get connected to our HM but not switches.

Re: Switch can't connect to HiveManager! Get following message: Peer certificate cannot be authenticated with given CA certifcates.

samantha_lynn — Tue, 08 Oct 2019 20:37:30 GMT

In Aerohive's current design is there is no support for the HiveManager VA when resolved to a public IPv4 address on a switch in HiveAgent.

This is unsupported because Aerohive's engineering designed this in way which means that a public IPv4 is only functional where HiveAgent is connecting to Aerohive's Cloud HiveManager, explicitly using only the Comodo root that is in use for the Cloud at https://cloud.aerohive.com/

When HiveManager is resolved to a private IPv4 address, a lower level of certificate checking takes place and the self-signed certificate is supported by design. When HiveManager is resolved to a public IPv4 address, a higher level of certificate checks takes place and the self-signed certificate is not supported by design.

If for example, Aerohive changed its root from Comodo to a different one in the future, the deployment might be subject to breaking, it would be fragile and at risk to this. Therefore, there this set up is not supported.

Re: Switch can't connect to HiveManager! Get following message: Peer certificate cannot be authenticated with given CA certifcates.

benjamin_heravi — Sat, 12 Oct 2019 21:37:32 GMT

Thank you Sam!

If i don't misunderstand you, it's not possible to connect the Aerohive Switches to HiveManager NGs (on-premise) public IPv4. Is that right? So how can we manage the Aerohive switches at the customer site? Should we always create a site-to-site tunnel or there is another way?

Re: Switch can't connect to HiveManager! Get following message: Peer certificate cannot be authenticated with given CA certifcates.

samantha_lynn — Mon, 14 Oct 2019 19:59:39 GMT

That is correct, a public IPv4 address will not work. You would want to manage the devices via the HiveManager, and/or a site-to-site tunnel would work as well.