<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Certificate problems when deploying new 12.8.2.2 OVA in Aerohive Migrated Content</title>
    <link>https://community.extremenetworks.com/t5/aerohive-migrated-content/certificate-problems-when-deploying-new-12-8-2-2-ova/m-p/76809#M7237</link>
    <description>&lt;P&gt;When the hostname of the VA is changed, the certificate will not be regenerated. Ultimately this doesn't change anything, because the root CA isn't trusted either. There should always be a way to proceed to the requested site regardless of the untrusted cert; could you tell me what browsers you've tried this on? For instance, we use Firefox when we deploy on-premises HiveManagers to test with, and we always have an option to proceed despite the certificate error.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The only way to avoid these messages is to use a commercially signed certificate. I suggest looking here if you're interested, very fairly priced (PositiveSSL is what you want to look at): https://www.namecheap.com/security/ssl-certificates/comodo.aspx&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You will want to use a CSR form external to the HM GUI; here is some relevant information on that front:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The certificate bundle imported should be a PEM file. The certificate must be from a commercial, publicly trusted CA. Only commercial CAs that are already in a browser's trust store and conform to the commercial Baseline Requirements (BRs) are supported.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The PEM file needs to contain the server certificate, all intermediate certificates in order of chain of trust, the root CA certificate and then lastly the private key, in exactly that order. This can usually be checked in a text editor or can be checked via OpenSSL otherwise.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;No success message is currently observed in the UI when a certificate has been uploaded successfully, just so you are aware.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Something else to keep in mind: SAN certificates containing multiple domain names are not supported, as the CN needs to be used (a single SAN present with the same value as the CN is expected and normal).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Once a PEM file meeting these requirements has been uploaded, the HiveManager VA should be rebooted.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1) Please check the path to the root and intermediates by reviewing the subject and issuer down the list in OpenSSL (the root will have the same subject and issuer). Example:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;openssl crl2pkcs7 -nocrl -certfile example.pem | openssl pkcs7 -print_certs -noout&lt;/P&gt;&lt;P&gt;subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.example.com&lt;/P&gt;&lt;P&gt;issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA&lt;/P&gt;&lt;P&gt;issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority&lt;/P&gt;&lt;P&gt;issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;subject=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root&lt;/P&gt;&lt;P&gt;issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;*) If you do not observe the server certificate, all intermediate certificates in order of chain of trust, and then the root CA certificate, please correct this.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2) Also confirm that the public and private keys are a matched pair. Example:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;openssl rsa -noout -modulus -in example.pem | openssl sha256&lt;/P&gt;&lt;P&gt;dd8a668dc2e3e45e0b5c1b62b5bf9ef618d41c9e3c96dc8d9e0eabe56bde3265&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;openssl x509 -noout -modulus -in example.pem | openssl sha256&lt;/P&gt;&lt;P&gt;dd8a668dc2e3e45e0b5c1b62b5bf9ef618d41c9e3c96dc8d9e0eabe56bde3265&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;3) The private key for the server certificate must be in PKCS8 and not PKCS1 format; that is, you must observe BEGIN PRIVATE KEY and not BEGIN RSA PRIVATE KEY.&lt;/P&gt;&lt;P&gt;This can be checked in a text editor when in PEM format or can be checked via OpenSSL otherwise.&lt;/P&gt;</description>
    <pubDate>Mon, 04 Feb 2019 23:07:42 GMT</pubDate>
    <dc:creator>samantha_lynn</dc:creator>
    <dc:date>2019-02-04T23:07:42Z</dc:date>
    <item>
      <title>Certificate problems when deploying new 12.8.2.2 OVA</title>
      <link>https://community.extremenetworks.com/t5/aerohive-migrated-content/certificate-problems-when-deploying-new-12-8-2-2-ova/m-p/76808#M7236</link>
      <description>&lt;P&gt;I've deployed the 12.8.2.2 OVA to VMWare ESXi 6.7. As I'm sure everyone is aware, in 6.7 you cannot pre-configure the IP address and hostname when deploying the OVA any more; this means you get stuck with a DHCP address and "hivemanager-ng.aerohive.com" as the hostname.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I've tried changing these details via the HMVA Management portal, and while it does change the IP and hostname, it doesn't seem to change the certificate that gets created when deploying the OVA.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm now stuck with all browsers blocking access because the valid names on the cert are the DHCP address and "hivemanager-ng.aerohive.com". When adding an exception rule to the browsers to trust the cert, you get looped back to "This Connection is not Secure" and cannot load the controller home page.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have managed to get the homepage loaded by changing back to the original DHCP address and creating an entry in my local HOSTS file for "hivemanager-ng.aerohive.com"; this is less than ideal, though, as it means the portal can only be accessed from my workstation.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I would really appreciate any assistance, as I'm stuck now and cannot find a way forward.&lt;/P&gt;</description>
      <pubDate>Mon, 04 Feb 2019 15:10:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/aerohive-migrated-content/certificate-problems-when-deploying-new-12-8-2-2-ova/m-p/76808#M7236</guid>
      <dc:creator>michael_bliss</dc:creator>
      <dc:date>2019-02-04T15:10:00Z</dc:date>
    </item>
    <item>
      <title>Re: Certificate problems when deploying new 12.8.2.2 OVA</title>
      <link>https://community.extremenetworks.com/t5/aerohive-migrated-content/certificate-problems-when-deploying-new-12-8-2-2-ova/m-p/76809#M7237</link>
      <description>&lt;P&gt;When the hostname of the VA is changed, the certificate will not be regenerated. Ultimately this doesn't change anything, because the root CA isn't trusted either. There should always be a way to proceed to the requested site regardless of the untrusted cert; could you tell me what browsers you've tried this on? For instance, we use Firefox when we deploy on-premises HiveManagers to test with, and we always have an option to proceed despite the certificate error.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The only way to avoid these messages is to use a commercially signed certificate. I suggest looking here if you're interested, very fairly priced (PositiveSSL is what you want to look at): https://www.namecheap.com/security/ssl-certificates/comodo.aspx&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You will want to use a CSR form external to the HM GUI; here is some relevant information on that front:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The certificate bundle imported should be a PEM file. The certificate must be from a commercial, publicly trusted CA. Only commercial CAs that are already in a browser's trust store and conform to the commercial Baseline Requirements (BRs) are supported.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The PEM file needs to contain the server certificate, all intermediate certificates in order of chain of trust, the root CA certificate and then lastly the private key, in exactly that order. This can usually be checked in a text editor or can be checked via OpenSSL otherwise.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;No success message is currently observed in the UI when a certificate has been uploaded successfully, just so you are aware.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Something else to keep in mind: SAN certificates containing multiple domain names are not supported, as the CN needs to be used (a single SAN present with the same value as the CN is expected and normal).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Once a PEM file meeting these requirements has been uploaded, the HiveManager VA should be rebooted.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1) Please check the path to the root and intermediates by reviewing the subject and issuer down the list in OpenSSL (the root will have the same subject and issuer). Example:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;openssl crl2pkcs7 -nocrl -certfile example.pem | openssl pkcs7 -print_certs -noout&lt;/P&gt;&lt;P&gt;subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.example.com&lt;/P&gt;&lt;P&gt;issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA&lt;/P&gt;&lt;P&gt;issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority&lt;/P&gt;&lt;P&gt;issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;subject=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root&lt;/P&gt;&lt;P&gt;issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;*) If you do not observe the server certificate, all intermediate certificates in order of chain of trust, and then the root CA certificate, please correct this.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2) Also confirm that the public and private keys are a matched pair. Example:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;openssl rsa -noout -modulus -in example.pem | openssl sha256&lt;/P&gt;&lt;P&gt;dd8a668dc2e3e45e0b5c1b62b5bf9ef618d41c9e3c96dc8d9e0eabe56bde3265&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;openssl x509 -noout -modulus -in example.pem | openssl sha256&lt;/P&gt;&lt;P&gt;dd8a668dc2e3e45e0b5c1b62b5bf9ef618d41c9e3c96dc8d9e0eabe56bde3265&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;3) The private key for the server certificate must be in PKCS8 and not PKCS1 format; that is, you must observe BEGIN PRIVATE KEY and not BEGIN RSA PRIVATE KEY.&lt;/P&gt;&lt;P&gt;This can be checked in a text editor when in PEM format or can be checked via OpenSSL otherwise.&lt;/P&gt;</description>
      <pubDate>Mon, 04 Feb 2019 23:07:42 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/aerohive-migrated-content/certificate-problems-when-deploying-new-12-8-2-2-ova/m-p/76809#M7237</guid>
      <dc:creator>samantha_lynn</dc:creator>
      <dc:date>2019-02-04T23:07:42Z</dc:date>
    </item>
    <item>
      <title>Re: Certificate problems when deploying new 12.8.2.2 OVA</title>
      <link>https://community.extremenetworks.com/t5/aerohive-migrated-content/certificate-problems-when-deploying-new-12-8-2-2-ova/m-p/76810#M7238</link>
      <description>&lt;P&gt;Thank you for the detailed response.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I've tried with IE, Edge, FF and Chrome. It's odd behavior for sure; normally, if I run into cert issues on a site, I can add an exception and continue as normal, but for some reason this isn't the case with 12.8.2.2.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I currently only have a wildcard cert and our SCM processes are rather slow, but I'll see if I can get it moving so that we can get this sorted.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In the meantime, I have access to the console via a HOSTS file entry. Would it be OK to import the VHM data and start migrating APs to the new controller, or should I wait until everything is sorted?&lt;/P&gt;</description>
      <pubDate>Tue, 05 Feb 2019 15:24:41 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/aerohive-migrated-content/certificate-problems-when-deploying-new-12-8-2-2-ova/m-p/76810#M7238</guid>
      <dc:creator>michael_bliss</dc:creator>
      <dc:date>2019-02-05T15:24:41Z</dc:date>
    </item>
    <item>
      <title>Re: Certificate problems when deploying new 12.8.2.2 OVA</title>
      <link>https://community.extremenetworks.com/t5/aerohive-migrated-content/certificate-problems-when-deploying-new-12-8-2-2-ova/m-p/76811#M7239</link>
      <description>&lt;P&gt;Thank you for your patience, I've been asking around to see what our best course of action would be and the consensus is that the best path would be to redeploy the HiveManager, let it pull an address from the DHCP server, then assign the address it pulls statically to the HiveManager. Is that something we could try?&lt;/P&gt;</description>
      <pubDate>Fri, 08 Feb 2019 02:46:24 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/aerohive-migrated-content/certificate-problems-when-deploying-new-12-8-2-2-ova/m-p/76811#M7239</guid>
      <dc:creator>samantha_lynn</dc:creator>
      <dc:date>2019-02-08T02:46:24Z</dc:date>
    </item>
    <item>
      <title>Re: Certificate problems when deploying new 12.8.2.2 OVA</title>
      <link>https://community.extremenetworks.com/t5/aerohive-migrated-content/certificate-problems-when-deploying-new-12-8-2-2-ova/m-p/76812#M7240</link>
      <description>&lt;P&gt;Good morning. I think that will get me to where I am now. I can access the new controller via aerohive-ng.aerohive.com (entry in hosts) and sign in successfully.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I've imported the VHM file from my old controller and all settings have moved across. I then set one of my APs to Managed, but for whatever reason the controller cannot see it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I can ping the AP from the controller and ping the controller from the AP, so I'm not sure why the AP won't go into a managed state.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The AP I'm trying to add to Managed has this setting set:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;capwap client server name cloud-ie-cws-4.aerohive.com&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I've tried changing it to the IP of my new controller, but to no avail. I'm busy searching the forum for a solution; hopefully I'll find something.&lt;/P&gt;</description>
      <pubDate>Fri, 08 Feb 2019 13:43:49 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/aerohive-migrated-content/certificate-problems-when-deploying-new-12-8-2-2-ova/m-p/76812#M7240</guid>
      <dc:creator>michael_bliss</dc:creator>
      <dc:date>2019-02-08T13:43:49Z</dc:date>
    </item>
    <item>
      <title>Re: Certificate problems when deploying new 12.8.2.2 OVA</title>
      <link>https://community.extremenetworks.com/t5/aerohive-migrated-content/certificate-problems-when-deploying-new-12-8-2-2-ova/m-p/76813#M7241</link>
      <description>&lt;P&gt;Winning!!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;https://thehivecommunity.aerohive.com/s/article/CAPWAP-Guide-for-HiveManager-NG&lt;/P&gt;</description>
      <pubDate>Fri, 08 Feb 2019 13:49:54 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/aerohive-migrated-content/certificate-problems-when-deploying-new-12-8-2-2-ova/m-p/76813#M7241</guid>
      <dc:creator>michael_bliss</dc:creator>
      <dc:date>2019-02-08T13:49:54Z</dc:date>
    </item>
  </channel>
</rss>

