Certificate problems when deploying new 12.8.2.2 OVA

michael_bliss
New Contributor

I've deployed the 12.8.2.2 OVA to VMware ESXi 6.7. As I'm sure everyone is aware, in 6.7 you cannot pre-configure the IP address and hostname when deploying the OVA any more, which means you get stuck with a DHCP address and "hivemanager-ng.aerohive.com" as the hostname.

I've tried changing these details via the HMVA Management portal, and while it does change the IP and hostname, it doesn't seem to change the certificate that gets created when deploying the OVA.

I'm now stuck with all browsers blocking access because the valid names on the cert are the DHCP address and "hivemanager-ng.aerohive.com". When adding an exception rule to the browsers to trust the cert, you get looped back to "This Connection is not Secure" and cannot load the controller home page.

I have managed to get the home page loaded by changing back to the original DHCP address and creating an entry in my local HOSTS file for "hivemanager-ng.aerohive.com". This is less than ideal, though, as it means the portal can only be accessed from my workstation.

I would really appreciate any assistance, as I'm stuck now and cannot find a way forward.

samantha_lynn
Esteemed Contributor III

When the hostname of the VA is changed, the certificate will not be regenerated. Ultimately this doesn't change anything, because the root CA isn't trusted either. There should always be a way to proceed to the requested site regardless of the untrusted cert; could you tell me what browsers you've tried this on? For instance, we use Firefox when we deploy on-premises HiveManagers to test with, and we always have an option to proceed despite the certificate error.

The only way to avoid these messages is to use a commercially signed certificate. I suggest looking here if you're interested; it is very fairly priced (PositiveSSL is what you want to look at): https://www.namecheap.com/security/ssl-certificates/comodo.aspx

You will want to use a CSR form external to the HM GUI. Here is some relevant information on that front:

The certificate bundle imported should be a PEM file. The certificate must be from a commercial, publicly trusted CA. Only commercial CAs that are already in a browser's trust store and conform to the commercial Baseline Requirements (BRs) are supported.

The PEM file needs to contain the server certificate, all intermediate certificates in order of chain of trust, the root CA certificate, and then lastly the private key, in exactly that order. This can usually be checked in a text editor, or can be checked via OpenSSL otherwise.

No success message is currently observed in the UI when a certificate has been uploaded successfully, just so you are aware.

Something else to keep in mind: SAN certificates containing multiple domain names are not supported, as the CN needs to be used (a single SAN present with the same value as the CN is expected and normal).

Once a PEM file meeting these requirements has been uploaded, the HiveManager VA should be rebooted.

1) Please check the path to the root and intermediates by reviewing the subject and issuer down the list in OpenSSL (the root will have the same subject and issuer). Example:

openssl crl2pkcs7 -nocrl -certfile example.pem | openssl pkcs7 -print_certs -noout

subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.example.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA

subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority

subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

subject=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

*) If you do not observe the server certificate, all intermediate certificates in order of chain of trust, and then the root CA certificate, please correct this.

2) Also confirm that the public and private key are a matched pair. Example:

openssl rsa -noout -modulus -in example.pem | openssl sha256
dd8a668dc2e3e45e0b5c1b62b5bf9ef618d41c9e3c96dc8d9e0eabe56bde3265

openssl x509 -noout -modulus -in example.pem | openssl sha256
dd8a668dc2e3e45e0b5c1b62b5bf9ef618d41c9e3c96dc8d9e0eabe56bde3265

3) The private key for the server certificate must be in PKCS8 and not PKCS1 format; that is, you must observe BEGIN PRIVATE KEY and not BEGIN RSA PRIVATE KEY.

This can be checked in a text editor when in PEM format, or can be checked via OpenSSL otherwise.
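The bundle layout rules in the reply above (certificates first, exactly one private key last, and that key in PKCS#8 form) can be pre-checked before uploading. The following script is an added example, not part of the original thread or the HiveManager product; it only inspects PEM block labels and order, so the subject/issuer chain check and the modulus comparison still need the openssl commands shown above. The sample bundles it builds are constructed placeholders, not real certificates.

```python
import re

# Matches one PEM block and captures its label (CERTIFICATE, PRIVATE KEY, ...).
# Bodies are never decoded, so placeholder bodies are fine for testing.
_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return the PEM block labels in file order."""
    return [m.group(1) for m in _BLOCK_RE.finditer(text)]

def check_bundle_layout(text):
    """Return a list of layout problems; an empty list means the order and key
    type match what the reply above says the HiveManager upload expects."""
    labels = pem_blocks(text)
    problems = []
    certs = [l for l in labels if l == "CERTIFICATE"]
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    # Server cert plus at least the root CA: fewer than two is a truncated chain.
    if len(certs) < 2:
        problems.append("expected server cert plus CA cert(s), found %d CERTIFICATE block(s)" % len(certs))
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    elif keys[0] == "RSA PRIVATE KEY":
        problems.append("private key is PKCS#1 (BEGIN RSA PRIVATE KEY); PKCS#8 (BEGIN PRIVATE KEY) is required")
    elif keys[0] != "PRIVATE KEY":
        problems.append("unexpected private key block type: " + keys[0])
    # The key must be the final block, after the certificates.
    if labels and not labels[-1].endswith("PRIVATE KEY"):
        problems.append("private key must be the last block in the file")
    if any(l != "CERTIFICATE" and not l.endswith("PRIVATE KEY") for l in labels):
        problems.append("bundle contains a block that is neither a certificate nor a private key")
    return problems

def _fake_block(label):
    # Constructed placeholder block for demonstration; not real key material.
    return "-----BEGIN %s-----\nMIIBplaceholder\n-----END %s-----\n" % (label, label)

# Constructed sample bundles: server, intermediate, root, then key (good);
# same chain with a PKCS#1 key; and the key placed first.
GOOD_BUNDLE = _fake_block("CERTIFICATE") * 3 + _fake_block("PRIVATE KEY")
PKCS1_BUNDLE = _fake_block("CERTIFICATE") * 3 + _fake_block("RSA PRIVATE KEY")
KEY_FIRST_BUNDLE = _fake_block("PRIVATE KEY") + _fake_block("CERTIFICATE") * 3

if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("pkcs1", PKCS1_BUNDLE), ("key-first", KEY_FIRST_BUNDLE)):
        print(name, check_bundle_layout(bundle) or "OK")
```

A PKCS#1 key can be rewritten to PKCS#8 with `openssl pkcs8 -topk8 -nocrypt -in key.pem -out key8.pem` before rebuilding the bundle.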