This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Legacy
- Aerohive Migrated Content
- Certificate problems when deploying new 12.8.2.2 O...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Certificate problems when deploying new 12.8.2.2 OVA
Certificate problems when deploying new 12.8.2.2 OVA
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-04-2019 07:10 AM
Ive deployed the 12.8.2.2 OVA to VMWare ESXi 6.7, as Im sure everyone is aware, in 6.7 you cannot pre-configure IP address and Hostname when deploying the OVA any more, this means you get stuck with a DHCP address and "hivemanager-ng.aerohive.com" as the hostname.
Ive tried changing these details via the HMVA Management portal, and while it does change the IP and Hostname, it doesnt seem to change the certificate that gets created when deploying the OVA.
Im now stuck with all browsers blocking access because the valid names on the cert are the DHCP address and "hivemanager-ng.aerohive.com". When adding an exception rule to the browsers to trust the cert, you get looped back to "This Connection is not Secure" and cannot load the controller home page.
I have managed to get the homepage loaded by changing back to the original DHCP address and creating an entry in my local HOSTS file for "hivemanager-ng.aerohive.com", this is less than ideal though as it means the portal can only be accessed from my workstation.
I would really appreciate any assistance as im stuck now and cannot find a way forward.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-04-2019 03:07 PM
When the hostname of the VA is changed, the certificate will not be regenerated. Ultimately this doesn't change anything, because the root CA isn't trusted either. There should always be a way to proceed to the requested site regardless of the untrusted cert, could you tell me what browsers you've tried this on? For instance we use Firefox when we deploy on premises HiveManagers to test with, and we always have an option to proceed despite the certificate error.
The only way to avoid these messages is to use a commercially signed certificate. I suggest looking here if you're interested, very fairly priced (PositiveSSL is what you want to look at): https://www.namecheap.com/security/ssl-certificates/comodo.aspx
You will want to use an CSR form external to the HM GUI, here is some relevant information on that front:
The certificate bundle imported should be a PEM file. The certificate must be from a commercial, publicly trusted CA. Only commercial CAs that are already in a browser's trust store and conform to the commercial Baseline Requirements (BRs) are supported.
The PEM file needs to contain the server certificate, all intermediate certificates in order of chain of trust, the root CA certificate and then lastly the private key in exactly that order. This can usually be checked in a text editor or can be checked via OpenSSL otherwise.
No success message is currently observed in the UI when a certificate has been uploaded successfully, just so you are aware.
Something else to keep in mind, SAN certificates containing multiple domain names are not supported as the CN needs to be used (a single SAN present with the same value of the CN is expected and normal).
Once a PEM file meeting these requirements has been uploaded, the HiveManager VA should be rebooted.
1) Please check the path to the root and intermediates by reviewing the subject and issuer down the list in OpenSSL (the root will have the same subject and issuer). Example:
openssl crl2pkcs7 -nocrl -certfile example.pem | openssl pkcs7 -print_certs -noout
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.example.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
subject=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
subject=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
*) If you do not observe the server certificate, all intermediate certificates in order of chain of trust, and then the root CA certificate, please correct this.
2) Also confirm that public and private key are matched pairs. Example:
openssl rsa -noout -modulus -in example.pem | openssl sha256
dd8a668dc2e3e45e0b5c1b62b5bf9ef618d41c9e3c96dc8d9e0eabe56bde3265
openssl x509 -noout -modulus -in example.pem | openssl sha256
dd8a668dc2e3e45e0b5c1b62b5bf9ef618d41c9e3c96dc8d9e0eabe56bde3265
3) The private key for the server certificate must be in PKCS8 and not PKCS1 format, that is, you must observe BEGIN PRIVATE KEY and not BEGIN RSA PRIVATE KEY.
This can be checked in a text editor when in PEM format or can be checked via OpenSSL otherwise.
