
Switch can't connect to HiveManager! Get following message: Peer certificate cannot be authenticated with given CA certifcates.

benjamin_heravi
New Contributor

I have three SR2224P switches and they fail to connect to HiveManager. I get the following message when I check the HiveManager status: "Peer certificate cannot be authenticated with given CA certifcates". What could be the reason?

PS: I updated the HiveAgent to 1.1.19.0, the OS version is 1.0.1.26, and Google DNS and Aerohive SNTP are configured (checked time) on all switches, but I still have the same problem.

5 REPLIES 5

samantha_lynn
Esteemed Contributor III

That is correct, a public IPv4 address will not work. You would want to manage the devices via the HiveManager, and/or a site-to-site tunnel would work as well.

benjamin_heravi
New Contributor

Thank you Sam!

If I don't misunderstand you, it's not possible to connect the Aerohive switches to HiveManager NG's (on-premise) public IPv4. Is that right? So how can we manage the Aerohive switches at the customer site? Should we always create a site-to-site tunnel, or is there another way?

samantha_lynn
Esteemed Contributor III

In Aerohive's current design there is no support for the HiveManager VA when resolved to a public IPv4 address on a switch in HiveAgent.

This is unsupported because Aerohive's engineering designed this in a way which means that a public IPv4 is only functional where HiveAgent is connecting to Aerohive's Cloud HiveManager, explicitly using only the Comodo root that is in use for the Cloud at https://cloud.aerohive.com/

When HiveManager is resolved to a private IPv4 address, a lower level of certificate checking takes place and the self-signed certificate is supported by design. When HiveManager is resolved to a public IPv4 address, a higher level of certificate checks takes place and the self-signed certificate is not supported by design.

If, for example, Aerohive changed its root from Comodo to a different one in the future, the deployment might be subject to breaking; it would be fragile and at risk from this. Therefore, this setup is not supported.
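
Added example, not part of any post in this thread and not Aerohive code: a small Python model of the behaviour described in the reply above, useful for predicting from the resolved address and the certificate type whether a switch should hit the "Peer certificate cannot be authenticated" error. The function names, the RFC 1918 definition of "private", and the handling of mixed DNS answers are assumptions; the addresses are constructed samples.

```python
import ipaddress

# Assumption: "private IPv4" means the RFC 1918 ranges; the thread does not
# define it. An explicit list is used because ipaddress.is_private also covers
# loopback, link-local and documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True when addr is an IPv4 address inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def predict(resolved_addrs, self_signed, chains_to_cloud_root):
    """Return (check_level, accepted) for the HiveManager name a switch uses.

    resolved_addrs       -- addresses the HiveManager name resolves to
    self_signed          -- server presents a self-signed certificate
    chains_to_cloud_root -- certificate chains to the root used by the cloud
    """
    if not resolved_addrs:
        raise ValueError("HiveManager name did not resolve")
    if all(is_rfc1918(a) for a in resolved_addrs):
        # Private address: lower level of checking, self-signed is supported.
        # Assumption: other certificates are accepted at this level as well.
        return ("relaxed", True)
    # Assumption: one public answer is enough to trigger the stricter check.
    # Public address: only a chain to the cloud root passes.
    return ("strict", bool(chains_to_cloud_root and not self_signed))


# Constructed cases: (addresses, self_signed, chains_to_cloud_root)
CASES = {
    "on-prem VA via private IP": (["192.168.10.5"], True, False),
    "on-prem VA via public IP": (["203.0.113.10"], True, False),
    "cloud HiveManager": (["203.0.113.10"], False, True),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        level, accepted = predict(*args)
        print(f"{name}: {level} check, "
              f"{'connects' if accepted else 'certificate rejected'}")
```

The second case matches the situation in this thread: an on-premises HiveManager with a self-signed certificate reached through a public IPv4 address falls under the stricter check and is rejected.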

benjamin_heravi
New Contributor

Our HiveManager is resolved by a public IPv4 address and our customers' devices reach HM by redirector & public IP. We have access points connected to these switches at the customer site and they get connected to our HM, but not the switches.
