02-09-2024 07:05 AM
For some reason one of our pair of WLC 9800s will not accept the DNAC-CA certificate.
A sync or push of telemetry from DNA fails. All our other devices are fine.
If we try a CLI import of the certificate we get this:
Trustpoint 'DNAC-CA' is a subordinate CA.
Authentication failed - could not validate certificate
% Error in saving certificate: status = FAIL
Any ideas why this is happening on this one device?
02-12-2024 02:18 AM
Do you have port http/80 open from the WLC to the DNAC?
02-12-2024 02:48 AM
Yes, the port is open. A debug isn't giving anything useful either, unfortunately.
02-12-2024 05:28 PM
Did you configure default aaa methods for authentication and authorization on C9800?
aaa authentication login default local (or group)
aaa authorization exec default local (or group)
02-13-2024 12:29 AM
Finally figured this out after some extensive debugging. Basically it was two issues. The WLC was unable to do a Certificate Revocation check and the full cert chain was not in the cert being uploaded. Once they were addressed it uploaded fine.
04-24-2024 05:07 PM
How did you address/fix those issues?
04-25-2024 12:04 AM
As I recall, I deleted the existing trustpoint DNAC-CA.
Recreated it with the line "revocation-check crl none", e.g.:
crypto pki trustpoint DNAC-CA
enrollment mode ra
enrollment terminal
usage ssl-client
revocation-check crl none
source interface GigabitEthernet0
Then manually imported the full cert chain.
DNA error then cleared and telemetry came in.
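A pre-flight check for the two causes named in this thread, added here as an example and not code from the thread or from Cisco: it splits a PEM bundle, confirms the first certificate verifies up to a self-signed root that is itself inside the bundle (so the full chain is really there), and prints any CRL distribution point each certificate carries, which is the URL the device will try to fetch during the revocation check. It assumes a POSIX shell with openssl on PATH; the function name and the bundle file name are hypothetical.

```shell
# Pre-flight check for a PEM bundle before importing it into a trustpoint.
# Usage: check_chain_bundle BUNDLE.pem
#   returns 0 when the first certificate verifies up to a self-signed root
#   that is itself present in the bundle (full chain present)
#   returns 1 when no self-signed root is in the bundle or verification fails
# Also prints subject, issuer and CRL distribution point of every cert, so a
# CRL URL the device cannot reach shows up before the import is attempted.
check_chain_bundle() {
    bundle="$1"
    work=$(mktemp -d) || return 1
    # Split the bundle into cert1.pem, cert2.pem, ... in file order.
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/ { n++ }
                      n > 0 { print > (d "/cert" n ".pem") }' "$bundle"
    root=""
    : > "$work/untrusted.pem"
    for f in "$work"/cert*.pem; do
        subj=$(openssl x509 -in "$f" -noout -subject)
        issu=$(openssl x509 -in "$f" -noout -issuer)
        # -ext needs OpenSSL 1.1.1 or newer; older builds just report "none".
        cdp=$(openssl x509 -in "$f" -noout -ext crlDistributionPoints 2>/dev/null \
              | grep -o 'URI:[^[:space:],]*' | tr '\n' ' ')
        echo "$(basename "$f"): $subj | $issu | CRL: ${cdp:-none}"
        # A self-signed certificate (subject == issuer) is the trust anchor.
        if [ "${subj#subject=}" = "${issu#issuer=}" ]; then
            root="$f"
        else
            cat "$f" >> "$work/untrusted.pem"
        fi
    done
    if [ -z "$root" ]; then
        echo "no self-signed root in bundle: chain is incomplete"
        rm -rf "$work"
        return 1
    fi
    # Verify the first cert using only material from the bundle itself,
    # which is all the device will have after the import.
    extra=""
    if [ -s "$work/untrusted.pem" ]; then
        extra="-untrusted $work/untrusted.pem"
    fi
    # $extra is deliberately unquoted: it expands to two words or none.
    if openssl verify -CAfile "$root" $extra "$work/cert1.pem" >/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}
```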