ISE 3.1 certificate issue

I do have a TAC open, but want to see if anyone has an idea while I'm waiting.

So, we use a public COMODO cert for our portals. I just got the renewed cert and went to install it last weekend. With the new cert, all portals load with:

This site can’t provide a secure connection

ise-t.whatever.com uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH
 
I thought maybe the cert, or key was incorrect, so I put the old cert back and the portals worked.
 
Monday, I spun up a test VM, the same as production on 3.1 patch 4. I started with the new cert and the portals worked, but then changing to the old cert caused the same error. But changing back to the new one did not correct it, so I'm guessing I got lucky in prod that the old cert took.
 
I'm currently downloading patch 5 to try on the test, but don't see any bugs related that it could be.
 
My thoughts are it could be due to it being a renewal and they both use the same key. Testing this is a pain since it's a public cert and we would have to revoke and do a new CSR to test.
 
Any suggestions would be appreciated. I have about 10 days until my cert dies.
1 Accepted Solution (marce1000):

- FYI: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc64480

 M.

marce1000 (VIP):

- What error do you get in Firefox?

 M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Basically the same.

Error code: SSL_ERROR_NO_CYPHER_OVERLAP

- FYI: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc64480

 M.

Thanks, that seems to be the bug. The weird part is I tried rebooting yesterday and still had the issue, but it seems to be working today. The only difference is I added patch 5 to the test node.

I'm going to restore it back to patch 4 and see if rebooting still works; that will tell me whether I also have to install patch 5 on my production before it works or not.

@marce1000 wrote:

    - FYI: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc64480

Please confirm how I can download an expired certificate from Cisco.

I just want to download an expired CCIE Security written exam certificate.

OK, not crazy. On 3.1 patch 4, the reboot workaround does not work. Applying patch 5 and verifying that it still works.

OK, patch 5 kicked in the new cert, so it appears to be the bug, with the caveat of needing patch 5 for the workaround to work. Will have to fix production this weekend.

Hey Dustin, we're currently hit with the bug, but the report only mentions that we need to "reload ISE server". Do you know if this is all of the nodes? Just the PSNs?

Thanks

If you are on patch 5+, I believe the reboot should work; without patch 5, a reboot did not fix the issue. The issue is with renewal, so you could also maybe regenerate a completely new cert, but I'm not sure.

 

I would suspect all nodes, but we just have a 2 node deployment, so can't verify that myself.

Sri Harsha Dasari (Spotlight):

I had the same issue. I moved the portal certificate to another cert (admin/default), then deleted the old and new portal certs.
Then I reloaded the PSNs and then the PAN, and imported the new certificate back. It then took the new certificate and is working fine.

Thanks, Sri.
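A check worth running after the reboot or re-import workaround, added here as an example and not taken from any post in this thread: handshake with each node's portal using Python's ssl module, tell the no-cipher-overlap failure both browsers reported (ERR_SSL_VERSION_OR_CIPHER_MISMATCH / SSL_ERROR_NO_CYPHER_OVERLAP) apart from a merely untrusted chain, and confirm by serial number that the cert actually served is the renewed one. The node names, the 8443 portal port and the serial are placeholders, and SAMPLE_CERT is a constructed record for offline use.

```python
import socket
import ssl
import time

# OpenSSL reason strings seen in ssl.SSLError.reason (not exhaustive).
NO_OVERLAP = {"SSLV3_ALERT_HANDSHAKE_FAILURE", "NO_CIPHERS_AVAILABLE",
              "TLSV1_ALERT_PROTOCOL_VERSION", "UNSUPPORTED_PROTOCOL"}

# Constructed sample in getpeercert() layout, used only for offline checks.
SAMPLE_CERT = {"subject": ((("commonName", "ise-t.whatever.com"),),),
               "serialNumber": "0abc12", "notAfter": "Jan 11 00:00:00 2030 GMT"}

def classify_reason(reason):
    """Turn an SSLError reason into the diagnosis a portal admin needs."""
    if reason in NO_OVERLAP:
        return "no protocol/cipher overlap (the ERR_SSL_VERSION_OR_CIPHER_MISMATCH symptom)"
    if reason == "CERTIFICATE_VERIFY_FAILED":
        return "TLS negotiated, but the served chain is not trusted by this client"
    return "other handshake error: %s" % reason

def summarize_cert(cert, expected_serial=None, now_ts=None):
    """Reduce a getpeercert() dict to CN, serial, days left and a serial match flag."""
    now_ts = time.time() if now_ts is None else now_ts
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    serial = cert.get("serialNumber", "").upper()
    expires_ts = ssl.cert_time_to_seconds(cert["notAfter"])  # notAfter is UTC
    return {"cn": subject.get("commonName", "?"), "serial": serial,
            "days_left": int((expires_ts - now_ts) // 86400),
            "serial_matches": None if expected_serial is None
            else serial == expected_serial.upper()}

def check_portal(host, port=8443, expected_serial=None, timeout=5.0):
    """Handshake with one node's portal and report what it really serves."""
    ctx = ssl.create_default_context()  # system CA store; fine for a public cert
    ctx.check_hostname = False          # probing by node name, not the portal FQDN
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                info = summarize_cert(tls.getpeercert(), expected_serial)
                info.update(ok=True, protocol=tls.version(), cipher=tls.cipher()[0])
                return info
    except ssl.SSLError as e:
        return {"ok": False, "diagnosis": classify_reason(e.reason)}
    except OSError as e:
        return {"ok": False, "diagnosis": "connection failed: %s" % e}

if __name__ == "__main__":
    # Placeholders: list every PSN (and the PAN) and the renewed cert's serial.
    for node in ["ise-psn1.example.com", "ise-psn2.example.com"]:
        print(node, check_portal(node, expected_serial="PLACEHOLDER_SERIAL"))
```

Run it against every node before and after the reboot; a node that still reports no protocol/cipher overlap, or that serves the old serial, has not picked up the renewed cert.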