由于证书握手失败导致的ASA智能许可失败
下载选项
已更新: 2018 年 11 月 27 日
文档 ID:213932
非歧视性语言
此产品的文档集力求使用非歧视性语言。在本文档集中,非歧视性语言是指不隐含针对年龄、残障、性别、种族身份、族群身份、性取向、社会经济地位和交叉性的歧视的语言。由于产品软件的用户界面中使用的硬编码语言、基于 RFP 文档使用的语言或引用的第三方产品使用的语言,文档中可能无法确保完全使用非歧视性语言。 深入了解思科如何使用包容性语言。
关于此翻译
思科采用人工翻译与机器翻译相结合的方式将此文档翻译成不同语言,希望全球的用户都能通过各自的语言得到支持性的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 Cisco Systems, Inc. 对于翻译的准确性不承担任何责任,并建议您总是参考英文原始文档(已提供链接)。
简介
本文档介绍如何解决2016年3月和2018年10月发生的更改,在更改中,托管tools.cisco.com的Web服务器迁移到不同的根证书颁发机构(CA)证书。迁移后,某些ASA(自适应安全设备)设备在注册ID令牌或尝试更新现有授权时无法连接到智能软件许可门户(托管于tools.cisco.com上)。这被确定为证书相关问题。具体而言,提供给ASA的新证书由与ASA预期不同的中间CA签名,并已预装。
问题
尝试将ASAv注册到智能软件许可门户时,注册失败,连接或通信失败。show license registration和call-home测试配置文件许可证命令显示这些输出。
ASAv# show license registration
Registration Status: Retry In Progress.
Registration Start Time: Mar 22 13:25:46 2016 UTC
Registration Status: Retry In Progress.
Registration Start Time: Mar 22 13:25:46 2016 UTC
Last Retry Start Time: Mar 22 13:26:32 2016 UTC.
Next Scheduled Retry Time: Mar 22 13:45:31 2016 UTC.
Number of Retries: 1.
Last License Server response time: Mar 22 13:26:32 2016 UTC.
Last License Server response message: Communication message send response error
ASAv# call-home test profile License INFO: Sending test message to https://tools.cisco.com/its/service/oddce/services/DDCEService... ERROR: Failed: CONNECT_FAILED(35)
但是,ASAv可以解析tools.cisco.com,并通过TCP ping在TCP端口443上连接。
系统日志和调试输出
尝试注册后,ASAv上的系统日志输出将显示:
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate
certificate serial number: 250CE8E030612E9F2B89F7058FD, subject name:
cn=VeriSign Class 3 Public Primary Certification Authority - G5,ou=(c) 2006 VeriSign\, Inc.
- For authorized use only,ou=VeriSign Trust Network,o=VeriSign\, Inc.,c=US, issuer name:
ou=Class 3 Public Primary Certification Authority,o=VeriSign\, Inc.,c=US . %ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate
certificate serial number: 513FB9743870B73440418699FF, subject name:
cn=Symantec Class 3 Secure Server CA - G4,ou=Symantec Trust Network,o=Symantec
Corporation,c=US, issuer name: cn=VeriSign Class 3 Public Primary Certification Authority
- G5,ou=(c) 2006 VeriSign\, Inc. - For authorized use only,ou=VeriSign Trust Network,
o=VeriSign\, Inc.,c=US .
有关详细信息,请在尝试其他注册时运行这些debug命令。出现安全套接字层错误。
debug license 255 debug license agent all debug call-home all
debug ssl 255
具体而言,此消息被视为该输出的一部分:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed@s3_clnt.c:1492
在默认ASAv配置中,有一个名为_SmartCallHome_ServerCA的信任点,该信任点已加载证书并颁发给主题名称“cn=Verisign Class 3 Secure Server CA - G3”。
ASAv# show crypto ca certificate
CA Certificate
Status: Available
Certificate Serial Number: 6ecc7aa5a7032009b8cebc2d491
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=VeriSign Class 3 Public Primary Certification Authority - G5
ou=(c) 2006 VeriSign\, Inc. - For authorized use only
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
Subject Name:
cn=VeriSign Class 3 Secure Server CA - G3
ou=Terms of use at https://www.verisign.com/rpa (c)10
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
OCSP AIA:
URL: http://ocsp.verisign.com
CRL Distribution Points:
[1] http://crl.verisign.com/pca3-g5.crl
Validity Date:
start date: 00:00:00 UTC Feb 8 2010
end date: 23:59:59 UTC Feb 7 2020
Associated Trustpoints: _SmartCallHome_ServerCA
但是,在以前的系统日志中,ASA表示它从智能软件许可门户获得证书,该证书由名为“cn=Symantec Class 3 Secure Server CA - G4”的中间人签名。
注意:主题名称相似,但有两个不同:开头是Verisign与Symantec,结尾是G3与G4。
解决方案
ASAv需要下载包含适当中间和/或根证书的信任池才能验证链。
在版本9.5.2及更高版本中,ASAv的信任池配置为在本地时间晚10:00 PM设备自动导入:
ASAv# sh run crypto ca trustpool
crypto ca trustpool policy
auto-import
ASAv# sh run all crypto ca trustpool
crypto ca trustpool policy
revocation-check none
crl cache-time 60
crl enforcenextupdate
auto-import
auto-import url http://www.cisco.com/security/pki/trs/ios_core.p7b
auto-import time 22:00:00
如果这是初始安装,并且当时尚未启用域名系统(DNS)查找和Internet连接,则自动导入未成功,需要手动完成。
在较旧版本(如9.4.x)上,未在设备上配置trustpool auto-import,需要手动导入。
在任何版本上,此命令导入信任池和相关证书:
ASAv# crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b Root file signature verified. You are about to update the current trusted certificate pool with the 17145 byte file at http://www.cisco.com/security/pki/trs/ios_core.p7b Do you want to continue? (y/n) Trustpool import: attempted: 14 installed: 14 duplicates: 0 expired: 0 failed: 0
验证
一旦通过手动命令或等待到本地时间晚10:00之后导入trustpool,此命令将验证信任池中是否已安装证书:
ASAv# show crypto ca trustpool policy
14 trustpool certificates installed
Trustpool auto import statistics:
Last import result: FAILED
Next scheduled import at 22:00:00 UTC Wed Mar 23 2016
Trustpool Policy
Trustpool revocation checking is disabled
CRL cache time: 60 seconds
CRL next update field: required and enforced
Automatic import of trustpool certificates is enabled
Automatic import URL: http://www.cisco.com/security/pki/trs/ios_core.p7b
Download time: 22:00:00
Policy Overrides:
None configured
注意:在上一输出中,上次自动更新导入失败,因为DNS上次自动尝试时未运行,因此它仍将上次自动导入结果显示为失败。但是,手动信任池更新已运行并已成功更新信任池(这就是它显示已安装14个证书的原因)。
安装trustpool后,可以再次运行令牌注册命令,以便向智能软件许可门户注册ASAv。
ASAv# license smart register idtoken id_token force
如果ASAv已注册到智能软件许可门户,但授权续订失败,也可以手动尝试。
ASAv# license smart renew auth
根CA证书更改 — 2018年10月
tools.cisco.com的根CA证书于2018年10月5日(星期五)更改。
如果不允许与http://www.cisco.com/security/pki/trs/ios_core.p7b通信,则当前部署的ASAv版本9.6(2)及更高版本以及运行ASA的Firepower 2100将不受此更改的影响。 在前面提到的所有ASA智能许可平台上都默认启用证书自动导入功能。 “show crypto ca trustpool”的输出包含“QuoVadis Root CA 2”证书:
CA Certificate
Fingerprint: 5e397bddf8baec82e9ac62ba0c54002b
Issuer Name:
cn=QuoVadis Root CA 2
o=QuoVadis Limited
c=BM
Subject Name:
cn=QuoVadis Root CA 2
o=QuoVadis Limited
c=BM
对于新部署,您可以发出“crypto ca trustpool import default”命令并下载包含QuoVadis证书的默认思科证书捆绑包。 如果这不起作用,您可以手动安装证书:
asa(config)# crypto ca trustpoint QuoVadisRootCA2 asa(config-ca-trustpoint)# enrollment terminal asa(config-ca-trustpoint)# crl configure asav(config-ca-crl)# crypto ca authenticate QuoVadisRootCA2 Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself -----BEGIN CERTIFICATE----- MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x GTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJv b3QgQ0EgMjAeFw0wNjExMjQxODI3MDBaFw0zMTExMjQxODIzMzNaMEUxCzAJBgNV BAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYDVQQDExJRdW9W YWRpcyBSb290IENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCa GMpLlA0ALa8DKYrwD4HIrkwZhR0In6spRIXzL4GtMh6QRr+jhiYaHv5+HBg6XJxg Fyo6dIMzMH1hVBHL7avg5tKifvVrbxi3Cgst/ek+7wrGsxDp3MJGF/hd/aTa/55J WpzmM+Yklvc/ulsrHHo1wtZn/qtmUIttKGAr79dgw8eTvI02kfN/+NsRE8Scd3bB rrcCaoF6qUWD4gXmuVbBlDePSHFjIuwXZQeVikvfj8ZaCuWw419eaxGrDPmF60Tp +ARz8un+XJiM9XOva7R+zdRcAitMOeGylZUtQofX1bOQQ7dsE/He3fbE+Ik/0XX1 ksOR1YqI0JDs3G3eicJlcZaLDQP9nL9bFqyS2+r+eXyt66/3FsvbzSUr5R/7mp/i Ucw6UwxI5g69ybR2BlLmEROFcmMDBOAENisgGQLodKcftslWZvB1JdxnwQ5hYIiz PtGo/KPaHbDRsSNU30R2be1B2MGyIrZTHN81Hdyhdyox5C315eXbyOD/5YDXC2Og /zOhD7osFRXql7PSorW+8oyWHhqPHWykYTe5hnMz15eWniN9gqRMgeKh0bpnX5UH oycR7hYQe7xFSkyyBNKr79X9DFHOUGoIMfmR2gyPZFwDwzqLID9ujWc9Otb+fVuI yV77zGHcizN300QyNQliBJIWENieJ0f7OyHj+OsdWwIDAQABo4GwMIGtMA8GA1Ud EwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBQahGK8SEwzJQTU7tD2 A8QZRtGUazBuBgNVHSMEZzBlgBQahGK8SEwzJQTU7tD2A8QZRtGUa6FJpEcwRTEL MAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMT ElF1b1ZhZGlzIFJvb3QgQ0EgMoICBQkwDQYJKoZIhvcNAQEFBQADggIBAD4KFk2f BluornFdLwUvZ+YTRYPENvbzwCYMDbVHZF34tHLJRqUDGCdViXh9duqWNIAXINzn g/iN/Ae42l9NLmeyhP3ZRPx3UIHmfLTJDQtyU/h2BwdBR5YM++CCJpNVjP4iH2Bl fF/nJrP3MpCYUNQ3cVX2kiF495V5+vgtJodmVjB3pjd4M1IQWK4/YY7yarHvGH5K WWPKjaJW1acvvFYfzznB4vsKqBUsfU16Y8Zsl0Q80m/DShcK+JDSV6IZUaUtl0Ha B0+pUNqQjZRG4T7wlP0QADj1O+hA4bRuVhogzG9Yje0uRY/W6ZM/57Es3zrWIozc hLsib9D45MY56QSIPMO661V6bYCZJPVsAfv4l7CUW+v90m/xd2gNNWQjrLhVoQPR TUIZ3Ph1WVaj+ahJefivDrkRoHy3au000LYmYjgahwz46P0u05B/B5EqHdZ+XIWD mbA4CD/pXvk1B+TJYm5Xf6dQlfe6yJvmjqIBxdZmv3lh8zwc4bmCXF2gw+nYSL0Z ohEUGW6yhhtoPkg3Goi3XZZenMfvJ2II4pEZXNLxId26F0KCl3GBUzGpn/Z9Yr9y 4aOTHcyKJloJONDO1w2AFrR4pTqHTI2KpdVGl/IsELm8VCLAAVBpQ570su9t+Oza 8eOx79+Rj1QqCyXBJhnEUhAFZdWCEOrCMc0u -----END CERTIFICATE----- quit INFO: Certificate has the following attributes: Fingerprint: 5e397bdd f8baec82 e9ac62ba 0c54002b Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. % Certificate successfully imported
运行ASA的4100/9300平台
此问题已影响运行ASA的字段中的约4100/9300,该ASA依赖于Firepower eXtensible操作系统(FXOS)来提供智能许可信息:
受影响的设备:
FP9300-1-A-A-A /license # show license all
Smart Licensing Status
======================
Smart Licensing is ENABLED
Registration:
Status: REGISTERED
Smart Account: TAC Cisco Systems, Inc.
Virtual Account: CALO
Export-Controlled Functionality: Allowed
Initial Registration: SUCCEEDED on Jul 01 18:37:38 2018 UTC
Last Renewal Attempt: FAILED on Oct 09 17:32:59 2018 UTC
Failure reason: Failed to authenticate server
解决步骤
要解决此问题,您需要创建新的信任点并在FXOS中输入证书数据:
FPR-2-A /license # scope security
FPR-2-A /security # enter trustpoint quovadis
FPR-2-A /security/trustpoint* # set certchain
Enter lines one at a time. Enter ENDOFBUF to finish. Press ^C to abort.
Trustpoint Certificate Chain: (THIS PART NEEDS TO BE COPY/PASTED)
>
-----BEGIN CERTIFICATE-----
MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x
GTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJv
b3QgQ0EgMjAeFw0wNjExMjQxODI3MDBaFw0zMTExMjQxODIzMzNaMEUxCzAJBgNV
BAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYDVQQDExJRdW9W
YWRpcyBSb290IENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCa
GMpLlA0ALa8DKYrwD4HIrkwZhR0In6spRIXzL4GtMh6QRr+jhiYaHv5+HBg6XJxg
Fyo6dIMzMH1hVBHL7avg5tKifvVrbxi3Cgst/ek+7wrGsxDp3MJGF/hd/aTa/55J
WpzmM+Yklvc/ulsrHHo1wtZn/qtmUIttKGAr79dgw8eTvI02kfN/+NsRE8Scd3bB
rrcCaoF6qUWD4gXmuVbBlDePSHFjIuwXZQeVikvfj8ZaCuWw419eaxGrDPmF60Tp
+ARz8un+XJiM9XOva7R+zdRcAitMOeGylZUtQofX1bOQQ7dsE/He3fbE+Ik/0XX1
ksOR1YqI0JDs3G3eicJlcZaLDQP9nL9bFqyS2+r+eXyt66/3FsvbzSUr5R/7mp/i
Ucw6UwxI5g69ybR2BlLmEROFcmMDBOAENisgGQLodKcftslWZvB1JdxnwQ5hYIiz
PtGo/KPaHbDRsSNU30R2be1B2MGyIrZTHN81Hdyhdyox5C315eXbyOD/5YDXC2Og
/zOhD7osFRXql7PSorW+8oyWHhqPHWykYTe5hnMz15eWniN9gqRMgeKh0bpnX5UH
oycR7hYQe7xFSkyyBNKr79X9DFHOUGoIMfmR2gyPZFwDwzqLID9ujWc9Otb+fVuI
yV77zGHcizN300QyNQliBJIWENieJ0f7OyHj+OsdWwIDAQABo4GwMIGtMA8GA1Ud
EwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBQahGK8SEwzJQTU7tD2
A8QZRtGUazBuBgNVHSMEZzBlgBQahGK8SEwzJQTU7tD2A8QZRtGUa6FJpEcwRTEL
MAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMT
ElF1b1ZhZGlzIFJvb3QgQ0EgMoICBQkwDQYJKoZIhvcNAQEFBQADggIBAD4KFk2f
BluornFdLwUvZ+YTRYPENvbzwCYMDbVHZF34tHLJRqUDGCdViXh9duqWNIAXINzn
g/iN/Ae42l9NLmeyhP3ZRPx3UIHmfLTJDQtyU/h2BwdBR5YM++CCJpNVjP4iH2Bl
fF/nJrP3MpCYUNQ3cVX2kiF495V5+vgtJodmVjB3pjd4M1IQWK4/YY7yarHvGH5K
WWPKjaJW1acvvFYfzznB4vsKqBUsfU16Y8Zsl0Q80m/DShcK+JDSV6IZUaUtl0Ha
B0+pUNqQjZRG4T7wlP0QADj1O+hA4bRuVhogzG9Yje0uRY/W6ZM/57Es3zrWIozc
hLsib9D45MY56QSIPMO661V6bYCZJPVsAfv4l7CUW+v90m/xd2gNNWQjrLhVoQPR
TUIZ3Ph1WVaj+ahJefivDrkRoHy3au000LYmYjgahwz46P0u05B/B5EqHdZ+XIWD
mbA4CD/pXvk1B+TJYm5Xf6dQlfe6yJvmjqIBxdZmv3lh8zwc4bmCXF2gw+nYSL0Z
ohEUGW6yhhtoPkg3Goi3XZZenMfvJ2II4pEZXNLxId26F0KCl3GBUzGpn/Z9Yr9y
4aOTHcyKJloJONDO1w2AFrR4pTqHTI2KpdVGl/IsELm8VCLAAVBpQ570su9t+Oza
8eOx79+Rj1QqCyXBJhnEUhAFZdWCEOrCMc0u
-----END CERTIFICATE-----
>ENDOFBUF <---manually type this on a new line after the ----END OF CERTIFICATE---- line and press ENTER
接下来,提交更改,然后续约许可证:
FPR-2-A /security/trustpoint* # comm FPR-2-A /security/trustpoint # scope license FPR-2-A /license # scope licdebug FPR-2-A /license/licdebug # renew
现在,您应验证许可已续约:
FP9300-1-A-A-A /license/licdebug # show license all Smart Licensing Status ====================== Smart Licensing is ENABLED Registration: Status: REGISTERED Smart Account: TAC Cisco Systems, Inc. Virtual Account: CALO Export-Controlled Functionality: Allowed Initial Registration: SUCCEEDED on Jul 01 18:37:38 2018 UTC Last Renewal Attempt: SUCCEEDED on Oct 09 17:39:07 2018 UTC Next Renewal Attempt: Apr 07 17:39:08 2019 UTC Registration Expires: Oct 09 17:33:07 2019 UTC License Authorization: Status: AUTHORIZED on Oct 09 17:39:12 2018 UTC Last Communication Attempt: SUCCESS on Oct 09 17:39:12 2018 UTC Next Communication Attempt: Nov 08 17:39:12 2018 UTC Communication Deadline: Jan 07 17:33:11 2019 UTC
相关信息
由思科工程师提供
- Created by Nate AustinCisco Sales Engineer
- Edited by Ronaldo PunzalanCisco TAC Engineer
- Edited by Cesar Lopez ZamarripaCisco TAC Engineer
反馈