Identity Engines Default Certificates Include Both default and default_256 Versions

Symptoms
  • Unable to complete "Create HA Link".
  • Unable to access Ignition via Ignition Dashboard (error: "Socket is closed").
  • Unable to complete a PKG upgrade on an HA deployment.
  • Ignition was upgraded from software release 8.x to 9.x using PKG (package).
  • Ignition Dashboard shows Configuration -> Site 0 -> Certificates -> Certificates with default_<feature>_cert and default_<feature>_cert256 versions.
  • The "UI Port Cert" service is bound to two or more certificates.
  • CLI "reset certificates" returns "Error reseting certificates".
Environment
  • Identity Engines Ignition
  • All Software Releases
Cause
During an Ignition 8.x to 9.x PKG upgrade, the default MD5-signed certificates were kept for backwards compatibility, and a new set of SHA256-signed certificates was introduced for 9.x releases. The coexistence of these default certificate pairs can lead to various system failures, primarily in HA deployments.
Resolution
RESOLUTION 1 - REBUILD Configuration
  1. Deploy a fresh 9.x-based Ignition OVA.
  2. Rebuild the entire configuration.
  • Recommended for small configurations with minimal authenticators and policy definitions.
  • New permanent licensing is required.

RESOLUTION 2 - PATCH Configuration
  1. Save a backup of your Ignition Server configuration.
  2. Generate a trouble ticket from Ignition Dashboard.
  3. Open a GTAC case using the process described in "How to contact Extreme Networks Global Technical Assistance Center (GTAC)" and request manual patching; please reference this article and provide the above data.
  4. Restore the patched configuration.
  • Recommended for large or complex configurations with multiple authentications and policy definitions.
  • Manual patching requires modification of an existing configuration. The response is best-effort, generally within two to three business days, excluding weekends. Any configuration changes made after the time of configuration backup (step 1) will need to be redone following restoration of the patched configuration.
  • A maintenance window to restore the configuration is required with Extreme GTAC support.
  • HA configurations will need to be temporarily broken and restored to complete this operation.
Additional notes
Sample display of Certificates via Dashboard suggesting the issue is present:

[Image: Example of Ignition Dashboard Certificates Tab default_cert_256]