03-02-2022 01:18 AM - last edited on 09-21-2022 04:25 AM by Anusha_Vemula
On controller firmware version 3.6.x and above, the AP certificate check is enabled by default on vSZ/SZ-based controllers. As a result, APs with expired certificates will not join the controller.
Ruckus's original device certificates expired in November 2016. Any device manufactured before November 2016 will have the old certificate.
Log in to the AP CLI (SSH) and run the following command:
rkscli: get rpki-cert issuer
An AP that returns the output below will not join the controller because it has an old certificate.
Output:
Issuer: Ruckus Wireless, Inc.
OK
If no alarms or events are generated on the controller and the AP is not listed in the SZ web GUI, check the vSZ/SZ snapshot log.
Download the snapshot log from the controller GUI --> extract the log files --> applogfiles --> nginx --> Access.log and error.log.
NOTE: In 6.0+ SZ/vSZ, the file name is ap.log
In the Access.log
Search with the AP’s MAC address:
::ffff:192.168.1.59:443 - - [17/Dec/2021:13:01:50 +0000] "PUT /wsg/ap/discovery/D4:68:4D:2B:94:70 HTTP/1.1" 400 208 "-" "-" "-" "0.038"
::ffff:10.177.82.127:443 - - [14/Feb/2022:08:29:06 +0000] "PUT /wsg/ap/discovery/4C:B1:CD:18:E3:30 HTTP/1.1" 400 0 "-" "-" "-" "10.001"
HTTP status code 400 means Bad Request.
In the Error.log
2021/12/17 13:01:50 [warn] 22321#22321: *2684 This is not a trusted certificate, connection will be rejected. while reading client request headers, client: ::ffff:192.168.1.59, server: localhost, request: "PUT /wsg/ap/discovery/D4:68:4D:2B:94:70 HTTP/1.1", host: "192.168.1.31:443"
2021/12/17 13:01:50 [warn] 22321#22321: *2684 client SSL certificate verify error: (10:certificate has expired) while reading client request headers, client: ::ffff:192.168.1.59, server: localhost, request: "PUT /wsg/ap/discovery/D4:68:4D:2B:94:70 HTTP/1.1", host: "192.168.1.31:443"
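One way to correlate the two logs when several APs need triage, as an added example that is not part of the original article or any Ruckus tooling: it lists every AP MAC whose discovery request was answered with HTTP 400 and attaches the certificate verify reason from error.log, if one was logged. The function names are hypothetical, and the 200 line in the sample input is constructed.

```python
import re

# Sample input: the 400 and [warn] lines are the ones quoted in this article;
# the 200 line for AA:BB:CC:00:11:22 is constructed for contrast.
ACCESS_LOG = '''\
::ffff:192.168.1.59:443 - - [17/Dec/2021:13:01:50 +0000] "PUT /wsg/ap/discovery/D4:68:4D:2B:94:70 HTTP/1.1" 400 208 "-" "-" "-" "0.038"
::ffff:10.177.82.127:443 - - [14/Feb/2022:08:29:06 +0000] "PUT /wsg/ap/discovery/4C:B1:CD:18:E3:30 HTTP/1.1" 400 0 "-" "-" "-" "10.001"
::ffff:192.168.1.60:443 - - [17/Dec/2021:13:02:10 +0000] "PUT /wsg/ap/discovery/AA:BB:CC:00:11:22 HTTP/1.1" 200 512 "-" "-" "-" "0.020"
'''
ERROR_LOG = '''\
2021/12/17 13:01:50 [warn] 22321#22321: *2684 This is not a trusted certificate, connection will be rejected. while reading client request headers, client: ::ffff:192.168.1.59, server: localhost, request: "PUT /wsg/ap/discovery/D4:68:4D:2B:94:70 HTTP/1.1", host: "192.168.1.31:443"
2021/12/17 13:01:50 [warn] 22321#22321: *2684 client SSL certificate verify error: (10:certificate has expired) while reading client request headers, client: ::ffff:192.168.1.59, server: localhost, request: "PUT /wsg/ap/discovery/D4:68:4D:2B:94:70 HTTP/1.1", host: "192.168.1.31:443"
'''

MAC = r'(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})'
DISCOVERY = r'"PUT /wsg/ap/discovery/' + MAC + r' HTTP/[\d.]+"'
ACCESS_RE = re.compile(DISCOVERY + r' (?P<status>\d{3}) ')
VERIFY_RE = re.compile(
    r'client SSL certificate verify error: \(\d+:(?P<reason>[^)]*)\)'
    r'.*request: ' + DISCOVERY)


def rejected_aps(access_log):
    """MACs whose discovery PUT was answered with HTTP 400."""
    return {m['mac'].upper() for m in ACCESS_RE.finditer(access_log)
            if m['status'] == '400'}


def verify_failures(error_log):
    """Map AP MAC -> set of TLS client-certificate verify reasons."""
    reasons = {}
    for m in VERIFY_RE.finditer(error_log):
        reasons.setdefault(m['mac'].upper(), set()).add(m['reason'])
    return reasons


def triage(access_log, error_log):
    """For each rejected AP, list the verify reasons found (may be empty)."""
    failures = verify_failures(error_log)
    return {mac: sorted(failures.get(mac, ())) for mac in rejected_aps(access_log)}


if __name__ == '__main__':
    for mac, why in sorted(triage(ACCESS_LOG, ERROR_LOG).items()):
        print(mac, '->', ', '.join(why) or 'HTTP 400, no verify error logged')
```

An AP that shows HTTP 400 with an empty reason list has no matching verify error in the supplied error.log, so its rejection needs a separate look rather than being assumed to be certificate expiry.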
Workaround: Disable the AP cert check on the controller so that the AP can join, then enable it again later and follow the procedure to update the AP certificate.
The commands to disable the AP cert check from the vSZ/SZ CLI (SSH):
ruckus>enable
password:
ruckus# config
ruckus(config)# no ap-cert-check
ruckus(config)# exit
To enable the AP cert check again:
ruckus>enable
password:
ruckus# config
ruckus(config)# ap-cert-check
ruckus(config)# exit
NOTE: If you choose to disable the AP cert check to make the AP join, you then need to upgrade the AP certificate as discussed in the given link: https://community.ruckuswireless.com/t5/SmartZone-and-Virtual-SmartZone/My-AP-is-Online-but-a-warnin...
Alternatively, update the AP certificate and then register it onto the vSZ/SZ controller.
Go to Administration --> Management --> Certificate Verification --> click Request to release a new certificate. This will generate a .req file.
Note: Usually, this reboots the AP. If it doesn’t, reboot the AP manually: go to Maintenance --> Reboot/Reset and click Reboot Now.