- last edited on by
Anusha_Vemula
As a Sr. Technical Support Engineer, I have come across this issue and would like to share my experience here:
On the controller firmware version 3.6.x and above, by default, AP certificate check is enabled on the vSZ/SZ based controllers. Hence APs with expired certificates will not join the controller.
Root Cause:
Ruckus's original Device certificates expired in November 2016. Any device manufactured prior to Nov 2016 will have the old certificate.
I. How do I know this is an AP certificate issue?
A. In AP side
Log in to the AP CLI (SSH) and run the following command:
rkscli: get rpki-cert issuer
The AP with the below output will not join the controller as it has an old certificate.
Output:
Issuer: Ruckus Wireless, Inc.
OK
In a situation when no alarms or events are generated on the controller and AP is not listed in SZ web GUI. We need to check in the vSZ/SZ Snapshot log
B. In SZ side
1. How to download the snapshot log:
Download the snapshot log from controller GUI --> extract the log files --> applogfiles --> nginx --> Access.logs and error.log. (steps shown in the below screenshots)
NOTE:In 6.0+ SZ/vSZ, the file name is ap.log
Screenshot from vSZ 6.0 snapshot:-
2. What to check in the log?
In the Access.log
Search with the AP’s MAC address:
::ffff:192.168.1.59:443 - - [17/Dec/2021:13:01:50 +0000] "PUT /wsg/ap/discovery/D4:68:4D:2B:94:70 HTTP/1.1" 400 208 "-" "-" "-" "0.038"
::ffff:10.177.82.127:443 - - [14/Feb/2022:08:29:06 +0000] "PUT /wsg/ap/discovery/4C:B1:CD:18:E3:30 HTTP/1.1" 400 0 "-" "-" "-" "10.001"
Error code = 400 means, Bad request
In the Error.log
2021/12/17 13:01:50 [warn] 22321#22321: *2684 This is not a trusted certificate, connection will be rejected. while reading client request headers, client: ::ffff:192.168.1.59, server: localhost, request: "PUT /wsg/ap/discovery/D4:68:4D:2B:94:70 HTTP/1.1", host: "192.168.1.31:443"
2021/12/17 13:01:50 [warn] 22321#22321: *2684 client SSL certificate verify error: (10:certificate has expired) while reading client request headers, client: ::ffff:192.168.1.59, server: localhost, request: "PUT /wsg/ap/discovery/D4:68:4D:2B:94:70 HTTP/1.1", host: "192.168.1.31:443"
II. How to solve it?
A. Allowing AP to join the controller
Workaround: We have a workaround to disable the AP-cert check on the controller to make the AP join and then later enable it and follow the above procedure to update the AP certificate.
The command to disable the ap cert check from the vSZ/SZ CLI (SSH):
ruckus>enable
password:
ruckus# config
ruckus(config)# no ap-cert-check
ruckus(config)# exit
To enable the AP cert check again,
ruckus>enable
password:
ruckus# config
ruckus(config)# ap-cert-check
ruckus(config)# exit
NOTE: If you chose to disable the AP cert check and make the AP join then you need to upgrade the AP certificate as discussed in the given link: https://community.ruckuswireless.com/t5/SmartZone-and-Virtual-SmartZone/My-AP-is-Online-but-a-warnin...
B. Update certificate locally in AP
Alternatively, update the AP certificate and then register it onto the vSZ/SZ controller.
- Access the AP GUI using either default IP (192.168.0.1) or the DHCP assigned IP in the web browser.
- Create a Certificate Request file:
Go to Administration --> Management --> Certificate Verification --> Click on Request to release a new certificate. This will generate a .req file.
- Please reach out to Ruckus Support to generate the .req file downloaded from the above step. (https://support.ruckuswireless.com/contact-us)
- Once you receive the .res file, access the AP GUI --> go to Maintenance --> Upgrade --> Select Local Method for the Upgrade --> In Target selection, select Device Certificate --> Choose the .res file --> Upload Certificate.
Note: Usually, this reboots the AP, if it doesn’t reboot the AP then reboot the AP manually Go to Maintenance --> Reboot/Reset and click Reboot Now to reboot the AP.
