cancel
Showing results for 
Search instead for 
Did you mean: 

New AP’s not joining the vSZ/SZ due to expired AP certificate

sarita_shekhar
Moderator
Moderator
As a Sr. Technical Support Engineer, I have come across this issue and would like to share my experience here:

On the controller firmware version 3.6.x and above, by default, AP certificate check is enabled on the vSZ/SZ based controllers. Hence APs with expired certificates will not join the controller.

Root Cause:

Ruckus's original Device certificates expired in November 2016. Any device manufactured prior to Nov 2016 will have the old certificate.

I. How do I know this is an AP certificate issue?

                    A.  In AP side

                              Log in to the AP CLI (SSH) and run the following command:

                                        rkscli: get rpki-cert issuer

                              The AP with the below output will not join the controller as it has an old certificate.

                              Output:

                                        Issuer: Ruckus Wireless, Inc.
                                        OK

                    In a situation when no alarms or events are generated on the controller and AP is not listed in SZ web GUI. We need to check in the vSZ/SZ Snapshot log

                    B. In SZ side

                              1. How to download the snapshot log:

                              Download the snapshot log from controller GUI --> extract the log files --> applogfiles -->                               nginx --> Access.logs and error.log. (steps shown in the below screenshots)

                    sshekhar_0-1646212441942.png

                    sshekhar_1-1646212441944.png

                    sshekhar_2-1646212441945.png

          NOTE:In 6.0+ SZ/vSZ, the file name is ap.log

                    Screenshot from vSZ 6.0 snapshot:-

                    sshekhar_3-1646212441951.png

                    sshekhar_4-1646212441953.png

                              2. What to check in the log?

                              In the Access.log

                                        Search with the AP’s MAC address:

                                                  ::ffff:192.168.1.59:443 - - [17/Dec/2021:13:01:50 +0000] "PUT /wsg/ap/discovery/D4:68:4D:2B:94:70 HTTP/1.1" 400 208 "-" "-" "-" "0.038"

                                                  ::ffff:10.177.82.127:443 - - [14/Feb/2022:08:29:06 +0000] "PUT /wsg/ap/discovery/4C:B1:CD:18:E3:30 HTTP/1.1" 400 0 "-" "-" "-" "10.001"

                    Error code = 400 means, Bad request

                              In the Error.log

                                        2021/12/17 13:01:50 [warn] 22321#22321: *2684 This is not a trusted certificate, connection will be rejected. while reading client request headers, client: ::ffff:192.168.1.59, server: localhost, request: "PUT /wsg/ap/discovery/D4:68:4D:2B:94:70 HTTP/1.1", host: "192.168.1.31:443"

                                        2021/12/17 13:01:50 [warn] 22321#22321: *2684 client SSL certificate verify error: (10:certificate has expired) while reading client request headers, client: ::ffff:192.168.1.59, server: localhost, request: "PUT /wsg/ap/discovery/D4:68:4D:2B:94:70 HTTP/1.1", host: "192.168.1.31:443"

II. How to solve it?

                     A. Allowing AP to join the controller

                     Workaround: We have a workaround to disable the AP-cert check on the controller to make the AP join and then later enable it and follow the above procedure to update the AP certificate.

                    The command to disable the ap cert check from the vSZ/SZ CLI (SSH):

                              ruckus>enable
                              password:
                              ruckus# config
                              ruckus(config)# no ap-cert-check
                              ruckus(config)# exit

                   To enable the AP cert check again,

                              ruckus>enable
                              password:
                              ruckus# config
                              ruckus(config)# ap-cert-check
                              ruckus(config)# exit

NOTE: If you chose to disable the AP cert check and make the AP join then you need to upgrade the AP certificate as discussed in the given link: https://community.ruckuswireless.com/t5/SmartZone-and-Virtual-SmartZone/My-AP-is-Online-but-a-warnin...

                     B. Update certificate locally in AP

                     Alternatively, update the AP certificate and then register it onto the vSZ/SZ controller.

  1. Access the AP GUI using either default IP (192.168.0.1) or the DHCP assigned IP in the web browser.
  2. Create a Certificate Request file:

                              Go to Administration --> Management --> Certificate Verification --> Click on Request to release a new certificate. This will generate a .req file.

                     sshekhar_5-1646212441957.png

  1. Go to https://certrenewal.ruckuswireless.com/ and import the .req file and give your e-mail address.
  2. Once you receive the .res file, access the AP GUI --> go to Maintenance --> Upgrade --> Select Local Method for the Upgrade --> In Target selection, select Device Certificate --> Choose the .res file --> Upload Certificate.

                    sshekhar_6-1646212441960.png

Note: Usually, this reboots the AP, if it doesn’t reboot the AP then reboot the AP manually Go to Maintenance --> Reboot/Reset and click Reboot Now to reboot the AP.

0 REPLIES 0