%UPDATE-3-CERT_INST_FAIL: updcode.c:3686 Failed to install certificate. rc = 1


You might have seen my recent post on generating and installing a third-party signed certificate on a Cisco WLC. I recently had to go through this same process for my annual certificate renewal. This time, though, I faced a new error:

%UPDATE-3-CERT_INST_FAIL: updcode.c:3686 Failed to install certificate. rc = 1

Every time I uploaded the signed and bundled certificate (via the GUI or command line), I would receive that error in the logs. I tried regenerating the cert in different ways with different methods and different versions of openssl. No luck. Time to roll out the debugs.

There are two different debug commands that we ran for this issue:

  • debug transfer all enable
  • debug pm pki enable

We ran these in prod while uploading the new certificate, but as always, do so at your own risk with any debug commands. As I said, after we ran these debug commands, we tried installing the certificate again via the command line interface. We then watched for the output:

 

(Cisco Controller) >transfer download start

Mode............................................. TFTP
Data Type........................................ Site Cert
TFTP Server IP................................... 10.0.0.100
TFTP Packet Timeout.............................. 10
TFTP Max Retries................................. 10
TFTP Path........................................ /
TFTP Filename.................................... wireless-cert.pem

This may take some time.
Are you sure you want to start? (y/N) y

*sshpmLscTask: Apr 16 09:45:42.195: sshpmLscTask: LSC Task received a message 4
*TransferTask: Apr 16 09:46:32.525: Memory overcommit policy changed from 0 to 1
*TransferTask: Apr 16 09:46:32.525: RESULT_STRING: TFTP Webauth cert transfer starting.
*TransferTask: Apr 16 09:46:32.525: RESULT_CODE:1

TFTP Webauth cert transfer starting.

*TransferTask: Apr 16 09:46:36.531: TFTP: Binding to remote=10.0.0.100
*TransferTask: Apr 16 09:46:36.535: TFP End: 7687 bytes transferred (0 retransmitted packets)
*TransferTask: Apr 16 09:46:36.535: tftp rc=0, pHost=10.0.0.100 pFilename=/wireless-cert.pem pLocalFilename=cert.p12
*TransferTask: Apr 16 09:46:36.542: RESULT_STRING: TFTP receive complete... Installing Certificate.

TFTP receive complete... Installing Certificate.

*TransferTask: Apr 16 09:46:36.542: RESULT_CODE:13
*TransferTask: Apr 16 09:46:40.547: Adding cert (7627 bytes) with certificate key password.
*TransferTask: Apr 16 09:46:40.547: Add WebAuth Cert: Adding certificate & private key using password OLDCERTKEYHERE
*TransferTask: Apr 16 09:46:40.547: Add ID Cert: Adding certificate & private key using password OLDCERTKEYHERE
*TransferTask: Apr 16 09:46:40.547: Add Cert to ID Table: Adding certificate (name: bsnSslWebauthCert) to ID table using password OLDCERTKEYHERE
*TransferTask: Apr 16 09:46:40.547: Add Cert to ID Table: Decoding PEM-encoded Certificate (verify: YES)
*TransferTask: Apr 16 09:46:40.547: Decode & Verify PEM Cert: Cert/Key Length was 0, so taking string length instead
*TransferTask: Apr 16 09:46:40.547: Decode & Verify PEM Cert: Cert/Key Length 7627 & VERIFY
*TransferTask: Apr 16 09:46:40.548: Decode & Verify PEM Cert: X509 Cert Verification return code: 1
*TransferTask: Apr 16 09:46:40.548: Decode & Verify PEM Cert: X509 Cert Verification result text: ok
*TransferTask: Apr 16 09:46:40.548: Add Cert to ID Table: Decoding PEM-encoded Private Key using password OLDCERTKEYHERE
*TransferTask: Apr 16 09:46:40.548: Decode PEM Private Key: Error reading Private Key from PEM-encoded PKCS12 bundle using password OLDCERTKEYHERE
*TransferTask: Apr 16 09:46:40.548: Add ID Cert: Error decoding / adding cert to ID cert table (verifyChain: TRUE)
*TransferTask: Apr 16 09:46:40.548: Add WebAuth Cert: Error adding ID cert
*TransferTask: Apr 16 09:46:40.548: RESULT_STRING: Error installing certificate.
*TransferTask: Apr 16 09:46:40.548: RESULT_CODE:12

Error installing certificate.

Read through that output. You will notice that it keeps trying to install the certificate with the password “OLDCERTKEYHERE” (yes, I cleaned the password from the actual logs). Basically, no matter whether I entered my new password for the PEM certificate via the GUI or the command line, the controller kept using an old, cached password from the past for some reason. We can’t explain it at this point, but if I find the cause I will update this post. I regenerated the certificate and used OLDCERTKEYHERE for the PEM password this time. Re-tried the upload and it all worked immediately. Go figure.

The main reason for this post is so that, if you are getting this error, you know the debugs you might be able to run to try to find the issue. In this case, it was glaringly obvious what the issue was. Hopefully it can do the same for you!
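One way to triage a capture like the one above, as an added example (not from the original post or from Cisco): it finds the first failing step, flags when the password the controller logged differs from the one you entered, and redacts the password, which `debug pm pki enable` prints in cleartext, before the log is shared. The function name, the `NEW-PEM-PASS` value and the line regex are assumptions based on the output shown here.

```python
import re

# Lines taken from the debug output on this page; OLDCERTKEYHERE is the
# author's placeholder, NEW-PEM-PASS below is a constructed value.
SAMPLE = """\
*TransferTask: Apr 16 09:46:40.547: Add WebAuth Cert: Adding certificate & private key using password OLDCERTKEYHERE
*TransferTask: Apr 16 09:46:40.548: Decode & Verify PEM Cert: X509 Cert Verification result text: ok
*TransferTask: Apr 16 09:46:40.548: Decode PEM Private Key: Error reading Private Key from PEM-encoded PKCS12 bundle using password OLDCERTKEYHERE
*TransferTask: Apr 16 09:46:40.548: Add ID Cert: Error decoding / adding cert to ID cert table (verifyChain: TRUE)
*TransferTask: Apr 16 09:46:40.548: RESULT_STRING: Error installing certificate.
"""

# "*Task: Mon DD HH:MM:SS.mmm: message" (format assumed from the capture above)
LINE_RE = re.compile(r"^\*(?P<task>\w+): (?P<ts>\w{3} +\d+ [\d:.]+): (?P<msg>.*)$")
PASSWORD_RE = re.compile(r"(using password )(\S+)")


def analyze(log_text, entered_password):
    """Summarize a 'debug pm pki' capture and return a copy safe to share."""
    used, failed_stage, redacted = set(), None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            msg = m.group("msg")
            used.update(pw for _, pw in PASSWORD_RE.findall(msg))
            # The first "Error" line names the step that actually broke;
            # later errors are the same failure propagating upward.
            if failed_stage is None and "Error" in msg:
                failed_stage = msg.split(":", 1)[0].strip()
        redacted.append(PASSWORD_RE.sub(r"\1<REDACTED>", line))
    return {
        "failed_stage": failed_stage,
        "passwords_used": sorted(used),
        # True when the controller tried something other than what was typed.
        "password_mismatch": bool(used) and used != {entered_password},
        "redacted": "\n".join(redacted),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE, entered_password="NEW-PEM-PASS")
    print("failed stage     :", report["failed_stage"])
    print("password mismatch:", report["password_mismatch"])
    print(report["redacted"])
```
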
