Meraki

Community

Custom Hostname Cert issues AutoVPN - ZeroSSL

Solved
ToryDav
Building a reputation
‎Feb 3 2023 1:33 PM
‎Feb 3 2023 1:33 PM

Custom Hostname Cert issues AutoVPN - ZeroSSL

Hello,

Do you think it is possible to use a certificate from Zero SSL? I have applied a static IP on my MX, configured public DNS A record to resolve to my desired domain name, generated the CSR in Dashboard, pasted that into the feild where applicable for Zero SSL to generate my Cert. I get back the certificate and ca_bundle, but when I upload these I get error messages back and can't seem to get anywhere.

Anyone have a recommendation to get this working for a free or low-cost certificate? I like Zero SSL, but if I can't use them.. 

Error :



"

There were errors in uploading the certificates.

Unknown Error Failed verifying Device Cert with Cert Chain

"

I'd love to finally see this work so I can better help my customers move over to Anyconnect on MX.

Labels:
0 Kudos
1 Accepted Solution
ToryDav
Building a reputation
‎Feb 5 2023 5:41 AM
‎Feb 5 2023 5:41 AM

I took another crack at this and did successfully upload and save my certificate generated from www.zerossl.com this morning.

I used https://whatsmychaincert.com/ to generate the correct certificate chain and checked the box to include the root certificate. 

This chain, with the ZEROSSL certificate was the winning combo. I did not use the ca_bundle.crt provided by ZERO SSL.

I will write up a tutorial on how I did this and share soon.

Cheers

View solution in original post

10 Replies 10
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 3 2023 3:44 PM
‎Feb 3 2023 3:44 PM

Nope, SSL is required to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and convey trust to users. The chain of trust of a certificate chain is an ordered list of certificates, containing an end-user signer certificate and intermediate certificates (which represent the intermediate CA), which allows the recipient to verify that the sender and all intermediate certificates are trusted.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 3 2023 3:45 PM
‎Feb 3 2023 3:45 PM

Also check it: https://letsencrypt.org/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
ToryDav
Building a reputation
‎Feb 5 2023 5:24 AM
‎Feb 5 2023 5:24 AM

Hi @alemabrahao, thanks for the reply. ZeroSSL is actually the name of the company I get my SSL certificate from. 

I just don't know how to get the correct certificate chain as the bundle they provide doesn't seem to work for Meraki AutoVPN

https://zerossl.com/

0 Kudos
In response to ToryDav
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 5 2023 5:48 AM
‎Feb 5 2023 5:48 AM

Oh, I got it. I had never heard of them, but I thought it was interesting.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
ToryDav
Building a reputation
‎Feb 5 2023 6:06 AM
‎Feb 5 2023 6:06 AM

I had never heard of them either. So far I like them, fast and easy 90 day certificates. What's really neat to me is the API. Haven't tested it too much yet however.

ToryDav_0-1675606159548.png

https://zerossl.com/developer/

0 Kudos
In response to alemabrahao
AlexP
Meraki Employee
Meraki Employee
‎Apr 6 2023 10:37 AM
‎Apr 6 2023 10:37 AM

FYI, as the answer in this thread ultimately alludes to, we require a self-signed root as part of the uploaded chain in addition to any intermediates required to validate the end-device certificate.

0 Kudos
ToryDav
Building a reputation
‎Feb 5 2023 5:41 AM
‎Feb 5 2023 5:41 AM

I took another crack at this and did successfully upload and save my certificate generated from www.zerossl.com this morning.

I used https://whatsmychaincert.com/ to generate the correct certificate chain and checked the box to include the root certificate. 

This chain, with the ZEROSSL certificate was the winning combo. I did not use the ca_bundle.crt provided by ZERO SSL.

I will write up a tutorial on how I did this and share soon.

Cheers

In response to ToryDav
ehutson82
Here to help
‎Mar 28 2023 1:47 PM
‎Mar 28 2023 1:47 PM

Hi,

 

I'm trying to get this going with the zerossl cert however it's still not working, what steps did you take to get it going? I generated chain with the root cert through whatsmychaincert.com and still get the "

  • Unknown Error Failed verifying Device Cert with Cert Chain" Error. I see that you were able to get this done successfully, can you give tips on how?
0 Kudos
In response to ehutson82
_Pietro
Here to help
‎Apr 5 2023 6:40 AM
‎Apr 5 2023 6:40 AM

Hi, 

Paste the contents of the issued cert (open in notepad for example) and check off include root.

If you didn't navigate away from the Meraki Dashboard page and still have the cert upload "popup" open, close the error message and try again. 

0 Kudos
In response to _Pietro
ehutson82
Here to help
‎Apr 5 2023 1:56 PM
‎Apr 5 2023 1:56 PM

So once you hit generate chain, do you upload what is downloaded to your machine? If so to what part on the client VPN setup: Upload Device Certificate as .cer in base64 ASCII format, .pem, or .crt or Upload CA certificate or chained certificate (combined CA and Intermediate certs) as .cer in base64 ASCII format, .pem, or .crt?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.