
AP cannot join the WLC and reports that the certificate has expired. How can this be resolved?

eewozhang99087
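Level 1
I telnetted into the AP and found the messages below. Is it the WLC's certificate that has expired, or the WLC itself that has expired?
After I set the WLC's time back to an earlier date, the AP came online briefly and then dropped off again. How should I resolve this?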
GigabitEthernet0 assigned DHCP address 10.1.11.102, mask 255.255.255.0, hostname APa44c.116e.0350
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (10.1.11.1)
*Mar 1 00:32:33.836: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar 1 00:32:42.836: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Mar 1 00:32:52.836: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*May 28 17:24:16.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.11.11 peer_port: 5246
*May 28 17:24:17.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*May 28 17:24:17.100: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 1321D73300000025B5D0) has expired. Validity period ended on 20:34:38 UTC Sep 4 2017
*May 28 17:24:17.101: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*May 28 17:24:17.101: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*May 28 17:24:17.101: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:326 Certificate verified failed!
*May 28 17:24:17.102: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.1.11.11
*May 28 17:24:17.102: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.1.11.11:5246
*May 28 17:24:17.102: %DTLS-3-BAD_RECORD: Erroneous record received from 10.1.11.11: Malformed Certificate
*May 28 17:24:17.102: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 10.1.11.11:5246
*May 28 17:24:17.102: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*May 28 17:25:21.043: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 28 17:25:21.043: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 28 17:25:31.064: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*May 28 17:25:31.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.11.11 peer_port: 5246
*May 28 17:25:31.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*May 28 17:25:31.099: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 1321D73300000025B5D0) has expired. Validity period ended on 20:34:38 UTC Sep 4 2017
*May 28 17:25:31.101: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*May 28 17:25:31.101: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*May 28 17:25:31.101: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:326 Certificate verified failed!
*May 28 17:25:31.101: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.1.11.11
*May 28 17:25:31.101: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.1.11.11:5246
*May 28 17:25:31.101: %DTLS-3-BAD_RECORD: Erroneous record received from 10.1.11.11: Malformed Certificate
*May 28 17:26:36.042: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 28 17:26:36.042: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 28 17:26:46.063: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*May 28 17:26:46.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.11.11 peer_port: 5246
*May 28 17:26:46.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*May 28 17:26:46.100: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 1321D73300000025B5D0) has expired. Validity period ended on 20:34:38 UTC Sep 4 2017
*May 28 17:26:46.101: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*May 28 17:26:46.101: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*May 28 17:26:46.101: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:326 Certificate verified failed!
*May 28 17:26:46.101: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.1.11.11
*May 28 17:26:46.101: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.1.11.11:5246
*May 28 17:26:46.101: %DTLS-3-BAD_RECORD: Erroneous record received from 10.1.11.11: Malformed Certificate
5 replies

wuhao0015
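Spotlight
How old is this equipment? Set the time on the relevant devices to before September 4, 2017 and try again. Finally, I recommend upgrading the controller version.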

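It looks like a certificate problem. There are two approaches:
1. As the poster above said, change the WLC's time and see whether that works.
2. Try config ap lifetime-check mic enable to ignore the certificate check. On somewhat newer versions, use config ap cert-expiry-ignore {mic|ssc} enable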
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

For reference: https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

iliaodong
Level 1
I suggest the OP state clearly which WLC and which devices these are; otherwise it is hard for everyone to give advice~

dongzwan
Cisco Employee
Try the method mentioned above and ignore the certificate expiry check.
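
The console output in the question already carries the certificate serial number, the end of its validity period and the peer address. The following is an added example (not part of the thread and not Cisco code) that extracts them and checks whether a candidate device clock falls before the logged expiry; the function names and the candidate clock values are assumptions, and SAMPLE_LOG is an excerpt of the lines posted above.

```python
import re
from datetime import datetime, timezone

# Excerpt of the AP console lines posted in the question (two join attempts).
SAMPLE_LOG = """\
*May 28 17:24:17.100: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 1321D73300000025B5D0) has expired. Validity period ended on 20:34:38 UTC Sep 4 2017
*May 28 17:24:17.101: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*May 28 17:24:17.102: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.1.11.11
*May 28 17:25:31.099: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 1321D73300000025B5D0) has expired. Validity period ended on 20:34:38 UTC Sep 4 2017
*May 28 17:25:31.101: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.1.11.11
"""

EXPIRED = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED:.*?\(SN: (?P<sn>[0-9A-Fa-f]+)\) has expired\. "
    r"Validity period ended on (?P<end>\d{2}:\d{2}:\d{2} UTC \w{3} +\d{1,2} \d{4})")
BAD_CERT = re.compile(r"%DTLS-4-BAD_CERT:.*Peer IP: (?P<ip>[\d.]+)")


def parse_expired_certs(log_text):
    """Return {serial: {"not_after", "failures", "peers"}} from AP console output."""
    certs, last_sn = {}, None
    for line in log_text.splitlines():
        m = EXPIRED.search(line)
        if m:
            last_sn = m["sn"].upper()
            # Collapse padded day fields ("Sep  4") before parsing the date.
            end = datetime.strptime(" ".join(m["end"].split()),
                                    "%H:%M:%S UTC %b %d %Y")
            entry = certs.setdefault(last_sn, {
                "not_after": end.replace(tzinfo=timezone.utc),
                "failures": 0, "peers": set()})
            entry["failures"] += 1
            continue
        m = BAD_CERT.search(line)
        if m and last_sn:
            # The BAD_CERT line after a PKI error names the peer whose chain failed.
            certs[last_sn]["peers"].add(m["ip"])
    return certs


def clock_passes_expiry(certs, clock):
    """Per serial: True if `clock` is not later than the logged end of validity.
    The AP log timestamps carry no year, so the clock must be supplied."""
    return {sn: clock <= c["not_after"] for sn, c in certs.items()}


if __name__ == "__main__":
    found = parse_expired_certs(SAMPLE_LOG)
    for sn, c in found.items():
        print(sn, c["not_after"].isoformat(), c["failures"], sorted(c["peers"]))
    print(clock_passes_expiry(found, datetime(2017, 9, 1, tzinfo=timezone.utc)))
```

The log reports only the end of validity, so this checks the expiry bound alone and not the certificate's start date.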