Est enrollment with server failed because of cacerts curl error


2530 trying to connect aruba central even it’s disabled


  • 1. 
    2530 trying to connect aruba central even it’s disabled

    Posted Mar 28, 2018 08:33 AM

    Hi,

    I have 2530 switches running latest software (YA.16.05.0004).

    I have disabled aruba-central since I don’t need it or want to use it.

    sh aruba-central
     Configuration and Status — Aruba Central
      Server URL           : None
      Connected            : No
      Mode                 : NA
      Last Disconnect Time : NA

    Even though it’s disabled, the switch tries to connect and logs a warning message. There is no DNS server configured, so that’s why it says "unable to resolve":

    W 03/26/18 11:32:55 05220 activate: Unable to resolve the Activate server address device.arubanetworks.com.

    I also have a 5406Rzl modular switch with the same "problem". Aruba-central is disabled and it is still trying to connect:

    W 03/23/18 10:49:24 05222 activate: AM1: Error connecting to the Activate server: Activate TLS connection error.
    W 03/23/18 10:49:24 05222 activate: AM1: Error connecting to the Activate server: SSL negotiation failed.
    I 03/23/18 10:49:09 05226 activate: AM1: Successfully resolved the Activate server address device.arubanetworks.com to 104.36.249.201.

    Is there a way to disable aruba-central completely so it won’t write anything to the log, or is this a software bug that needs to be reported?

  • 2. 
    RE: 2530 trying to connect aruba central even it’s disabled

    Best Answer

    Posted May 18, 2018 07:47 AM

    Hi, 

    I think these messages are not related to Aruba Central but to Aruba Activate. Did you already disable activate provisioning and software updates? If not, here are the commands:

    show activate provision (default on)

    To Disable:

    activate provision disable

    show activate software-update (default on)

    To Disable:

    activate software-update disable

    The message is not an error. It’s more or less just saying it can find activate server. 

    Hope this will help you?

    Regards, Dobias

  • 3. 
    RE: 2530 trying to connect aruba central even it’s disabled

    Posted May 22, 2018 08:22 AM

    I’ve been told that the 2530 switches cannot use Activate anyway since they don’t have a TPM chip. So you might as well disable Activate.

  • 4. 
    RE: 2530 trying to connect aruba central even it’s disabled

    Posted May 22, 2018 09:38 AM

    You’re correct I’m very sorry I overlooked your switch type. The 2540 will be supported!

  • 5. 
    RE: 2530 trying to connect aruba central even it’s disabled

    Posted May 22, 2018 09:58 AM

  • 6. 
    RE: 2530 trying to connect aruba central even it’s disabled

    Posted May 24, 2018 05:46 AM

    Just to clarify the TPM comment:

    Aruba 2530 series switches do not have a TPM chip but can be managed by Aruba Central with 16.04 or newer firmware. During the initial contact with Aruba Activate, the 2530 switches receive certificates via EST (Enrollment over Secure Transport), which are then used for connecting to Aruba Central.

    If you don’t want the ArubaOS switches to contact these public Aruba Activate and Central servers, you can disable that in the CLI with the following commands:

    - aruba-central disable
    - activate software-update disable
    - activate provision disable

  • 7. 
    RE: 2530 trying to connect aruba central even it’s disabled

    Posted May 24, 2018 06:12 AM

    Can the 2530 switches also use Activate for connecting to our Airwave server for ZTP with 16.04 or newer firmware?

  • 8. 
    RE: 2530 trying to connect aruba central even it’s disabled

    Posted May 24, 2018 10:28 AM

    I would assume that you can use Activate to ZTP to your Airwave server. But please be advised that only 2530 switches manufactured on or after July 2017 will be available in the Activate database.

  • 9. 
    RE: 2530 trying to connect aruba central even it’s disabled

    Posted May 25, 2018 08:25 AM

    Hi Dobias Van Ingen,

    You are right. I don’t know why I didn’t notice this. I overlooked log files it seems :)

    I have now disabled both activate services and the messages are gone from the log.

    As you said, there is no error. But I just want to keep my logs as clean as possible ;)

  • 10. 
    RE: 2530 trying to connect aruba central even it’s disabled

    Posted Jun 12, 2019 04:48 AM

    Hi!!

    I have the same problem with another Aruba switch model.

    With the commands (activate provision disable, activate software-update disable) the messages no longer appear.

    But I have a doubt about how often the switch tries to connect, because checking another switch that has "activate software-update" and "activate provision" enabled, the warning appears once a week, at the same time, while on the one where I have the problem it appears every 5 minutes.

    Thanks in advance!

  • 11. 
    RE: 2530 trying to connect aruba central even it’s disabled

    Posted Feb 19, 2020 02:22 AM

    353 messages! HOW TO DISABLE IT FOREVER IN ALL LOGS? I don’t want to connect anywhere to aruba central or to have certificates. How to stop it?! Thanks.

    EST enrollment with server failed because of CACERTS curl error.

    EST enrollment with server failed because of CACERTS curl error.

    EST provision with activate server successful. Establishing connection with EST server.

    Successfully resolved the Activate server address device.arubanetworks.com to 54.70.29.7.

    Maximum retries limit have been reached to contact Aruba Central server.Contacting back to Activate server for reprovisioning.

    Connection with EST server failed for 5 retries. Re-connecting with activate server for EST provisioning.

    EST enrollment with server failed because of CACERTS curl error.

    EST enrollment with server failed because of CACERTS curl error.

  • 12. 
    RE: 2530 trying to connect aruba central even it’s disabled

    Best Answer

    Posted Feb 19, 2020 02:55 AM

    There are logs related to Aruba Central and Aruba Activate.

    If you want to disable Aruba Central, or you do not wish your switch to be managed by Aruba Central, issue the below command on the switch.

    Aruba-central disable

    To disable Aruba Activate and software updates via Activate, you can enter the following commands at the switch Config prompt:

      activate provision disable

      activate software-update disable

  • 13. 
    RE: 2530 trying to connect aruba central even it’s disabled

    Posted Feb 22, 2021 10:33 AM

    I have the same problem here at the moment since the update to YA_16_10_0012. But the above commands are displayed as not allowed. What can I do to turn all this off on these 2530 switches anyway?

    ——————————
    Ulrich Krapp
    ——————————

  • 14. 
    RE: 2530 trying to connect aruba central even it’s disabled

    Posted Feb 22, 2021 10:53 AM

    Hi Ulrich, haven’t you tried to enter config mode first? I’ve found no issue in executing commands suggested above (aruba-central disable, activate provision disable and/or activate software-update disable) once into config(uration) mode.

    ——————————
    Davide Poletto
    ——————————

  • 15. 
    RE: 2530 trying to connect aruba central even it’s disabled

    Posted Feb 22, 2021 05:41 PM

    Hi, you’ll need to be in the configuration context as mentioned previously and the command is "no activate provision enable".

    ——————————
    Justin Noonan
    ——————————
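The event-log lines quoted in post 1 and the retry-frequency question in post 10 can both be handled by parsing the switch's own log. The following Go program is an added example (not from the thread or from Aruba): it groups ArubaOS event-log lines by event ID and reports the gap between consecutive retries. The sample lines are constructed to mirror the quoted format; the "ports" line and its event ID are invented.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// ArubaOS event-log line as quoted in the thread:
// "<sev> <MM/DD/YY HH:MM:SS> <event-id> <subsystem>: <message>"
var lineRe = regexp.MustCompile(`^[A-Z] (\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\d{5}) ([\w-]+): `)

// RetryIntervals collects one subsystem's events by event id (lines may be
// newest-first, as in post 1) and returns the gaps between consecutive
// occurrences: post 10's "how often does it retry", read from the log itself.
func RetryIntervals(lines []string, subsystem string) map[string][]time.Duration {
	byID := map[string][]time.Time{}
	for _, l := range lines {
		m := lineRe.FindStringSubmatch(l)
		if m == nil || m[3] != subsystem {
			continue // not an ArubaOS event line, or another subsystem
		}
		t, err := time.Parse("01/02/06 15:04:05", m[1])
		if err != nil {
			continue
		}
		byID[m[2]] = append(byID[m[2]], t)
	}
	out := map[string][]time.Duration{}
	for id, ts := range byID {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		gaps := []time.Duration{}
		for i := 1; i < len(ts); i++ {
			gaps = append(gaps, ts[i].Sub(ts[i-1]))
		}
		out[id] = gaps
	}
	return out
}

// Constructed sample modelled on the thread's excerpts (not real device output; the ports line is invented).
var sample = []string{
	"W 03/26/18 11:42:55 05220 activate: Unable to resolve the Activate server address device.arubanetworks.com.",
	"W 03/26/18 11:37:55 05220 activate: Unable to resolve the Activate server address device.arubanetworks.com.",
	"W 03/26/18 11:32:55 05220 activate: Unable to resolve the Activate server address device.arubanetworks.com.",
	"I 03/26/18 11:30:00 05226 activate: AM1: Successfully resolved the Activate server address device.arubanetworks.com to 104.36.249.201.",
	"I 03/26/18 11:29:00 00076 ports: port 1 is now on-line",
}

func main() {
	for id, gaps := range RetryIntervals(sample, "activate") {
		fmt.Printf("event %s: %d occurrences, gaps between retries %v\n", id, len(gaps)+1, gaps)
	}
}
```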

est


An implementation of the Enrollment over Secure Transport (EST) certificate
enrollment protocol as defined by RFC7030.

The implementation provides:

  • An EST client library;
  • An EST client command line utility using the client library; and
  • An EST server which can be used for testing and development purposes.

The implementation is intended to be mostly feature-complete, including
support for:

  • The optional /csrattrs and /serverkeygen operations, with support for
    server-generated private keys returned with or without additional
    encryption
  • The optional additional path segment
  • Optional HTTP-based client authentication on top of certificate-based
    TLS authentication

In addition, a non-standard operation is implemented enabling EST-like
enrollment using the privacy preserving protocol for distributing credentials
for keys on a Trusted Platform Module (TPM) 2.0 device, as described in Part 1,
section 24 of the Trusted Platform Module 2.0 Library specification.

Installation

go install github.com/globalsign/est/cmd/estserver@latest
go install github.com/globalsign/est/cmd/estclient@latest

Quickstart

Starting the server

When started with no configuration file, the EST server listens on
localhost:8443 and generates a random, transient Certificate Authority (CA)
which can be used for testing:

user@host:$ estserver &
[1] 62405

Refer to the documentation for more details on using a configuration file.

Getting the CA certificates

Because we’re using a random, transient CA, we must retrieve the CA certificates
in insecure mode to establish an explicit trust anchor for subsequent EST
operations. Since we only need the root CA certificate to establish a trust
anchor, we use the -rootout flag:

user@host:$ estclient cacerts -server localhost:8443 -insecure -rootout -out anchor.pem

We will also obtain and store the full CA certificates chain, since we’ll use
it shortly to demonstrate reenrollment. Since we now have an explicit trust
anchor, we can use it instead of the -insecure option. Since we’re storing
the full chain, we don’t use the -rootout option here:

user@host:$ estclient cacerts -server localhost:8443 -explicit anchor.pem -out cacerts.pem

Enrolling with an existing private key

First we generate a new private key, here using openssl:

user@host:$ openssl genrsa 4096 > key.pem
Generating RSA private key, 4096 bit long modulus
.................+++
.............+++
e is 65537 (0x10001)

Then we generate a PKCS#10 certificate signing request, and enroll using the
explicit trust anchor we previously obtained:

user@host:$ estclient csr -key key.pem -cn 'John Doe' -emails 'john@doe.com' -out csr.pem
user@host:$ estclient enroll -server localhost:8443 -explicit anchor.pem -csr csr.pem -out cert.pem

Using a configuration file, we can enroll with a private key resident on a
hardware module, such as a hardware security module (HSM) or a Trusted Platform
Module 2.0 (TPM) device. Refer to the documentation for more details.

Enrolling with a server-generated private key

If we’re unable or unwilling to create our own private key, the EST server can
generate one for us, and return it along with our certificate:

user@host:$ estclient serverkeygen -server localhost:8443 -explicit anchor.pem -cn 'Jane Doe' -out cert.pem -keyout key.pem

Note that we can omit the -csr option when enrolling and the EST client can
dynamically generate a CSR for us using fields passed at the command line and
the private key we specified, or an automatically-generated ephemeral private
key if we are requesting server-side private key generation.

Reenrolling

Whichever way we generated our private key, we can now use it to reenroll.

To reenroll a previously obtained certificate, we must use it to authenticate
ourselves during the TLS handshake with the EST server. Since our random,
transient CA uses an intermediate CA certificate, we must provide a chain of
certificates to the EST client, or the TLS handshake may fail.

Although providing the root CA certificate is optional for a TLS handshake,
the simplest option is to provide the certificate we received along with the
full chain of CA certificates which we previously obtained. To do this, we
can just append those CA certificates to the certificate we received, and
use that chain to reenroll:

user@host:$ cat cert.pem cacerts.pem >> certs.pem
user@host:$ estclient reenroll -server localhost:8443 -explicit anchor.pem -key key.pem -certs certs.pem -out newcert.pem

Note that when we omit the -csr option when reenrolling, the EST client
automatically generates a CSR for us by copying the subject field and subject
alternative name extension from the certificate we’re renewing.
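As an added example (not code from the globalsign/est project), the following Go program derives a reenrollment CSR from the old certificate the way the passage above describes, and applies the matching check an EST server performs on such a request. The certificate is a constructed self-signed fixture standing in for cert.pem.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RenewalCSR builds the PKCS#10 request for reenrolling cert the way the README describes for an
// omitted -csr: Subject and SANs are copied from the old certificate, and key signs the request.
func RenewalCSR(cert *x509.Certificate, key *ecdsa.PrivateKey) (*x509.CertificateRequest, error) {
	tmpl := &x509.CertificateRequest{Subject: cert.Subject, DNSNames: cert.DNSNames,
		EmailAddresses: cert.EmailAddresses, IPAddresses: cert.IPAddresses, URIs: cert.URIs}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	return csr, csr.CheckSignature() // proof of possession of the private key
}

// MatchesForReenroll is the check RFC 7030 section 4.2.2 places on the server: the request's
// Subject and SubjectAltName must equal those of the certificate the client authenticated with.
func MatchesForReenroll(csr *x509.CertificateRequest, cert *x509.Certificate) bool {
	return csr.Subject.String() == cert.Subject.String() && strings.Join(csr.DNSNames, ",") == strings.Join(cert.DNSNames, ",") &&
		strings.Join(csr.EmailAddresses, ",") == strings.Join(cert.EmailAddresses, ",")
}

// selfSigned constructs a stand-in for cert.pem (test fixture, not an EST-issued certificate).
func selfSigned(cn, email string, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		EmailAddresses: []string{email}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above; parsing cannot fail
	return c
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert := selfSigned("John Doe", "john@doe.com", key)
	if csr, err := RenewalCSR(cert, key); err == nil {
		fmt.Println("subject/SAN match:", MatchesForReenroll(csr, cert))
	}
}
```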

I am trying to send a GET request with PHP curl, passing a certificate

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, True);
curl_setopt($ch, CURLOPT_POST, True);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_VERBOSE, true);
$pemFile = tmpfile();
fwrite($pemFile, "demo-cert.p12");//the path for the pem file
$tempPemPath = stream_get_meta_data($pemFile);
$tempPemPath = $tempPemPath['uri'];
curl_setopt($ch, CURLOPT_SSLCERT, $tempPemPath);
$result = curl_exec($ch);
if (!$result)
{
    echo "Curl Error: " . curl_error($ch);
}
else
{
    echo "Success: ". $result;
}

But I don't know how to pass the "password", so I get this error

Curl Error: could not load PEM client certificate, OpenSSL error error:0906D06C:PEM 
routines:PEM_read_bio:no start line, (no key found, wrong pass phrase, or wrong file format?)

[Update]

Changed demo-cert.p12 to demo-cert.pem, which exists alongside the PHP file, but it still causes the same problem because the password is not sent. The certificate folder contains 2 more files: demo -comdated.pem and demo-key.pem, but the password must be sent first.

[Update 2]

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, True);
curl_setopt($ch, CURLOPT_POST, True);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_SSLCERT, 'demo-key.pem');
curl_setopt($ch, CURLOPT_SSLKEY, 'demo-cert.pem');
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, 'pass');
curl_setopt($ch, CURLOPT_SSLKEYPASSWD, 'pass');

These files are stored together with the PHP file in the same directory. I still get the same error.

[Update 3]

How do I edit the code to send the server certificate?

curl --show-error --verbose --cacert server-cert.pem --cert cert2.pem

curl_setopt($ch, CURLOPT_SSLCERT, 'demo-cert.pem');
curl_setopt($ch, CURLOPT_SSLKEY, 'demo-key.pem');

Result:

Success: SOAP-ENV:ClientData required for operation

The XML data is not returned the way it is when opening the same URL in a browser. What's wrong?

Are you facing a curl error 77 problem with the SSL CA cert while curling an SSL website?

One of the main reasons for this error is broken or missing SSL chain certificate files on the server.

At Bobcares, we help our customers to fix similar SSL errors as part of our Server Management Services.

Today, let’s discuss the details on how to fix this error.

What is curl error 77 problem with the SSL CA cert?

Curl error 77 is a server-side error. It indicates that the chain certificate files are missing or “broken”. Usually, this error is caused simply by outdated SSL certificate(s) for cURL installed on the server. Wrong or incomplete configuration settings on the server can also trigger the error on the website.

The error looks like,

Frequently, some websites’ PHP scripts fail with curl error 77 on Plesk servers. The website then shows the following error:

cURL error (77): Problem with the SSL CA cert (path? access rights?)

This error occurs when PHP cURL uses an outdated set of root certificates to verify server certificates.

How to fix curl error 77 problem with the SSL CA cert

Now, let’s see how our Support Engineers fix curl error 77 for our customers.

Curling an SSL website can result in the error curl: (77) Problem with the SSL CA cert (path? access rights?) on certain servers.

This error is the result of SSL chain certificate files in the PKI directory being corrupted or missing.

Therefore, we make sure the files /etc/pki/tls/certs/ca-bundle.crt and /etc/pki/tls/certs/ca-bundle.trust.crt exist on the server. If they do not exist, we set them up for our customers.

Sometimes, the error gets resolved by removing and reinstalling the CA certificate bundle.

In a CentOS server, we use the below commands to remove ca-bundle and to install a ca-certificate.

rm -f /etc/ssl/certs/ca-bundle.crt

yum reinstall -y ca-certificates

In Plesk servers, adding the following lines to %plesk_dir%\admin\conf\panel.ini solves the error. By default,

%plesk_dir% is C:\Program Files (x86)\Plesk

[php]
curlCertificatesUrl="http://curl.haxx.se/ca/cacert.pem"

Insufficient user permission

Sometimes the curl requests to https:// addresses stop working for cPanel users, while the root user can still run the curl -I -v https://google.com command without any issue.

The problem is due to insufficient permissions of the user. The user who is trying to run curl -I -v https://google.com doesn’t have enough permission to access the /etc/pki directory, because the user only has jailed SSH access.

So, our Support Engineers fix the error by granting full access to the user.

Other common SSL certificate problems

Similarly, the error SSL certificate problem: Unable to get local issuer certificate can occur when a self-signed certificate cannot be verified, or it shows that the root certificates on the system are not working correctly.

Also, it is important to note that this applies to the system sending the cURL request, and NOT the server receiving the request.

To fix the error,

1. First, download cacert.pem from https://curl.haxx.se/ca/cacert.pem

2. Add the following line to php.ini:

curl.cainfo="/path/to/downloaded/cacert.pem"

Furthermore, if the server is shared hosting, add the above value to .user.ini file in the public_html folder.

3. Restart PHP

Now, CURL is able to read HTTPS URL without any error.


Conclusion

In short, the curl error 77 problem with the SSL CA cert occurs when SSL chain certificate files are missing or broken. Today, we saw how our Support Engineers fixed this error.
