I took the CSR of the WebAuth certificate from the WLC controller to be able to generate the signed certificate. Then I added the root certificate, which can be found at https://letsencrypt.org/certs/isrgrootx1.pem.txt, after the intermediate certificate. My final certificate contains:
signed certificate
intermediate certificate
Root certificate
It is impossible to put it on the Cisco WLS controller. Looking more closely, the root certificate provided by Let’s Encrypt has an issuer and a subject different from those of the intermediate certificate.
The intermediate certificate:
ISSUER: CN = DST Root CA X3,O = Digital Signature Trust Co
SUBJECT: CN = Let’s Encrypt Authority X3, O = Let’s Encrypt, C = US
The Root certificate provided by Let’s Encrypt:
ISSUER: CN = ISRG Root X1, O = Internet Security Research Group, C = US
SUBJECT: CN = ISRG Root X1, O = Internet Security Research Group, C = US
How can I find the right Root certificate ( CN = DST Root CA X3,O = Digital Signature Trust Co) so I can push it on the controller?
Impossible why? Any error? Let's Encrypt intermediate certificates are cross-signed, so the DST Root CA X3 or ISRG Root X1 root certificates should complete the chain. Are you sure you need to include the root certificate? Also, LE certificates are valid for 90 days, so you should repeat the same process every 60-90 days... just in case you didn't know that.
I downloaded TrustID X3 which is fine: CN = DST Root CA X3, O = Digital Signature Trust Co. I add it after my intermediate certificate.
But I don’t understand: the WLS controller is returning “certificate is not yet valid”. If you have any idea, I’m a taker.
@sebasti1, sorry, but I’ve no idea why your WLS controller returns “certificate is not yet valid”; I’ve never used it. Maybe other colleagues have some experience with Cisco products and could help you, or maybe you could post this question on the Cisco forums; you should get more help there.
"certificate is not yet valid"? Is that exactly what it says, word for word? It sounds like it's rejecting the certificate because it thinks the certificate is a time traveler from the future.
(Certificates have both an expiration date and a date when they start to be valid.)
Let's Encrypt certificates are valid starting 1 hour before they were issued. Can you check if the thing's clock is correct? Does it think it's yesterday? Or the year 2000 or something?
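Added example, not part of any post in this thread: a pre-upload check of the two problems discussed above, run over the text that `openssl x509 -noout -subject -issuer -dates` prints for each certificate in the bundle. It verifies that each certificate's issuer is the subject of the next one and that the device clock falls inside every validity window; it compares names and dates only, not signatures. The host name and all dates are constructed sample values, and the function names are assumptions.

```python
import re
from datetime import datetime, timezone

DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # as printed by `openssl x509 -dates`

def parse_bundle(text):
    """Parse blank-line-separated `openssl x509 -noout -subject -issuer -dates` output."""
    certs = []
    for block in text.strip().split("\n\n"):
        cert = {}
        for line in block.strip().splitlines():
            key, _, value = line.strip().partition("=")
            if key in ("notBefore", "notAfter"):
                cert[key] = datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)
            else:  # names compared as text with spacing normalised (simplification)
                cert[key] = re.sub(r"\s*([=,])\s*", r"\1", value)
        certs.append(cert)
    return certs

def check_bundle(certs, device_clock):
    """Return (position, problem) pairs; position 0 is the server certificate."""
    problems = []
    for i, cert in enumerate(certs):
        if device_clock < cert["notBefore"]:
            problems.append((i, "not yet valid"))
        elif device_clock > cert["notAfter"]:
            problems.append((i, "expired"))
        if i + 1 < len(certs) and cert["issuer"] != certs[i + 1]["subject"]:
            problems.append((i + 1, "subject differs from issuer of previous cert"))
    return problems

# Constructed sample data: names follow the thread, host name and all dates are made up.
LEAF = """subject=CN = hotspot.example.test
issuer=CN = Let's Encrypt Authority X3, O = Let's Encrypt, C = US
notBefore=Jun 10 09:00:00 2019 GMT
notAfter=Sep 08 09:00:00 2019 GMT"""
INTERMEDIATE = """subject=CN = Let's Encrypt Authority X3, O = Let's Encrypt, C = US
issuer=CN = DST Root CA X3, O = Digital Signature Trust Co
notBefore=Jan 01 00:00:00 2016 GMT
notAfter=Jan 01 00:00:00 2021 GMT"""
ISRG_ROOT = """subject=CN = ISRG Root X1, O = Internet Security Research Group, C = US
issuer=CN = ISRG Root X1, O = Internet Security Research Group, C = US
notBefore=Jan 01 00:00:00 2015 GMT
notAfter=Jan 01 00:00:00 2035 GMT"""
DST_ROOT = """subject=CN = DST Root CA X3, O = Digital Signature Trust Co
issuer=CN = DST Root CA X3, O = Digital Signature Trust Co
notBefore=Jan 01 00:00:00 2015 GMT
notAfter=Jan 01 00:00:00 2035 GMT"""
```

Calling `check_bundle(parse_bundle("\n\n".join([LEAF, INTERMEDIATE, ISRG_ROOT])), clock)` flags position 2, because that root's subject is not the issuer named in the intermediate; a `clock` earlier than a certificate's `notBefore` yields "not yet valid" for that position.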
I managed to put the Let’s Encrypt certificate on the WLC controller. The hotspot in my hotel is now secure. But I still have a problem with Google Chrome, which doesn’t send me directly to the hotel’s hotspot page, whereas when I open Firefox or Internet Explorer they send me directly to the hotspot page of the hotel.
Would you have a solution for Chrome to redirect me directly to the Hotel’s Hotspot page?
@sebasti1, maybe you could try running Wireshark on your device in order to compare what the various browsers are doing on your network, or to compare what your network is doing with what other networks are doing.