THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|
IOS XE SD-WAN Software | 17 | 17 | 17: Affected releases: 17.3.x, 17.4.x, 17.5.x, 17.6.x, 17.7.x, 17.8.x, 17.9.1, 17.9.2, 17.9.3, 17.9.4, 17.9.5, 17.10.x, 17.11.x, 17.12.1, 17.12.2, 17.12.3, 17.12.4, 17.13.x, 17.14.x, 17.15.1 |
Defect ID | Headline |
---|---|
CSCwi43360 | Cert expiry on Sept 2024 for DNS Security registration to Umbrella cloud |
CSCwm73365 | SSL handshake fails despite umbrella_root_ca.ca with latest certificate being present on the device |
The digital certificate that is used by Cisco Catalyst SD-WAN Routers to register with Cisco Umbrella DNS expired on September 30, 2024. Cisco SD-WAN Routers with the expired certificate will fail to register with the Cisco Umbrella DNS service.
The Cisco Umbrella DNS security solution uses digital certificates during the SSL handshake to establish secure HTTPS connections for device registration. The current SSL certificate on affected Cisco SD-WAN Routers expired on September 30, 2024.
This problem affects all Cisco IOS-XE Software-based routers when they are deployed in autonomous and controller mode and are configured to use the Cisco Umbrella API keys for registration, including the following:
Note: This issue does not affect customers who use token-based authentication for Cisco Umbrella DNS registration. This issue does not affect Cisco Umbrella Secure Internet Gateway (SIG) tunnels.
Affected Cisco Catalyst SD-WAN devices with expired Cisco Umbrella root CA certificates cannot establish secure connections with the Cisco Umbrella DNS for device registration. Because the device is not registered with Cisco Umbrella DNS Service, user DNS requests are not redirected to the Cisco Umbrella domain server by Cisco Catalyst SD-WAN Edge devices for DNS Security policy enforcement. The DNS request from the users behind Cisco Catalyst SD-WAN Edge devices will not be dropped and will be serviced by the DNS domain server that is configured on the devices.
Note: Cisco Catalyst SD-WAN Edge devices that are configured for Cisco Umbrella DNS Security and already in operation will not be impacted until reboot. The expired certificate is used only during device registration with the Cisco Umbrella DNS service, not for individual DNS requests. Device registration occurs when the Cisco Umbrella DNS service is initially configured or when the configured device is rebooted.
Solution
Affected devices must have the expired certificate replaced with the new Umbrella root certificate, which is valid until the year 2035. Customers who do not currently use Cisco Umbrella DNS, but who expect to deploy it in the future, can replace the expired certificate by upgrading the Cisco Catalyst SD-WAN Router software to a release that contains the new certificate. The new certificate is installed automatically during the upgrade.
For affected devices, the following ISRG Root X1 certificate must be downloaded and installed. The installation method depends on the software release that is installed on the affected device.
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
This certificate can also be downloaded from https://letsencrypt.org/certs/isrgrootx1.pem
Complete the following installation instructions that correspond to the software release currently installed on the affected device.
Download the certificate from https://letsencrypt.org/certs/isrgrootx1.pem and copy it to the affected router with scp:
scp ./isrgrootx1.pem admin@<EdgeIP>:trustidrootx3_ca.ca
Substitute <EdgeIP> with the IP address of the affected router.
Alternatively, the new ISRG Root X1 root certificate can be downloaded to Cisco vManage and copied to each affected router. With this method it is not possible to copy the new certificate directly into the router bootflash. Instead, the new certificate must first be copied into a temporary directory and then copied into the final bootflash location while logged in to the router.
vManage# vshell
vManage:~$ pwd
/home/admin
wget https://letsencrypt.org/certs/isrgrootx1.pem --no-check-certificate
scp -P 830 isrgrootx1.pem admin@<EdgeIP>:/bootflash/sdwan/trustidrootx3_ca.ca
Substitute <EdgeIP> with the IP address of the affected router.
Log in to the affected router.
Enter the copy CLI command to copy the new certificate from the temporary location into bootflash.
router# copy bootflash:/sdwan/trustidrootx3_ca.ca bootflash:
Destination filename [trustidrootx3_ca.ca]?
Enter the delete CLI command to remove the certificate file from the temporary location.
router# delete bootflash:/sdwan/trustidrootx3_ca.ca
Download the certificate from https://letsencrypt.org/certs/isrgrootx1.pem and copy it to the affected router with scp:
scp ./isrgrootx1.pem admin@<EdgeIP>:trustidrootx3_ca_092024.ca
Substitute <EdgeIP> with the IP address of the affected router.
Alternatively, the new ISRG Root X1 root certificate can be downloaded to Cisco vManage and copied to each affected router. With this method it is not possible to copy the new certificate directly into the router bootflash. Instead, the new certificate must first be copied into a temporary directory and then copied into the final bootflash location while logged in to the router.
vManage# vshell
vManage:~$ pwd
/home/admin
wget https://letsencrypt.org/certs/isrgrootx1.pem --no-check-certificate
scp -P 830 isrgrootx1.pem admin@<EdgeIP>:/bootflash/sdwan/trustidrootx3_ca_092024.ca
Substitute <EdgeIP> with the IP address of the affected router.
Log in to the affected router.
Enter the copy CLI command to copy the new certificate from the temporary location into bootflash.
router# copy bootflash:/sdwan/trustidrootx3_ca_092024.ca bootflash:
Destination filename [trustidrootx3_ca_092024.ca]?
Enter the delete CLI command to remove the certificate file from the temporary location.
router# delete bootflash:/sdwan/trustidrootx3_ca_092024.ca
To automate the process follow the instructions in the document Update DNS Umbrella Certificate to Work in October 2024 or perform the following steps manually:
router# copy bootflash:umbrella_root_ca_1.ca bootflash:trustidrootx3_ca_092024.ca
Download the certificate from https://letsencrypt.org/certs/isrgrootx1.pem and import it into a trustpoint as follows.
Configure a Trustpoint: If one is not already present, create a trustpoint that will be used to store the certificate.
Router# configure terminal
Router(config)# crypto pki trustpoint MY_TRUSTPOINT_NAME
Router(config-trustpoint)# enrollment terminal
Router(config-trustpoint)# revocation-check none
Router(config-trustpoint)# exit
Router(config)#
Replace MY_TRUSTPOINT_NAME with the name you want to assign to your trustpoint.
Router(config)# crypto pki authenticate MY_TRUSTPOINT_NAME
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
[paste certificate text here]
Certificate has the following attributes:
Fingerprint MD5: 0CD2F9E0 DA1773E9 ED864DA5 E370E74E
Fingerprint SHA1: CABD2A79 A1076A31 F21D2536 35CB039D 4329A5E8
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
Router(config)#exit
Router#
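Because the download step above fetches the file with wget --no-check-certificate, it is worth confirming that the file you are about to copy onto every router is really the ISRG Root X1 certificate with the fingerprints the router displays during crypto pki authenticate. The following script is an added example and not Cisco's or Let's Encrypt's code: it takes the PEM text published in this notice, computes the MD5 and SHA1 fingerprints in the 8-hex-digit grouping IOS XE prints, and reads the notBefore/notAfter dates with a minimal DER walk, using only the Python standard library. The expected fingerprint strings are the ones shown in the trustpoint procedure above; the reference date (2024-10-01) is an assumption chosen to be just after the old certificate's expiry.

```python
import base64
import hashlib
from datetime import datetime, timezone

# The ISRG Root X1 certificate exactly as published in the field notice.
ISRG_ROOT_X1_PEM = """-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----"""

# Fingerprints the field notice says the router displays for this CA.
EXPECTED_MD5 = "0CD2F9E0 DA1773E9 ED864DA5 E370E74E"
EXPECTED_SHA1 = "CABD2A79 A1076A31 F21D2536 35CB039D 4329A5E8"


def pem_to_der(pem):
    """Strip the PEM armor and base64-decode to the DER certificate."""
    lines = [ln.strip() for ln in pem.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)


def cisco_fingerprint(der, algo):
    """Hash the DER bytes and format as 8-hex-digit groups, as IOS XE prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _asn1_time(tag, raw):
    # 0x17 = UTCTime (two-digit year), 0x18 = GeneralizedTime (four-digit year)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def validity(der):
    """Return (notBefore, notAfter) from the tbsCertificate validity field."""
    _, tbs_start, _ = _tlv(der, 0)          # Certificate SEQUENCE
    _, pos, _ = _tlv(der, tbs_start)        # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional explicit [0] version
        pos = end
    for _ in range(3):                      # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, vpos, _ = _tlv(der, pos)             # validity SEQUENCE
    tag_nb, s, e = _tlv(der, vpos)
    not_before = _asn1_time(tag_nb, der[s:e])
    tag_na, s, e = _tlv(der, e)
    return not_before, _asn1_time(tag_na, der[s:e])


def check_replacement(pem, reference=datetime(2024, 10, 1, tzinfo=timezone.utc)):
    """True in 'ok' only if fingerprints match the notice and the CA is valid at reference."""
    der = pem_to_der(pem)
    not_before, not_after = validity(der)
    result = {"md5": cisco_fingerprint(der, "md5"),
              "sha1": cisco_fingerprint(der, "sha1"),
              "not_after": not_after.isoformat()}
    result["ok"] = (result["md5"] == EXPECTED_MD5
                    and result["sha1"] == EXPECTED_SHA1
                    and not_before <= reference < not_after)
    return result


if __name__ == "__main__":
    print(check_replacement(ISRG_ROOT_X1_PEM))
```

Run it against the downloaded isrgrootx1.pem (read the file and pass its contents to check_replacement) before the scp step; if "ok" is False, the file is not the certificate this notice describes and should not be pushed to the routers.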
Version | Description | Section | Date |
---|---|---|---|
1.2 | Updated Solution section to include new options to automate/streamline the process for select software releases. Updated Problem Description and Problem Symptom sections to reflect symptoms observed after the certificate expired on September 30, 2024. | Problem Description, Problem Symptom, Workaround/Solution | 2024-OCT-21 |
1.1 | Updated the solution instructions to avoid bug number CSCwm73365. | Workaround/Solution | 2024-OCT-09 |
1.0 | Initial Release | — | 2024-JUL-30 |
For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:
To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications.