Field Notice: FN74166 - Expired Device Certificate Causes Cisco SD-WAN Umbrella DNS Connections to Fail - Software Upgrade Recommended

Available Languages

Updated:October 21, 2024
Document ID:FN74166

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

High
Impact Rating:
High
First Published:
2024-Jul-30
Last Published:
2024-Oct-21
Revision:
1.2
Cisco Bug IDs:

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected


Affected Software Product Affected Release Affected Release Number Comments
IOS XE SD-WAN Software 17 17 17: Affected releases: 17.3.x, 17.4.x, 17.5.x, 17.6.x, 17.7.x, 17.8.x, 17.9.1, 17.9.2, 17.9.3, 17.9.4, 17.9.5, 17.10.x, 17.11.x, 17.12.1, 17.12.2, 17.12.3, 17.12.4, 17.13.x, 17.14.x, 17.15.1

Defect Information


Defect IDHeadline
CSCwi43360Cert expiry on Sept 2024 for DNS Security registration to Umbrella cloud
CSCwm73365SSL handshake fails despite umbrella_root_ca.ca with latest certificate being present on the device

Problem Description


The digital certificate that is used by Cisco Catalyst SD-WAN Routers to register with Cisco Umbrella DNS expired on September 30, 2024. Cisco SD-WAN Routers with the expired certificate will fail to register with the Cisco Umbrella DNS service.


Background


The Cisco Umbrella DNS security solution uses digital certificates during the SSL handshake to establish secure HTTPS connections for device registration. The current SSL certificate on affected Cisco SD-WAN Routers expired on September 30, 2024.

This problem affects all Cisco IOS-XE Software-based routers when they are deployed in autonomous and controller mode and are configured to use the Cisco Umbrella API keys for registration, including the following:

  • Aggregation Services Routers (ASRs)
  • Catalyst 8000 Routers
  • Catalyst 8000v Edge
  • Catalyst IR Rugged Series Routers
  • CSR 1000v Cloud Services Routers
  • Integrated Services Routers (ISRs)
  • Integrated Services Virtual Routers (ISRVs)

Note: This issue does not affect customers who are using the Token-based authentication for the Cisco Umbrella DNS registration. This issue does not impact Cisco Umbrella Secure Internet Gateway (SIG) Tunnels.


Problem Symptom


Affected Cisco Catalyst SD-WAN devices with expired Cisco Umbrella root CA certificates cannot establish secure connections with the Cisco Umbrella DNS for device registration. Because the device is not registered with Cisco Umbrella DNS Service, user DNS requests are not redirected to the Cisco Umbrella domain server by Cisco Catalyst SD-WAN Edge devices for DNS Security policy enforcement. The DNS request from the users behind Cisco Catalyst SD-WAN Edge devices will not be dropped and will be serviced by the DNS domain server that is configured on the devices.

Note: Cisco Catalyst SD-WAN Edge devices that are configured for Cisco Umbrella DNS Security and already in operation will not be impacted until reboot. The expired certificate is used only during device registration with the Cisco Umbrella DNS service, not for individual DNS requests. Device registration occurs when the Cisco Umbrella DNS service is initially configured or when the configured device is rebooted.


Workaround/Solution


Solution

Affected devices must have the affected certificate replaced with a new Umbrella root certificate that is valid until the year 2035. Customers who do not currently use Cisco Umbrella DNS, but who expect to deploy it in the future can replace the affected certificate by upgrading the Cisco Catalyst SD-WAN Router software to a release that contains the new certificate. The new certificate is installed automatically during the upgrade.

For affected devices, the following X1 certificate must be downloaded and installed. The installation method depends on the software release that is installed on the affected device.

-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----

This certificate can also be downloaded from https://letsencrypt.org/certs/isrgrootx1.pem

Complete the following installation instructions that correspond to the software release currently installed on the affected device.

Cisco Devices That Are Running Cisco IOS XE Software Release 17.5.x or Earlier in Controller Mode

  1. Download the new unexpired certificate from the following website and place it on a device that has access to the affected router(s) in the SD-WAN overlay: 
    https://letsencrypt.org/certs/isrgrootx1.pem
  2. Enter the Linux scp command or similar mechanism to perform a secure file copy from the download device onto each affected router. For example: 
    scp ./isrgrootx1.pem admin@<EdgeIP>:trustidrootx3_ca.ca

    Substitute <EdgeIP> with the IP address of the affected router.

  3. Once the file copy completes, reload the router to complete the installation process.

Alternatively, the new ISRG Root X1 rooted certificate can be downloaded to Cisco vManage and copied to each affected router. It is not possible to copy the new certificate directly into the router bootflash with this method. Instead, the new certificate must be copied into a temporary directory first and then copied into the final bootflash location while logged into the router.

  1. Log in to Cisco vManage and access vshell. 
    vManage# vshell
    vManage:~$ pwd
    /home/admin
  2. Download the new unexpired certificate from letsencrypt.org. 
    wget https://letsencrypt.org/certs/isrgrootx1.pem --no-check-certificate
  3. Enter the Linux scp command to perform a secure file copy from Cisco vManage into a temporary location on each affected router. For example: 
    scp -P 830 isrgrootx1.pem admin@<EdgeIP>:/bootflash/sdwan/trustidrootx3_ca.ca

    Substitute <EdgeIP> with the IP address of the affected router.

  4. Log in to the affected router.

  5. Enter the copy CLI command to copy the new certificate from the temporary location into bootflash.

    router# copy bootflash:/sdwan/trustidrootx3_ca.ca bootflash:
         Destination filename [trustidrootx3_ca.ca]?

  6. Enter the delete CLI command to remove the certificate file from the temporary location.

    router# delete bootflash:/sdwan/trustidrootx3_ca.ca
  7. Reload the router to complete the certificate installation process.

Cisco Devices That Are Running Cisco IOS XE Software Release 17.6.x to 17.8.x in Controller Mode

  1. Download the new unexpired certificate from the following website and place it on a device that has access to the affected router(s) in the SD-WAN overlay: 
    https://letsencrypt.org/certs/isrgrootx1.pem
  2. Enter the Linux scp command or similar mechanism to perform a secure file copy from the download device onto each affected router. For example: 
    scp ./isrgrootx1.pem admin@<EdgeIP>:trustidrootx3_ca_092024.ca

    Substitute <EdgeIP> with the IP address of the affected router.

  3. Once the file copy completes, reload the router to complete the installation process.

Alternatively, the new ISRG Root X1 rooted certificate can be downloaded to Cisco vManage and copied to each affected router. It is not possible to copy the new certificate directly into the router bootflash with this method. Instead, the new certificate must be copied into a temporary directory first and then copied into the final bootflash location while logged into the router.

  1. Log in to Cisco vManage and access vshell. 
    vManage# vshell
    vManage:~$ pwd
    /home/admin
  2. Download the new unexpired certificate from letsencrypt.org. 
    wget https://letsencrypt.org/certs/isrgrootx1.pem --no-check-certificate
  3. Enter the Linux scp command to perform a secure file copy from Cisco vManage into a temporary location on each affected router. For example: 
    scp -P 830 isrgrootx1.pem admin@<EdgeIP>:/bootflash/sdwan/trustidrootx3_ca_092024.ca

    Substitute <EdgeIP> with the IP address of the affected router.

  4. Log in to the affected router.

  5. Enter the copy CLI command to copy the new certificate from the temporary location into bootflash.

    router# copy bootflash:/sdwan/trustidrootx3_ca_092024.ca bootflash:
         Destination filename [trustidrootx3_ca_092024.ca]?

  6. Enter the delete CLI command to remove the certificate file from the temporary location.

    router# delete bootflash:/sdwan/trustidrootx3_ca_092024.ca
  7. Reload the router to complete the certificate installation process.

Cisco Devices That Are Running Cisco IOS XE Software Release 17.9.x to 17.12.x in Controller Mode

To automate the process follow the instructions in the document Update DNS Umbrella Certificate to Work in October 2024 or perform the following steps manually:

  1. Log in to Cisco vManage.
  2. Choose Administration > Settings > Umbrella DNS Certificate.
  3. In the Umbrella Root Certificate window, delete the old certificate text and paste in the new certificate. Alternatively, upload the certificate from a file by choosing the Select a File option.
  4. Click Save. Cisco vManage will now push the new certificate file to each affected device.
  5. After the file has been pushed to each device, a copy must be created on each device to ensure that the new certificate is used for all subsequent registration requests.  
  6. Log in to each affected device.
  7. Use the copy CLI command to copy the file that was pushed to the new Umbrella digital certificate file by Cisco vManage, as shown in the following example: 
    router# copy bootflash:umbrella_root_ca_1.ca bootflash:trustidrootx3_ca_092024.ca

Cisco Devices That Are Running Cisco IOS XE Software Release 17.13.x or later in Controller Mode

To automate the process follow the instructions in the document Update DNS Umbrella Certificate to Work in October 2024 or perform the following steps manually:

  1. Log in to Cisco vManage.
  2. Choose Administration > Settings.
  3. Choose Cloud Credentials.
  4. Choose Umbrella DNS Certificate.
  5. Paste the new certificate in the edit window. Alternatively, upload the certificate from a file by choosing the Select a File option.
  6. Click Save. Cisco vManage will now push the new certificate file to each affected device.
  7. After the file has been pushed to each device, a copy must be created on each device to ensure that the new certificate is used for all subsequent registration requests.  
  8. Log in to each affected device.
  9. Use the copy CLI command to copy the file that was pushed to the new Umbrella digital certificate file by Cisco vManage, as shown in the following example: 
    router# copy bootflash:umbrella_root_ca_1.ca bootflash:trustidrootx3_ca_092024.ca

   

 

Cisco Devices That Are Running Any Affected Release of Cisco IOS XE Software in Autonomous Mode

      1. Download the new unexpired certificate from the following web site: 
        https://letsencrypt.org/certs/isrgrootx1.pem
      2. Log in to the affected device.

      3. Configure a Trustpoint: If one is not already present, create a trustpoint that will be used to store the certificate.

        Router# configure terminal
        Router(config)# crypto pki trustpoint MY_TRUSTPOINT_NAME
        Router(config-trustpoint)# enrollment terminal
        Router(config-trustpoint)# revocation-check none
        Router(config-trustpoint)# exit
        Router(config)#

        Replace MY_TRUSTPOINT_NAME with the name you want to assign to your trustpoint.

      4. Import the Certificate: Use the crypto pki authenticate CLI config command to import the certificate by pasting in the text from the certificate file downloaded in step 1. 
        Router(config)# crypto pki authenticate MY_TRUSTPOINT_NAME

        Enter the base 64 encoded CA certificate.
        End with a blank line or the word "quit" on a line by itself
        [paste certificate text here]
        Certificate has the following attributes:
               Fingerprint MD5: 0CD2F9E0 DA1773E9 ED864DA5 E370E74E 
              Fingerprint SHA1: CABD2A79 A1076A31 F21D2536 35CB039D 4329A5E8 
        % Do you accept this certificate? [yes/no]: yes
        Trustpoint CA certificate accepted.
        % Certificate successfully imported 
        Router(config)#exit
        Router#

Revision History


VersionDescriptionSectionDate
1.2Updated Solution section to include new options to automate/streamline the process for select software releases. Updated Problem Description and Problem Symptom sections to reflect symptoms observed after the certificate expired on September 30, 2024.Problem Description, Problem Symptom, Workaround/Solution2024-OCT-21
1.1Updated the solution instructions to avoid bug number CSCwm73365.Workaround/Solution2024-OCT-09
1.0Initial Release2024-JUL-30

For More Information

For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:

Receive Email Notification About New Field Notices

To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products