AP image integrity check FAILED
# Description
This post covers a problem that appears when an AP running under AireOS updates its image; it may apply equally when other, older APs run into a similar problem!
# Models
- WLC5508
- AP1602
- software: from 8.5.182 to 8.3.143
# Operations involved
- Downgrade the WLC5508 from software version 8.5.182 to 8.3.143;
- Downloading the AP image via predownload fails;
- After rebooting the WLC, the AP re-registers with the WLC and image synchronisation fails again;
# Key error
After synchronising the image from the WLC, the AP reports an error while extracting it:
```
extracting ap1g2-k9w8-mx.153-3.JD16/img_sign_rel.cert (1375 bytes)
extracting info.ver (291 bytes)!
*Oct 25 11:00:00.681: Currently running a Release Image
*Oct 25 11:00:00.777: Using SHA-2 signed certificate for image signing validation.
*Oct 25 11:00:00.861: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 4E78A210000000000007) has expired. Validity period ended on 21:43:46 UTC Dec 4 2022
*Oct 25 11:00:00.861: Image signing certificate validation failed (1A).
*Oct 25 11:00:00.861: Failed to validate signature
*Oct 25 11:00:00.861: Digital Signature Failed Validation (flash:/update/ap1g2-k9w8-mx.153-3.JD16/final_hash)
*Oct 25 11:00:00.861: AP image integrity check FAILED
Aborting Image Download
*Oct 25 11:00:02.673: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:169 Pkt too old last_seq_num : 10109,Received sequence num: 1 distance: -10108
```
The key pieces of information are:
- Certificate chain validation failed
- The certificate (SN: 4E78A210000000000007) has expired; its validity period ended on 4 Dec 2022 at 21:43:46 UTC
- Signature validation failed
- AP image integrity check failed
# Solution
From the basic information, the WLC's system time is in 2023, clearly past the end of the validity period, and the LAP, which synchronises its time from the WLC, is also in 2023. So we need to set the WLC's time back to before the validity period ended.
```
(Cisco Controller) >config time manual 10/10/22 10:10:10
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >show time
Time............................................. Mon Oct 10 10:10:12 2022
Timezone delta................................... 0:0
Timezone location................................
NTP Servers
    NTP Polling Interval......................... 600
     Index     NTP Key Index     NTP Server     Status     NTP Msg Auth Status
    -------    ----------------------------------------------------------------------------------------------
```
After the adjustment, check that the AP's time has synchronised; the image is downloaded and extracted again successfully, and the AP completes registration and image synchronisation.
```
APa0ec.xxx1.xxx5#sho clock
*10:25:18.203 UTC Mon Oct 10 2022
APa0ec.xxx1.xxx5#
extracting ap1g2-k9w8-mx.153-3.JD16/html/level/15/officeExtendapEvent.shtml.gz (988 bytes)!
extracting ap1g2-k9w8-mx.153-3.JD16/img_sign_rel.cert (1375 bytes)
extracting info.ver (291 bytes)!
*Oct 10 10:14:58.085: Currently running a Release Image
*Oct 10 10:14:58.181: Using SHA-2 signed certificate for image signing validation.
*Oct 10 10:14:58.265: Image signing certificate validation succeeded.
*Oct 10 10:14:59.941: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:169 Pkt too old last_seq_num : 10109,Received sequence num: 1 distance: -10108
Deleting current version: flash:/ap1g2-k9w8-mx.153-3.JF15...
Set booting path to recovery image: ''...
*Oct 10 10:15:06.901: AP image integrity check PASSED
done.
New software image installed in flash:/ap1g2-k9w8-mx.153-3.JD16
Configuring system to use new image...done.
archive download: takes 229 seconds
ReIniting the reap config file flash:/lwapp_reap.cfg
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
Writing out the event log to flash:/event.log ...
*Oct 10 10:15:24.793: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.123.123.5:5246
*Oct 10 10:15:25.701: Image upgrade successfully, system is now reloading
*Oct 10 10:15:25.773: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to the reason code 11
*Oct 10 10:15:25.773: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 11
*Oct 10 10:15:25.801: %SYS-5-RELOAD: Reload requested by capwap image download proc. Reload Reason: NEW IMAGE DOWNLOAD.
*Oct 10 10:15:26.061: %LWAPP-5-CHANGED: CAPWAP changed state to DOWN
```
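The diagnosis above (expired image-signing certificate versus WLC clock) and the fix (`config time manual`) can be turned into a small check. The script below is an added example written for this post, not code from the original post or from Cisco: it parses the `%PKI-3-CERTIFICATE_INVALID_EXPIRED` line from the AP console output shown earlier, extracts the certificate serial and the end of its validity period, compares that with the WLC clock you pass in, and prints the `config time manual` command for a date before expiry. The sample log is constructed from the post's output, and the 30-day margin (`CLOCK_MARGIN`) is a chosen assumption, not a Cisco recommendation.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the failing AP's console lines, taken from the
# output shown in this post (the timestamps carry no year; the WLC clock does).
SAMPLE_LOG = """\
extracting ap1g2-k9w8-mx.153-3.JD16/img_sign_rel.cert (1375 bytes)
extracting info.ver (291 bytes)!
*Oct 25 11:00:00.681: Currently running a Release Image
*Oct 25 11:00:00.777: Using SHA-2 signed certificate for image signing validation.
*Oct 25 11:00:00.861: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 4E78A210000000000007) has expired. Validity period ended on 21:43:46 UTC Dec 4 2022
*Oct 25 11:00:00.861: Image signing certificate validation failed (1A).
*Oct 25 11:00:00.861: Failed to validate signature
*Oct 25 11:00:00.861: AP image integrity check FAILED
Aborting Image Download
"""

# Matches the PKI-3 syslog line and captures the certificate serial number
# and the end of its validity period (always printed in UTC on the AP).
EXPIRED_RE = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED:.*?\(SN: (?P<sn>[0-9A-Fa-f]+)\) has expired\. "
    r"Validity period ended on (?P<time>\d{2}:\d{2}:\d{2}) UTC "
    r"(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<year>\d{4})"
)

# Assumption: how far before the certificate expiry to place the clock.
# The post used roughly eight weeks; 30 days is a chosen margin, not a Cisco value.
CLOCK_MARGIN = timedelta(days=30)


def parse_expiry(log_text):
    """Return (serial, expiry as an aware UTC datetime), or None if no PKI-3 line."""
    m = EXPIRED_RE.search(log_text)
    if m is None:
        return None
    stamp = f"{m.group('time')} {m.group('mon')} {m.group('day')} {m.group('year')}"
    expiry = datetime.strptime(stamp, "%H:%M:%S %b %d %Y").replace(tzinfo=timezone.utc)
    return m.group("sn"), expiry


def config_time_command(when):
    """Format the AireOS 'config time manual MM/DD/YY HH:MM:SS' command for a datetime."""
    return when.strftime("config time manual %m/%d/%y %H:%M:%S")


def diagnose(log_text, wlc_clock_iso):
    """Classify an AP image-download log against the WLC clock (ISO 8601 string).

    The result holds only strings and booleans so it is easy to assert on.
    """
    wlc_clock = datetime.fromisoformat(wlc_clock_iso)
    if wlc_clock.tzinfo is None:
        wlc_clock = wlc_clock.replace(tzinfo=timezone.utc)
    result = {
        "integrity_failed": "AP image integrity check FAILED" in log_text,
        "cert_expired": False,
        "serial": None,
        "expiry": None,
        "clock_past_expiry": None,
        "suggested_command": None,
    }
    found = parse_expiry(log_text)
    if found is None:
        return result
    serial, expiry = found
    result["cert_expired"] = True
    result["serial"] = serial
    result["expiry"] = expiry.isoformat()
    result["clock_past_expiry"] = wlc_clock >= expiry
    if result["clock_past_expiry"]:
        # Clock is past the signing certificate's validity: propose a manual
        # time before expiry, as the post did, so the signature check passes.
        result["suggested_command"] = config_time_command(expiry - CLOCK_MARGIN)
    return result


if __name__ == "__main__":
    # WLC clock in 2023, as in the post (the AP log itself prints no year).
    print(diagnose(SAMPLE_LOG, "2023-10-25T11:00:00+00:00"))
```

The check keys on the certificate's validity end rather than on the `integrity check FAILED` string alone, because the integrity failure is only the symptom: an image whose `final_hash` signature fails for any other reason will not produce the `%PKI-3-CERTIFICATE_INVALID_EXPIRED` line, and moving the clock would not help there. Note that a rolled-back clock relaxes expiry checking for every certificate the WLC and APs evaluate, not just the image-signing one, so once the APs have finished the image sync the time (or NTP) should be put back.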
# References
https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
Study hard and make progress every day!