Troubleshooting for EST

Overview

This section helps you troubleshoot common problems that you might encounter when using the EST functions of the CA, such as adding an EST setting, enrolling a certificate, obtaining the CA certificate, and re-enrolling a certificate.

Supported Web Browsers

Browser | Version | Notes
Firefox | Till latest (Version 84.0.4147.135) | NA
Chrome | Till latest (Version 80.0) | NA
IE | Limited support in 9, full support from 10+ | No support for IE9 post-AppViewX Version 11.0
Safari | Till latest (Windows - Version 5.1.7, macOS - Version 13.1.2) | From AppViewX Version 11.1
Opera | Till latest (Version 70) | From AppViewX Version 11.1

Supported Devices

Device | OS | Resolution
Desktop | Windows | 1024 X 768 onwards, 1366x768, 1920x1080, Higher
Desktop | Linux | 1024 X 768 onwards, 1366x768, 1920x1080, Higher
Desktop | Mac | 1024 X 768 onwards, 1366x768, 1920x1080, Higher
iPad | iOS | 1024 X 768

Supported EST Clients

  • Cisco Routers

  • Libest client

Issues in adding and checking EST settings

Issues in EST setting Addition

  1. Log in to the AppViewX application with valid credentials.
  2. From the left pane, expand the menu and click CERT+.
    The Server Certificate page is displayed.
  3. From the left pane, expand Administration and select Auto Enrollment.
  4. Click EST.
    The Auto Enrollment EST page is displayed.
  5. Click Add.
  6. After the settings are added, click Check to verify that they are valid.

Error Messages

Error Message: Agent name already added. Please enter a different name.
Possible Cause: An EST setting with the same name already exists on the EST page.
Possible Solution: Check the EST setting name; it must be unique.

Error Message:
  1. This field should not be null or empty.
  2. Mandatory Field(s) - <Field name> is/are empty.
Possible Cause: Some of the mandatory fields might be missing or might be invalid.
Possible Solution: Add valid information for all fields in the mandatory section.

Error Message: EST setting is invalid - Agent ip is not reachable
Possible Cause: The EST agent IP and port provided might not be accessible from the AppViewX node.
Possible Solution: Check the IP and port provided so that the agent can be pinged from the AppViewX node.

Error Message: EST setting is invalid - Certificate does not belong to the selected CA.
Possible Cause: The issuer certificate provided does not belong to the CA that is selected.
Possible Solution: Check whether the selected issuer certificate belongs to the CA that was selected earlier.

Issues in auto-enrolling certificate via EST

Note: From the client machine, make the auto-enroll call using the AppViewX EST server URL that is displayed on the EST setting page.

Error Message: No agent settings found for the provided agent ip address (OR) Agent settings is not found
Possible Cause: The provided agent IP or agent name is not found in the EST settings.
Possible Solution: Check the agent IP and agent name set on the client machine.

Error Message: Client certificate authentication failed since no client certificate content is obtained
Possible Cause: The client certificate is not set in the enroll request from the client machine.
Possible Solution:
  1. Check whether the client certificate and key are set in the enroll certificate request.
  2. If the provided certificate is a PFX or PKCS12 certificate, check whether the provided password is correct.

Error Message: Provided client certificate is not valid.
Possible Cause: The provided client certificate might be expired or revoked.
Possible Solution: Provide a valid certificate in the enrollment request.

Error Message: HTTP authentication failed due to invalid parameters provided.
Possible Cause: The HTTP authentication parameters provided might be invalid.
Possible Solution:
  1. Check the password in BASIC authentication.
  2. Check the nonce and other parameters in DIGEST authentication.

Error Message: CA certificate is not found
Possible Cause: The issuer certificate of the selected "server certificate" might have been deleted, or the server certificate has been deleted.
Possible Solution: Check that the issuer certificate and its own issuer certificate are available in the inventory.

Error Message: Unable to establish connection with EST server.
Possible Cause: There might be an issue with reaching the AppViewX EST agent IP from the client.
Possible Solution:
  1. Check whether the EST agent IP is reachable from the client machine.
  2. Check whether the EST agent IP is open and accessible.

Error Message: Group policy does not have the given hash function
Possible Cause: The requested hash function in the CSR parameters may not be available in the selected policy.
Possible Solution:
  1. Navigate to the policy page.
  2. Select the CA used in the EST setting.
  3. In the hash function field, include the requested and missing hash functions.
  4. Save the CA details and update the policy.

Error Message: Unable to submit the CSR request to certificate authority
Possible Cause: Failure due to specific CA functionality.
Possible Solution: Check the logs and the failed work order for the reason for the submission failure.

Error Message: Unable to submit the CSR request to certificate authority - For MSCA
Possible Cause: There might be an error in the work order log - “Denied due to policy module”.
Possible Solution: Check the bit length in the CSR parameters; if it is less than or equal to 1024, increase it in the CSR.

Error Message: CSR parameters already exists
Possible Cause: There might be another CSR already present in the inventory for which certificates have not been issued.
Possible Solution:
  1. Delete the previous CSR present in the inventory and try enrolling again.
  2. Connect to the database and update the entry as given below:

    db.cert_metadata.update({"_id": "DO_CSR_PARAMS_UNIQUENESS_CHECK"}, {$set: {"constant": "no"}})

Note: This would allow multiple CSRs with the same parameters in the certificate inventory.
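
The two CSR-related errors above (a hash function missing from the policy, and MSCA denying keys of 1024 bits or less) can be caught on the client before the enroll or re-enroll call. The script below is an added example, not AppViewX code: it relies on the openssl command line, and the hash allow-list, the sample subject name and the function names are assumptions.

```shell
#!/bin/sh
# Pre-flight check of a CSR before the EST enroll or re-enroll call.
# Assumptions (not from AppViewX): ALLOWED_HASHES stands in for the hash
# functions configured in the CA policy; function names are illustrative.
WEAK_BITS=1024                          # the page: 1024 bits or less is denied
ALLOWED_HASHES="sha256 sha384 sha512"   # hypothetical policy list

csr_text() { openssl req -in "$1" -noout -text 2>/dev/null; }

# Print the public key size in bits, e.g. 2048.
csr_bits() {
    csr_text "$1" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the signature digest in lower case, e.g. sha256.
csr_hash() {
    csr_text "$1" | sed -n 's/.*Signature Algorithm: *//p' | head -n 1 |
        tr '[:upper:]' '[:lower:]' | sed -n 's/.*\(sha[0-9][0-9]*\).*/\1/p'
}

# Return 0 when the CSR passes both checks, 1 otherwise; print the findings.
check_csr() {
    rc=0
    bits=$(csr_bits "$1")
    hash=$(csr_hash "$1")
    if [ -z "$bits" ] || [ -z "$hash" ]; then
        echo "FAIL: cannot read key size or hash from $1"
        return 1
    fi
    # The size threshold is meant for RSA keys; EC key sizes are not comparable.
    if csr_text "$1" | grep -q 'rsaEncryption' && [ "$bits" -le "$WEAK_BITS" ]; then
        echo "FAIL: RSA key is $bits bits, increase it above $WEAK_BITS"
        rc=1
    fi
    case " $ALLOWED_HASHES " in
        *" $hash "*) ;;
        *) echo "FAIL: hash $hash is not in the policy list"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "OK: $bits-bit key signed with $hash"; fi
    return "$rc"
}

# Constructed sample input: write a throwaway RSA CSR (args: BITS DIGEST OUTFILE).
make_sample_csr() {
    openssl req -new -newkey "rsa:$1" -nodes "-$2" -subj "/CN=est-sample.example" \
        -keyout "$3.key" -out "$3" 2>/dev/null
}

if [ "$#" -gt 0 ]; then check_csr "$1"; fi
```

Run it with the CSR file as the only argument; a non-zero exit status means the CSR would likely hit one of the two errors.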

Issues in obtaining CA certificate via EST

Note: From the client machine, make the get CA certificate call using the AppViewX EST server URL that is displayed on the EST setting page.

Error Message: No agent settings found for the provided agent ip address (OR) Agent settings is not found
Possible Cause: The provided agent IP or agent name is not found in the EST settings.
Possible Solution: Check the agent IP and agent name set on the client machine.

Error Message: Client certificate authentication failed since no client certificate content is obtained
Possible Cause: The client certificate is not set in the get CA request from the client machine.
Possible Solution:
  1. Check whether the client certificate and key are set in the “get ca certificate request”.
  2. If the provided certificate is a PFX or PKCS12 certificate, check whether the provided password is correct.

Error Message: Provided client certificate is not valid.
Possible Cause: The provided client certificate might be expired or revoked.
Possible Solution: Provide a valid certificate in the get CA certificate request.

Error Message: HTTP authentication failed due to invalid parameters provided.
Possible Cause: The HTTP authentication parameters provided might be invalid.
Possible Solution:
  1. Check the password in BASIC authentication.
  2. Check the nonce and other parameters in DIGEST authentication.

Error Message: CA certificate is not found
Possible Cause: The issuer certificate of the selected "server certificate" might have been deleted, or the server certificate has been deleted.
Possible Solution: Check that the issuer certificate and its own issuer certificate are available in the inventory.

Error Message: Unable to establish connection with EST server.
Possible Cause: There might be an issue with reaching the AppViewX EST agent IP from the client.
Possible Solution:
  1. Check whether the EST agent IP is reachable from the client machine.
  2. Check whether the EST agent IP is open and accessible.

Issues in auto re-enrolling certificate via EST

Note: From the client machine, make the auto re-enroll call using the AppViewX EST server URL that is displayed on the EST setting page.

Error Message: No agent settings found for the provided agent ip address (OR) Agent settings is not found
Possible Cause: The provided agent IP or agent name is not found in the EST settings.
Possible Solution: Check the agent IP and agent name set on the client machine.

Error Message: Client certificate authentication failed since no client certificate content is obtained
Possible Cause: The client certificate is not set in the re-enroll request from the client machine.
Possible Solution:
  1. Check whether the client certificate and key are set in the re-enroll certificate request.
  2. If the provided certificate is a PFX or PKCS12 certificate, check whether the provided password is correct.

Error Message: Provided client certificate is not valid.
Possible Cause: The provided client certificate might be expired or revoked.
Possible Solution: Provide a valid certificate in the re-enroll request.

Error Message: HTTP authentication failed due to invalid parameters provided.
Possible Cause: The HTTP authentication parameters provided might be invalid.
Possible Solution:
  1. Check the password in BASIC authentication.
  2. Check the nonce and other parameters in DIGEST authentication.

Error Message: CA certificate is not found
Possible Cause: The issuer certificate of the selected "server certificate" might have been deleted, or the server certificate has been deleted.
Possible Solution: Check that the issuer certificate and its own issuer certificate are available in the inventory.

Error Message: Unable to establish connection with EST server.
Possible Cause: There might be an issue with reaching the AppViewX EST agent IP from the client.
Possible Solution:
  1. Check whether the EST agent IP is reachable from the client machine.
  2. Check whether the EST agent IP is open and accessible.

Error Message: Group policy does not have the given hash function
Possible Cause: The requested hash function in the CSR parameters may not be available in the selected policy.
Possible Solution:
  1. Navigate to the policy page.
  2. Select the CA used in the EST setting.
  3. In the hash function field, include the requested and missing hash functions.
  4. Save the CA details and update the policy.

Error Message: Unable to submit the CSR request to certificate authority
Possible Cause: Failure due to specific CA functionality.
Possible Solution: Check the logs and the failed work order for the reason why the submission failed.

Error Message: Unable to submit the CSR request to certificate authority - For MSCA
Possible Cause: There might be an error in the work order log - “Denied due to policy module”.
Possible Solution: Check the bit length in the CSR parameters; if it is less than or equal to 1024, increase it in the CSR.

Error Message: CSR parameters already exists
Possible Cause: There might be another CSR already present in the inventory for which certificates have not been issued.
Possible Solution:
  1. Delete the previous CSR present in the inventory and try enrolling.
  2. Connect to the database and update the entry as mentioned below:

    db.cert_metadata.update({"_id": "DO_CSR_PARAMS_UNIQUENESS_CHECK"}, {$set: {"constant": "no"}})

Note: This would allow multiple CSRs with the same parameters in the certificate inventory.

Error Message: Enrolled Certificate is not found
Possible Cause: While renewing the enrolled certificate, the enrolled certificate might not be present in the certificate inventory.
Possible Solution:
  1. Check if the enrolled certificate is present in the certificate inventory.
  2. Check if the enrolled certificate provided in the "renew request" is a valid one and is already enrolled in AppViewX.
  3. If the enrolled certificate is not present in the inventory, check if the authentication certificate is in the certificate inventory.