THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|
IOS XE SD-WAN Software | 17 | 17.3.x, 17.4.x, 17.5.x, 17.6.x, 17.7.x, 17.8.x, 17.9.1, 17.9.2, 17.9.3, 17.9.4, 17.9.5, 17.10.x, 17.11.x, 17.12.1, 17.12.2, 17.12.3, 17.13.x | |
Defect ID | Headline |
---|---|
CSCwi43360 | Cert expiry on Sept 2024 for DNS Security registration to Umbrella cloud |
The SSL digital certificate that is used by Cisco Catalyst SD-WAN Routers to register with Cisco Umbrella DNS expires on September 30, 2024. Cisco SD-WAN Routers with the expired certificate will fail to register with the Cisco Umbrella DNS service. The result of this failure is that all subsequent client DNS requests will be dropped.
The Cisco Umbrella DNS security solution uses digital certificates during the SSL handshake process to establish secure HTTPS connections. For DNS security, the SSL certificate facilitates device registration. The current SSL certificate on affected Cisco SD-WAN Routers expires on September 30, 2024.
This problem affects the following Cisco products if they are running an affected Cisco IOS XE Software release and if they are in SD-WAN Controller mode:
This problem also affects these devices if they are running in Autonomous mode and are configured to use the Cisco Umbrella API with API keys for registration.
Note: Devices that are running Cisco IOS XE Software Release 17.14.1 or later are not affected, regardless of operating mode. These newer software releases already contain the updated digital certificate.
Affected devices will fail to establish secure connections with the Cisco Umbrella DNS service and then DNS registration will fail.
After registration fails, DNS capability is not available on Cisco routers that are running Cisco IOS XE SD-WAN Software. All DNS requests from clients fail. Without an available DNS service, client devices will experience a variety of network reachability failures, such as websites and cloud services becoming unreachable.
Note: Devices that are configured for Cisco Umbrella DNS Security that are already in operation will not be impacted until reboot. The expired certificate is used only during device registration with the Cisco Umbrella DNS service, not for individual DNS requests. Device registration occurs when the Cisco Umbrella DNS service is initially configured or when the configured device is rebooted.
Solution
Affected devices must have the affected certificate replaced with a new, unexpired certificate. The new certificate is valid until the year 2035. Customers who do not currently use Cisco Umbrella DNS, but who expect to deploy it in the future, can replace the affected certificate by upgrading the Cisco SD-WAN Router software to a release that contains the new certificate. The new certificate is installed automatically during the upgrade. Devices that are running Cisco IOS XE Software Release 17.14.1 or later already contain the updated digital certificate.
For affected devices, the ISRG Root X1 certificate must be downloaded and installed. The installation method depends on the software release that is installed on the affected device.
The certificate can be downloaded from https://letsencrypt.org/certs/isrgrootx1.pem
Complete the following installation instructions that correspond to the software release currently installed on the affected device.
Download the new certificate from https://letsencrypt.org/certs/isrgrootx1.pem
scp ./isrgrootx1.pem admin@<EdgeIP>:bootflash:trustidrootx3_ca.ca
Substitute <EdgeIP> with the IP address of the affected router.
Alternatively, the new ISRG Root X1 root certificate can be downloaded to Cisco vManage and copied to each affected router. It is not possible to copy the new certificate directly into the router bootflash with this method. Instead, the new certificate must be copied into a temporary directory first and then copied into the final bootflash location while logged into the router.
vManage# vshell
vManage:~$ pwd
/home/admin
wget https://letsencrypt.org/certs/isrgrootx1.pem --no-check-certificate
scp -P 830 isrgrootx1.pem admin@<EdgeIP>:/bootflash/sdwan/trustidrootx3_ca.ca
Substitute <EdgeIP> with the IP address of the affected router.
Log in to the affected router.
Enter the copy CLI command to copy the new certificate from the temporary location into bootflash.
router# copy bootflash:/sdwan/trustidrootx3_ca.ca bootflash:
Destination filename [trustidrootx3_ca.ca]?
Enter the delete CLI command to remove the certificate file from the temporary location.
router# delete bootflash:/sdwan/trustidrootx3_ca.ca
Download the new certificate from https://letsencrypt.org/certs/isrgrootx1.pem
scp ./isrgrootx1.pem admin@<EdgeIP>:bootflash:trustidrootx3_ca_092024.ca
Substitute <EdgeIP> with the IP address of the affected router.
Alternatively, the new ISRG Root X1 root certificate can be downloaded to Cisco vManage and copied to each affected router. It is not possible to copy the new certificate directly into the router bootflash with this method. Instead, the new certificate must be copied into a temporary directory first and then copied into the final bootflash location while logged into the router.
vManage# vshell
vManage:~$ pwd
/home/admin
wget https://letsencrypt.org/certs/isrgrootx1.pem --no-check-certificate
scp -P 830 isrgrootx1.pem admin@<EdgeIP>:/bootflash/sdwan/trustidrootx3_ca_092024.ca
Substitute <EdgeIP> with the IP address of the affected router.
Log in to the affected router.
Enter the copy CLI command to copy the new certificate from the temporary location into bootflash.
router# copy bootflash:/sdwan/trustidrootx3_ca_092024.ca bootflash:
Destination filename [trustidrootx3_ca_092024.ca]?
Enter the delete CLI command to remove the certificate file from the temporary location.
router# delete bootflash:/sdwan/trustidrootx3_ca_092024.ca
Download the new certificate from https://letsencrypt.org/certs/isrgrootx1.pem
Verify the Certificate File: Use the dir CLI command to ensure the new certificate file is indeed present on the bootflash and the filename is correct.
Router# dir bootflash:isrgrootx1.pem
This command will list the file if it exists, along with its size and other details.
Configure a Trustpoint: If one is not already present, create a trustpoint that will be used to store the certificate.
Router# configure terminal
Router(config)# crypto pki trustpoint MY_TRUSTPOINT_NAME
Router(config-trustpoint)# enrollment terminal
Router(config-trustpoint)# exit
Router(config)# exit
Router#
Replace MY_TRUSTPOINT_NAME with the name you want to assign to your trustpoint.
Import the Certificate: Import the certificate file into the trustpoint.
Router# crypto pki import MY_TRUSTPOINT_NAME certificate bootflash:isrgrootx1.pem
This command tells the router to import the certificate file isrgrootx1.pem from the bootflash into the trustpoint named MY_TRUSTPOINT_NAME.
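The download steps in every method above, including the vManage wget with --no-check-certificate, put a new trust anchor onto routers without checking what was actually fetched. The following is an added example, not part of this field notice or of any Cisco tooling, of a pre-install check to run on the workstation or in the vManage vshell before the scp step; it assumes the openssl CLI and GNU date are available, and EXPECTED_SHA256_FP is a placeholder to be filled from a source you already trust, since the notice publishes no fingerprint.

```sh
#!/bin/sh
# Added example, not from the Cisco field notice: sanity-check a downloaded root CA
# PEM before copying it to routers as the Umbrella registration trust anchor.
# Assumes: openssl CLI, GNU date. EXPECTED_SHA256_FP is a placeholder (the notice
# publishes no fingerprint); leave it empty to skip pinning.
EXPECTED_SHA256_FP="${EXPECTED_SHA256_FP:-}"   # e.g. "AB:CD:...:EF" from a trusted source

# check_root_ca <pem-file> <expected-CN> <deadline YYYY-MM-DD>
# Prints one verdict line; returns 0 to accept the file, 1 to reject it.
check_root_ca() {
    pem=$1; want_cn=$2; deadline=$3

    # 1. It must parse as a PEM X.509 certificate at all.
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "REJECT $pem: not a PEM X.509 certificate"; return 1
    fi

    # 2. A root anchor is self-signed: subject and issuer must be identical.
    subj=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    if [ "$subj" != "$iss" ]; then
        echo "REJECT $pem: not self-signed (issuer is $iss)"; return 1
    fi

    # 3. The CN must be the anchor we intended to install (ISRG Root X1 here).
    cn=$(printf '%s\n' "$subj" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$want_cn" ]; then
        echo "REJECT $pem: subject CN is '$cn', expected '$want_cn'"; return 1
    fi

    # 4. It must still be valid after the day the old anchor stops working.
    #    -checkend takes seconds from now, so turn the deadline into an offset.
    secs=$(( $(date -u -d "$deadline 23:59:59" +%s) - $(date -u +%s) ))
    [ "$secs" -lt 0 ] && secs=0
    if ! openssl x509 -in "$pem" -noout -checkend "$secs" >/dev/null; then
        echo "REJECT $pem: expires on or before $deadline"; return 1
    fi

    # 5. Optional: pin the SHA-256 fingerprint obtained out of band.
    if [ -n "$EXPECTED_SHA256_FP" ]; then
        fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 | sed 's/^.*=//')
        if [ "$fp" != "$EXPECTED_SHA256_FP" ]; then
            echo "REJECT $pem: fingerprint $fp does not match the pinned value"; return 1
        fi
    fi

    echo "OK $pem: $subj, valid past $deadline"
    return 0
}
```

Example call: `check_root_ca ./isrgrootx1.pem "ISRG Root X1" 2024-09-30` accepts only a self-signed ISRG Root X1 certificate that outlives the expiry date given in this notice.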
Version | Description | Section | Date |
---|---|---|---|
1.0 | Initial Release | — | 2024-JUL-30 |
For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:
To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications.