Cisco WLC upgrade – Image signing certificate validation failed

Just replaced my WLC, and every time I get new hardware I check for the latest software. Yeah, a new version of the 8.x release from Cisco. Not so much "yeah" after the upgrade...

All my Cisco 2702i access points were failing the upgrade. Stuck in downloading.

*Mar 24 19:21:20.559: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
*Mar 24 19:26:18.091: Currently running a Release Image
*Mar 24 19:26:18.111: Using SHA-2 signed certificate for image signing validation.
*Mar 24 19:26:18.179: Image signing certificate validation failed (FFFFFFFF).
*Mar 24 19:26:18.179: Failed to validate signature
*Mar 24 19:26:18.179: Digital Signature Failed Validation (flash:/update/ap3g2-k9w8-mx.153-3.JA3/final_hash)
*Mar 24 19:26:18.179: AP image integrity check FAILED
Aborting Image Download
*Mar 24 19:31:59.239: capwap_image_proc: problem extractin

Been working on this issue all night, upgrading / reverting to old software, and I could always get them back online if I used the same version that was already on the access points. But one access point was doing quite well, working every time. Let's do the old diff.

*Mar 1 00:00:50.895: Currently running a Release Image
validate_sha2_block: Failed to get certificate chain
*Mar 1 00:00:51.315: Using SHA-1 signed certificate for image signing validation.

That gave me a clue: maybe there is something wrong with the certificate chain...
The failing APs were using SHA-2, and the only one that was working was using the SHA-1 fallback...
This time Google pointed me in the right direction...

Cisco Field Notice: FN – 63916

Why on earth I didn't get any hits on that earlier, I have no idea...

After downgrading to 8.0.100.0, then 8.0.104.0 and then 8.0.115.0, my APs are now running smoothly again.

*Mar 24 20:47:20.819: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
*Mar 24 20:52:29.419: Currently running a Release Image
*Mar 24 20:52:29.443: Incorrect certificate in SHA2 PB !
*Mar 24 20:52:29.443: Using SHA-1 signed certificate for image signing validation.
*Mar 24 20:52:29.507: Image signing certificate validation succeeded.
*Mar 24 20:52:36.175: AP image integrity check PASSED
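The "diff" between the failing AP, the one working AP and the post-fix log above comes down to a handful of console lines: which signing certificate the AP used (SHA-2 or the SHA-1 fallback), whether it could build the SHA-2 certificate chain, and whether certificate validation and the integrity check passed. The following script is an added example, not code from the original post or from Cisco: it parses those lines, using the three excerpts quoted in this post as constructed sample input, and flags the pattern that needed the field-notice workaround. The AP names, verdict strings and function names are assumptions made for the example.

```python
"""Classify Cisco AP image-download console output by the signing path it took.

Added example, not part of the original post. Line formats come from the AP
console excerpts quoted in the post; AP names and verdict labels are assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample input: the three console excerpts from the post, keyed by
# assumed AP names.
SAMPLE_LOGS = {
    "ap-failing": """\
*Mar 24 19:21:20.559: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
*Mar 24 19:26:18.091: Currently running a Release Image
*Mar 24 19:26:18.111: Using SHA-2 signed certificate for image signing validation.
*Mar 24 19:26:18.179: Image signing certificate validation failed (FFFFFFFF).
*Mar 24 19:26:18.179: Failed to validate signature
*Mar 24 19:26:18.179: Digital Signature Failed Validation (flash:/update/ap3g2-k9w8-mx.153-3.JA3/final_hash)
*Mar 24 19:26:18.179: AP image integrity check FAILED
Aborting Image Download
""",
    "ap-working": """\
*Mar 1 00:00:50.895: Currently running a Release Image
validate_sha2_block: Failed to get certificate chain
*Mar 1 00:00:51.315: Using SHA-1 signed certificate for image signing validation.
""",
    "ap-after-fix": """\
*Mar 24 20:47:20.819: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
*Mar 24 20:52:29.419: Currently running a Release Image
*Mar 24 20:52:29.443: Incorrect certificate in SHA2 PB !
*Mar 24 20:52:29.443: Using SHA-1 signed certificate for image signing validation.
*Mar 24 20:52:29.507: Image signing certificate validation succeeded.
*Mar 24 20:52:36.175: AP image integrity check PASSED
""",
}

CERT_RE = re.compile(r"Using (SHA-[12]) signed certificate for image signing validation")
CERT_RESULT_RE = re.compile(r"Image signing certificate validation (succeeded|failed)")
INTEGRITY_RE = re.compile(r"AP image integrity check (PASSED|FAILED)")
# Both messages mean the AP could not use its SHA-2 chain for this image.
CHAIN_ERR_MARKERS = ("Failed to get certificate chain", "Incorrect certificate in SHA2 PB")


@dataclass
class ImageCheck:
    cert_algo: Optional[str] = None        # "SHA-2" or "SHA-1", whichever was used
    sha2_chain_broken: bool = False        # AP could not build/verify the SHA-2 chain
    cert_validation: Optional[str] = None  # "succeeded" / "failed"
    integrity: Optional[str] = None        # "PASSED" / "FAILED"
    aborted: bool = False

    @property
    def verdict(self) -> str:
        """Assumed verdict labels summarising the outcome of the download."""
        if self.cert_validation == "failed" or self.integrity == "FAILED" or self.aborted:
            return "download-failed"
        if self.integrity == "PASSED":
            return "passed-via-sha1-fallback" if self.cert_algo == "SHA-1" else "passed"
        if self.cert_algo == "SHA-1":
            return "sha1-fallback-in-progress"
        return "incomplete"


def classify(log_text: str) -> ImageCheck:
    """Walk the console lines once and record the signing path and outcome."""
    result = ImageCheck()
    for line in log_text.splitlines():
        if any(marker in line for marker in CHAIN_ERR_MARKERS):
            result.sha2_chain_broken = True
        elif (m := CERT_RE.search(line)):
            result.cert_algo = m.group(1)
        elif (m := CERT_RESULT_RE.search(line)):
            result.cert_validation = m.group(1)
        elif (m := INTEGRITY_RE.search(line)):
            result.integrity = m.group(1)
        elif "Aborting Image Download" in line:
            result.aborted = True
    return result


def needs_field_notice_workaround(check: ImageCheck) -> bool:
    """The pattern from the post: SHA-2 path taken and validation failed outright,
    with no SHA-1 fallback, is the case that needed the stepped downgrade/upgrade."""
    return check.cert_algo == "SHA-2" and check.cert_validation == "failed"


def report(logs: Dict[str, str]) -> Dict[str, str]:
    """Verdict per AP, for a quick overview across a batch of captured logs."""
    return {name: classify(text).verdict for name, text in logs.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_LOGS.items():
        c = classify(text)
        print(f"{name:14} algo={c.cert_algo} chain_broken={c.sha2_chain_broken} "
              f"cert={c.cert_validation} integrity={c.integrity} -> {c.verdict}")
```

Note what "working" means in these logs: both the one AP that kept working and the APs after the stepped upgrade only pass because the AP fell back to the SHA-1 signing certificate after it could not use the SHA-2 chain, which is exactly what the "Incorrect certificate in SHA2 PB" and "Failed to get certificate chain" lines record.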

One last thing: if you get stuck when trying to upgrade/downgrade your WLC with the following error:
At least one AP is upgrading image, download cannot start
just do a shutdown on all the switch ports your access points are connected to; in other words, disconnect the link between the WLC and the access points. I've been doing it all night and no harm was done! 🙂

By the way, to sum up why my setup went to hell...
Was running WLC 7.6.130: everything worked fine.
Tried upgrading to 8.0.100.0, it failed, didn't find a solution, rolled back to 7.6.130.
Upgraded to 8.0.110.0: all good, happy days...
Got a new WLC, which was preinstalled with 8.0.100.0; all my APs joined and downgraded.
Tried upgrading to 8.0.115.0, and this is where I got stuck...

One Comment

  • John 26/10/2017

    Nice post, I got the same issue.
