If you ever need to access an HTTPS site from a Cisco router running IOS, whether through the copy command, the TR-069 client or the DDNS HTTP client, the request won't go through, because the router cannot validate the SSL/TLS certificate (chain) presented by the server: out of the box it holds no trusted root CA certificates to validate it against.
Set up the trustpool policy:
Router(config)# crypto pki trustpool policy
Router(ca-trustpool)# cabundle url http://www.cisco.com/security/pki/trs/ios.p7b
Router(ca-trustpool)# chain-validation
Router(ca-trustpool)# revocation-check none
Router(ca-trustpool)# storage flash:/pki/trs
- Make sure you have DNS servers configured:
Router# show ip dns view
- Enable DNS lookup:
Router(config)# ip domain-lookup
- Download and import the root CA bundle from Cisco to your router:
Router(config)# crypto pki trustpool import clean url http://www.cisco.com/security/pki/trs/ios.p7b
Why does IPv6 matter here? Cisco routers do an AAAA lookup regardless of IPv6 connectivity, and www.cisco.com resolves to an IPv6 address.
There are a couple of workarounds when your DNS server answers AAAA queries but you do not have IPv6 connectivity:
- Download the ios.p7b file from the URL above on another machine and upload it to your device.
- Disable domain-lookup, create an ip host entry with the IPv4 address of www.cisco.com, then issue the copy http command to download the ios.p7b file.
- Consider adding free IPv6 connectivity using https://tunnelbroker.net
Once the file is on flash, import it from there instead of from the URL:
Router(config)# crypto pki trustpool import clean url flash:/ios.p7b
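The second workaround written out as one complete session, added here as an example rather than taken from the original post. The IPv4 address 192.0.2.10 is a placeholder (TEST-NET-1); substitute the address your own resolver returns for www.cisco.com. The final show command confirms the bundle actually landed in the trustpool.

```cisco
! Added example: pin www.cisco.com to an IPv4 address so the copy does not
! stall on the AAAA answer. 192.0.2.10 is a placeholder, not Cisco's address.
Router# configure terminal
Router(config)# no ip domain-lookup
Router(config)# ip host www.cisco.com 192.0.2.10
Router(config)# end
! Fetch the bundle to flash over HTTP using the static host entry
Router# copy http://www.cisco.com/security/pki/trs/ios.p7b flash:/ios.p7b
! Import the bundle from flash into the trustpool
Router# configure terminal
Router(config)# crypto pki trustpool import clean url flash:/ios.p7b
! Remove the static entry and restore normal name resolution once the import is done
Router(config)# no ip host www.cisco.com 192.0.2.10
Router(config)# ip domain-lookup
Router(config)# end
! Verify the CA certificates are now present in the trustpool
Router# show crypto pki trustpool
```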