This article describes an issue where Pulse One certificate installation or re-installation via serial console fails with error "Error: Existing CA bundle does not match certificate, unable to get issuer certificate"
Problem or Goal
After upgrading to Pulse One (On-Premise) 2.0.1808 and above, certificate installation may fail with the following message:
Error: Existing CA bundle does not match certificate, unable to get issuer certificate
This message did not appear from Pulse One 2.0.1743 and below.
This issue occurs due to a behavior change in Pulse One 2.0.1808 and above to validate the certificate chain prior to installing any device certificate.
From Pulse One 2.0.1808 and above, the validation of the certificate chain up to its root CA is required. If a certificate is missing from the CA-Bundle to the root CA, the error will be shown. In the past versions, this is not fully enforced during installation or re-installation of the certificate, and would not produce an error.
Customer should check the certificate and ca-bundle and ensure that trust is complete to root CA.