[cisco-voip] Finesse cert error
Abhiram Kramadhati (akramadh)
akramadh at cisco.com
Tue May 2 21:01:55 EDT 2017
Hi Scott,
Yes. But before that, are you able to share the screenshot of your certificate and the error too? You can unicast them, if you wish. I just want to make sure I am making the right recommendation.
Regards,
Abhiram Kramadhati
Technical Solutions Manager, CCBU
CCIE Collaboration # 40065
From: Scott Voll <svoll.voip at gmail.com>
Date: Saturday, 29 April 2017 at 12:12 AM
To: "Abhiram Kramadhati (akramadh)" <akramadh at cisco.com>
Cc: Nathan Reeves <nathan.a.reeves at gmail.com>, "cisco-voip at puck.nether.net" <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] Finesse cert error
So is it only the Tomcat cert I need to reissue? If I reissue, does it affect any other systems (such as CM)?
Just need to schedule maintenance.
TIA
Scott
On Fri, Apr 28, 2017 at 4:25 AM, Abhiram Kramadhati (akramadh) <akramadh at cisco.com> wrote:
Hi guys,
The certificate should contain subjectAltName (SAN), and you should not have any issues. If you were using CN, ensure it is now in the SAN. The same is documented here: https://productforums.google.com/forum/#!msg/chrome/5f1Kp_ntUwU/CfER8_JKDwAJ
The team looked at this today and for CA signed certificates with the above config, there are no issues on the latest Chrome/FF. If you are still facing issues, can you send me the screenshot and details?
Regards,
Abhiram Kramadhati
Technical Solutions Manager, CCBU
CCIE Collaboration # 40065
From: cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of Nathan Reeves <nathan.a.reeves at gmail.com>
Date: Friday, 28 April 2017 at 4:04 AM
To: Scott Voll <svoll.voip at gmail.com>
Cc: "cisco-voip at puck.nether.net" <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] Finesse cert error
Chrome stopped supporting Common Name matching in the latest release 58 which dropped in the last week or so. This would cause the error you referenced below. Looks like it now only supports names in the subjectAlternativeName field of the cert.
Hope this assists
Nathan
On Thursday, April 27, 2017, Scott Voll <svoll.voip at gmail.com> wrote:
OK, as of yesterday I started having reports of users in Chrome and Firefox getting an error connecting to the Finesse webpage.
Looking at the cert, it's SHA-2, but I get "Not secure" in FF and "not private" in Chrome.
Chrome complains of NET::ERR_CERT_COMMON_NAME_INVALID
The cert is from an internal CA, the signature algorithm is Sha512RSA, and the hash is SHA512.
The only thing that looks a little questionable is in the subject: I also have the serial number, and the hostname is in caps, not lower case.
UCCx 11.5.1.10000-61
Any thoughts?
TIA
Scott
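
An added example, not part of the original thread: a sketch of the check the replies describe, classifying a certificate as accepted by a SAN-only client, matching only through the Common Name (the NET::ERR_CERT_COMMON_NAME_INVALID case), or not matching at all. The host names and certificate contents are constructed, and the dictionaries follow the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
# Added example. Cert dicts use the shape returned by ssl.SSLSocket.getpeercert().
# All names and certificate contents below are constructed for illustration.

def dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p == h:
        return True
    return p[0] == "*" and len(p) > 2 and len(p) == len(h) and p[1:] == h[1:]

def san_dns_names(cert):
    """dNSName entries from subjectAltName (empty list when the extension is absent)."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_names(cert):
    """commonName values from the subject; other RDNs such as serialNumber are ignored."""
    return [v for rdn in cert.get("subject", ()) for key, v in rdn if key == "commonName"]

def diagnose(cert, host):
    """Classify how a certificate relates to the host name a browser connected to."""
    if any(dns_match(n, host) for n in san_dns_names(cert)):
        return "ok"        # accepted by clients that only look at subjectAltName
    if any(dns_match(n, host) for n in common_names(cert)):
        return "cn-only"   # name is present only in the CN: reissue with a SAN
    return "mismatch"      # the name appears nowhere in the certificate

# Constructed: subject carries a serialNumber and an upper-case CN, no SAN.
CN_ONLY = {"subject": ((("serialNumber", "0000"),),
                       (("commonName", "FINESSE1.EXAMPLE.INTERNAL"),))}
# Constructed: same subject, reissued with the host name in subjectAltName.
WITH_SAN = dict(CN_ONLY, subjectAltName=(("DNS", "FINESSE1.EXAMPLE.INTERNAL"),))

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("with SAN", WITH_SAN)):
        print(label, "->", diagnose(cert, "finesse1.example.internal"))
```

To run it against a live server, pass the dictionary from `getpeercert()` on a verified connection in place of the constructed samples.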