[cisco-voip] Resolving Sectigo root expiration affecting MRA

Anthony Holloway avholloway+cisco-voip at gmail.com
Wed Jun 3 10:01:40 EDT 2020


Actually, I'm starting to think on this some more. I think it might be
because of two facts, but please confirm:

1) You signed your C certs with a public CA which leverages these expired
CA certs
2) You enabled TLS verification between CUCM and C (both MRA and B2B?)

I don't typically see encryption on the inside like this, though I do see
it mentioned in the steps for MRA as if it were a requirement (e.g., how it
says to copy the names of the phone sec prof for the cert). Though, I also
don't see a lot of B2B deployments where you might want E2E encryption
either.

On Wed, Jun 3, 2020 at 8:28 AM Anthony Holloway <
avholloway+cisco-voip at gmail.com> wrote:

> Hunter,
>
> I might be exposing a gap in my knowledge here, but why did you need these
> certs on CUCM?
>
> Cisco has now published a troubleshooting guide for this issue, and the
> article does not mention modifying CUCM cert store.
>
>
> https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/215561-troubleshooting-expressway-mra-login-and.html
>
> On Sat, May 30, 2020 at 7:02 PM Hunter Fuller <hf0002 at uah.edu> wrote:
>
>> All,
>>
>> If you use certs whose trust is derived from the Sectigo root that
>> expired today, and your MRA isn’t working, I’ll try to save you a call to
>> TAC.
>>
>> Do all of these things:
>>
>>  - Load the new intermediates and root into callmanager-trust and
>> tomcat-trust on all your UCMs
>>  - restart tomcat, tftp, and callmanager on those boxes
>>  - load the new intermediates and root into the CA trust store on all
>> expressways
>>  - reboot the Expressway-Es
>>
>> If you need more detail or help, let me know, we just got off the phone
>> with TAC. Hope it helps.
>>
>> --
>>
>> --
>> Hunter Fuller (they)
>> Router Jockey
>> VBH Annex B-5
>> +1 256 824 5331
>>
>> Office of Information Technology
>> The University of Alabama in Huntsville
>> Network Engineering
>
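
A pre-upload check for the trust-store steps quoted above, as an added example that is not part of the original thread or any Cisco tooling: it splits a PEM bundle (for instance the intermediates and root about to be loaded into a trust store) into individual certificates and flags any that are expired or will expire within a chosen horizon. The function name `check_bundle` and the bundle path are assumptions; the `openssl` CLI must be installed.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: check_bundle BUNDLE.pem [HORIZON_SECONDS]
# Prints one line per certificate: STATUS<TAB>notAfter<TAB>subject
# Returns 0 if every cert outlives the horizon, 1 if any is flagged, 2 on bad input.
check_bundle() {
    bundle=$1
    horizon=${2:-0}          # 0 = flag only certificates that are already expired
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    tmpdir=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate, ignoring text between blocks.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"

    flagged=0; count=0
    for pem in "$tmpdir"/cert*.pem; do
        [ -e "$pem" ] || break          # glob did not match: no certificates found
        count=$((count + 1))
        subject=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
        end=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
        # -checkend N exits non-zero if the cert expires within N seconds.
        if openssl x509 -in "$pem" -noout -checkend "$horizon" >/dev/null; then
            status=OK
        else
            status=EXPIRING; flagged=$((flagged + 1))
        fi
        printf '%s\t%s\t%s\n' "$status" "$end" "$subject"
    done

    rm -rf "$tmpdir"
    [ "$count" -gt 0 ] || { echo "no certificates found in $bundle" >&2; return 2; }
    [ "$flagged" -eq 0 ]
}
```

Running it against the chain file before loading it into a trust store shows at a glance whether an expired CA certificate is still in the bundle.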