[cisco-voip] [External] Re: Resolving Sectigo root expiration affecting MRA

Hunter Fuller hf0002 at uah.edu
Wed Jun 3 12:35:09 EDT 2020


We have a handful of reasons for the certs in CUCM, some to do with MRA,
some not.

 - Users use the Self Care Portal, and some pickier browsers don't like
being sent the wrong root.
 - Something to do with SSO? I was never super clear on this. Either our
SSO IdP didn't trust the cert from UCM or the other way around. We fixed
both at the same time, so I guess I will never know.
 - We are, in fact, checking crypto for all the Expressway tunnels
(ExpE-ExpC tunnel as well as ExpC-CUCM).

Honorable mention:
 - Because it's a bad idea to leave expired certs laying around in there,
and I never know what one of my colleagues may have configured that relies
on the TLS verify working. :)

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Wed, Jun 3, 2020 at 8:28 AM Anthony Holloway <
avholloway+cisco-voip at gmail.com> wrote:

> Hunter,
>
> I might be exposing a gap in my knowledge here, but why did you need these
> certs on CUCM?
>
> Cisco has now published a troubleshooting guide for this issue, and the
> article does not mention modifying CUCM cert store.
>
>
> https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/215561-troubleshooting-expressway-mra-login-and.html
>
> On Sat, May 30, 2020 at 7:02 PM Hunter Fuller <hf0002 at uah.edu> wrote:
>
>> All,
>>
>> If you use certs whose trust is derived from the Sectigo root that
>> expired today, and your MRA isn’t working, I’ll try to save you a call to
>> TAC.
>>
>> Do all of these things:
>>
>>  - Load the new intermediates and root into callmanager-trust and
>> tomcat-trust on all your UCMs
>>  - restart tomcat, tftp, and callmanager on those boxes
>>  - load the new intermediates and root into the CA trust store on all
>> expressways
>>  - reboot the Expressway-Es
>>
>> If you need more detail or help, let me know, we just got off the phone
>> with TAC. Hope it helps.
>>
>> --
>> Hunter Fuller (they)
>> Router Jockey
>> VBH Annex B-5
>> +1 256 824 5331
>>
>> Office of Information Technology
>> The University of Alabama in Huntsville
>> Network Engineering
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>
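Hunter's checklist (load the new intermediates and root into callmanager-trust and tomcat-trust on the UCMs and into the CA trust store on the Expressways) and the "honorable mention" about not leaving expired certs lying around both start from the same question: which entries in a trust store have already expired? The script below is an added example, not code from this thread, from Cisco, or from the list; it is a stdlib-only Python audit that walks a PEM bundle (such as a trust-store export) and lists every certificate whose notAfter has passed. It assumes well-formed DER and parses only what it needs (the validity window and the subject commonName). The sample bundle is constructed in-line from placeholder certificates with no real keys or signatures, and the names and dates in it are made up; `AS_OF` is a constructed "now" matching the thread's date.

```python
"""Audit a PEM bundle (e.g. a trust store exported from CUCM or Expressway) for
certificates that have already expired. Stdlib only: a minimal DER walker is
enough to reach tbsCertificate.validity and the subject commonName."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield the TLVs nested directly inside a constructed element."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def _time(buf, tag, vs, ve):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime."""
    s = buf[vs:ve].decode("ascii")
    if tag == 0x17:  # YYMMDDHHMMSSZ; RFC 5280 rule: YY >= 50 means 19YY, else 20YY
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def _common_name(buf, vs, ve):
    """Return commonName from an X.501 Name: SEQUENCE OF SET OF SEQUENCE {oid, value}."""
    for _, set_s, set_e in _children(buf, vs, ve):
        for _, atv_s, atv_e in _children(buf, set_s, set_e):
            (_, oid_s, oid_e), (_, val_s, val_e) = list(_children(buf, atv_s, atv_e))[:2]
            if buf[oid_s:oid_e] == CN_OID:
                return buf[val_s:val_e].decode("utf-8", "replace")
    return "<no CN>"

def parse_certificate(der):
    """Return (subject_cn, not_before, not_after) for one DER-encoded certificate."""
    _, cert_s, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)    # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields are now: serialNumber, signature, issuer, validity, subject, ...
    _, val_s, val_e = fields[3]
    (nb_tag, nb_s, nb_e), (na_tag, na_s, na_e) = _children(der, val_s, val_e)
    _, subj_s, subj_e = fields[4]
    return (_common_name(der, subj_s, subj_e),
            _time(der, nb_tag, nb_s, nb_e), _time(der, na_tag, na_s, na_e))

def expired_certs(pem_bundle, now):
    """Return [(index, subject_cn, not_after)] for each certificate expired at `now`."""
    found = []
    for i, m in enumerate(PEM_RE.finditer(pem_bundle)):
        der = base64.b64decode("".join(m.group(1).split()))
        cn, _, not_after = parse_certificate(der)
        if not_after <= now:
            found.append((i, cn, not_after))
    return found

# --- Constructed sample input (NOT real certificates): structurally valid DER
# with placeholder key/signature fields, enough to exercise the parser offline. ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _skeleton_cert(cn, not_before, not_after):
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
               + _der(0x30, utc(not_before) + utc(not_after)) + name + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))

def _pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = (_pem(_skeleton_cert("Constructed Expired Root", datetime(2000, 5, 30, 10, 48, 38),
                                     datetime(2020, 5, 30, 10, 48, 38)))
                 + _pem(_skeleton_cert("Constructed Current Root", datetime(2010, 1, 1),
                                       datetime(2038, 1, 1))))
AS_OF = datetime(2020, 6, 3, 12, 35, tzinfo=timezone.utc)  # constructed "now" (thread date)

if __name__ == "__main__":
    for idx, cn, exp in expired_certs(SAMPLE_BUNDLE, AS_OF):
        print(f"cert #{idx} '{cn}' expired {exp.isoformat()} -- remove or replace it")
```

Point `expired_certs` at any PEM bundle downloaded from the trust stores in question and at a real `datetime.now(timezone.utc)`. Because the walker assumes well-formed DER and reads only the validity and subject fields, treat a parse error on an entry as a prompt to inspect that certificate with `openssl x509 -text`, not as a verdict on it.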