[cisco-voip] [External] Re: Resolving Sectigo root expiration affecting MRA

Anthony Holloway avholloway+cisco-voip at gmail.com
Wed Jun 3 13:26:23 EDT 2020


Ah ok, in your original email you only mentioned MRA, and so I was very
focused on how CUCM might need certs in the store for MRA.  You are in fact
doing more than just MRA.  Got it.

On Wed, Jun 3, 2020 at 11:35 AM Hunter Fuller <hf0002 at uah.edu> wrote:

> We have a handful of reasons for the certs in CUCM, some to do with MRA,
> some not.
>
>  - Users use the Self Care Portal, and some pickier browsers don't like
> being sent the wrong root.
>  - Something to do with SSO? I was never super clear on this. Either our
> SSO IdP didn't trust the cert from UCM or the other way around. We fixed
> both at the same time, so I guess I will never know.
>  - We are, in fact, checking crypto for all the Expressway tunnels
> (ExpE-ExpC tunnel as well as ExpC-CUCM).
>
> Honorable mention:
>  - Because it's a bad idea to leave expired certs laying around in there,
> and I never know what one of my colleagues may have configured that relies
> on the TLS verify working. :)
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
>
> On Wed, Jun 3, 2020 at 8:28 AM Anthony Holloway <
> avholloway+cisco-voip at gmail.com> wrote:
>
>> Hunter,
>>
>> I might be exposing a gap in my knowledge here, but why did you need
>> these certs on CUCM?
>>
>> Cisco has now published a troubleshooting guide for this issue, and the
>> article does not mention modifying CUCM cert store.
>>
>>
>> https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/215561-troubleshooting-expressway-mra-login-and.html
>>
>> On Sat, May 30, 2020 at 7:02 PM Hunter Fuller <hf0002 at uah.edu> wrote:
>>
>>> All,
>>>
>>> If you use certs whose trust is derived from the Sectigo root that
>>> expired today, and your MRA isn’t working, I’ll try to save you a call to
>>> TAC.
>>>
>>> Do all of these things:
>>>
>>>  - Load the new intermediates and root into callmanager-trust and
>>> tomcat-trust on all your UCMs
>>>  - restart tomcat, tftp, and callmanager on those boxes
>>>  - load the new intermediates and root into the CA trust store on all
>>> expressways
>>>  - reboot the Expressway-Es
>>>
>>> If you need more detail or help, let me know, we just got off the phone
>>> with TAC. Hope it helps.
>>>
>>> --
>>> Hunter Fuller (they)
>>> Router Jockey
>>> VBH Annex B-5
>>> +1 256 824 5331
>>>
>>> Office of Information Technology
>>> The University of Alabama in Huntsville
>>> Network Engineering
>>> _______________________________________________
>>> cisco-voip mailing list
>>> cisco-voip at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>
>>
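As an added illustration that is not part of this thread, of Cisco's guide, or of any Cisco product, the following Go program (standard library only) models the trust-store side of the four steps above. It constructs a hypothetical PKI shaped like the Sectigo expiry: an old self-signed root and a cross-certificate issued by it that both expired yesterday, a new self-signed root for the same CA key, and a server leaf. It then validates the chain the server would send first against a trust store holding only the old root, and again once the new root has been loaded alongside it. All names, serial numbers and the hostname are placeholders; the behaviour shown is that of Go's crypto/x509 path builder, not of CUCM or Expressway, and the service restarts and reboots in the thread are outside what it models.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serverName is a hypothetical Expressway-E hostname for the constructed leaf.
const serverName = "expressway-e.example.invalid"

type signer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs tmpl with parent (self-signs when parent is nil) for the subject
// key, generating a fresh P-256 key when key is nil.
func issue(tmpl *x509.Certificate, key *ecdsa.PrivateKey, parent *signer) *signer {
	var err error
	if key == nil {
		if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			panic(err)
		}
	}
	parentCert, parentKey := tmpl, key
	if parent != nil {
		parentCert, parentKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &signer{cert, key}
}

func caTemplate(cn string, serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
}

// Scenario holds the constructed certificates (hypothetical, not the real
// Sectigo or Cisco certificates).
type Scenario struct {
	OldRoot, NewRoot, Cross, Leaf *x509.Certificate
}

// BuildScenario mirrors the shape of the Sectigo case: OldRoot and the
// cross-certificate expired yesterday; NewRoot certifies the same key as the
// cross-certificate and is the entry the thread says to load.
func BuildScenario(now time.Time) Scenario {
	expired := now.Add(-24 * time.Hour)
	oldRoot := issue(caTemplate("Old Root CA", 1, now.AddDate(-20, 0, 0), expired), nil, nil)
	newRoot := issue(caTemplate("New Root CA", 2, now.AddDate(-10, 0, 0), now.AddDate(10, 0, 0)), nil, nil)
	cross := issue(caTemplate("New Root CA", 3, now.AddDate(-10, 0, 0), expired), newRoot.key, oldRoot)
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: serverName},
		DNSNames: []string{serverName}, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 3, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, nil, newRoot)
	return Scenario{oldRoot.cert, newRoot.cert, cross.cert, leaf.cert}
}

// VerifyChain is the check a TLS client makes: validate the server's leaf and
// the intermediates it sent against the client's own trust store.
func VerifyChain(leaf *x509.Certificate, sent, trusted []*x509.Certificate, now time.Time) ([][]*x509.Certificate, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range sent {
		inter.AddCert(c)
	}
	return leaf.Verify(x509.VerifyOptions{DNSName: serverName, Roots: roots, Intermediates: inter, CurrentTime: now})
}

// ExpiredCerts lists trust-store entries past NotAfter: the stale entries the
// thread's last point recommends removing once the replacement is loaded.
func ExpiredCerts(store []*x509.Certificate, now time.Time) []string {
	var out []string
	for _, c := range store {
		if now.After(c.NotAfter) {
			out = append(out, fmt.Sprintf("%s serial=%d", c.Subject.CommonName, c.SerialNumber))
		}
	}
	return out
}

func main() {
	now := time.Now()
	s := BuildScenario(now)
	sent := []*x509.Certificate{s.Cross}
	_, err := VerifyChain(s.Leaf, sent, []*x509.Certificate{s.OldRoot}, now)
	fmt.Println("old root only:", err)
	if chains, err := VerifyChain(s.Leaf, sent, []*x509.Certificate{s.OldRoot, s.NewRoot}, now); err != nil {
		fmt.Println("with new root:", err)
	} else {
		fmt.Println("with new root: ok, anchored at", chains[0][len(chains[0])-1].Subject.CommonName)
	}
	fmt.Println("expired entries:", ExpiredCerts([]*x509.Certificate{s.OldRoot, s.NewRoot, s.Cross}, now))
}
```

With only the old root trusted, verification fails even though the leaf itself is fine, because every path ends at an expired certificate; once the new root is in the store a path that bypasses the expired cross-certificate exists and validation succeeds. Go's path builder tries every candidate parent, so leaving the expired root in place does not break the new path here, but other TLS stacks are less forgiving, which is one more reason to remove the entries that `ExpiredCerts` reports.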