[cisco-voip] Resolving Sectigo root expiration affecting MRA

Pawlowski, Adam ajp26 at buffalo.edu
Wed Jun 3 14:24:14 EDT 2020


This is the boat we were in as well, and I’ve learned some lessons here.

The bug that I posted about for Jabber mobile devices got me – since we're MRA only, I thought I broke it again, and it took a while to figure out why. The bugs in Expressway <X12.5.7, where replication fails for CPL and the login banner, got me for a while thinking I'd just broken the cluster because of the replication-failed alarms. I nearly forgot to reset all the phones after restarting TVS, but … well, fool me once on that one.

I learned that the Expressway doesn’t have any real certificate “monitor”, and if you put an EC cert from an intermediate into the ipsec-trust keychain you will break that service, it will just core endlessly.

How is everyone keeping track of the certificates that they have out there, and that they’re coming up due for replacement? Outlook calendars are no good, and neither are the notices from the issuing CA. I have to be missing something obvious.

Best,

Adam

From: cisco-voip <cisco-voip-bounces at puck.nether.net> On Behalf Of Derek Andrew
Sent: Wednesday, June 3, 2020 10:20 AM
To: Anthony Holloway <avholloway+cisco-voip at gmail.com>
Cc: voyp list, cisco-voip (cisco-voip at puck.nether.net) <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] Resolving Sectigo root expiration affecting MRA

If you had previously installed the certs on CUCM CUP CUC and CER as we did, they would also have expired.

On Wed, Jun 3, 2020 at 7:34 AM Anthony Holloway <avholloway+cisco-voip at gmail.com> wrote:

Hunter,

I might be exposing a gap in my knowledge here, but why did you need these certs on CUCM?

Cisco has now published a troubleshooting guide for this issue, and the article does not mention modifying CUCM cert store.

https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/215561-troubleshooting-expressway-mra-login-and.html

On Sat, May 30, 2020 at 7:02 PM Hunter Fuller <hf0002 at uah.edu> wrote:
All,

If you use certs whose trust is derived from the Sectigo root that expired today, and your MRA isn’t working, I’ll try to save you a call to TAC.

Do all of these things:

 - Load the new intermediates and root into callmanager-trust and tomcat-trust on all your UCMs
 - Restart tomcat, tftp, and callmanager on those boxes
 - Load the new intermediates and root into the CA trust store on all Expressways
 - Reboot the Expressway-Es

If you need more detail or help, let me know, we just got off the phone with TAC. Hope it helps.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


--
Copyright 2020 Derek Andrew (excluding quotations)

+1 306 966 4808
Communication and Network Services
Information and Communications Technology
University of Saskatchewan
Peterson 120; 54 Innovation Boulevard
Saskatoon,Saskatchewan,Canada. S7N 2V3
Timezone GMT-6

Typed but not read.
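As an added example (not code from this thread, from Cisco, or from any of the posters), here is a small stdlib-only Python check that addresses the question raised above of how to keep track of which certificates are coming due. It handshakes with each host using full chain verification against the local trust store, so an expired intermediate or root in the presented chain surfaces as a verification failure (the symptom that broke MRA logins in this thread) rather than being missed because only the leaf's notAfter was inspected, and it reports how many days each leaf has left. The host names, the 30-day warning threshold and the sample certificate dictionaries are constructed for illustration and are not real systems or dates.

```python
"""Certificate expiry and chain check for TLS endpoints such as Expressway-E
and CUCM. Added example, not from the mailing list thread or from Cisco.
Host names, the warning threshold and the sample data are constructed."""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumption: flag anything with 30 days or less left


def days_left(cert, now=None):
    """Days until the notAfter of a certificate dict in the shape returned by
    ssl.SSLSocket.getpeercert(); negative means it has already expired."""
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    not_after_ts = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after_ts - now_ts) / 86400


def classify(days, warn_days=WARN_DAYS):
    """Map a days-left value onto an action status."""
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return "EXPIRING"
    return "OK"


def fetch_peer_cert(host, port=443, timeout=5):
    """Connect with full chain verification against the local trust store.

    Returns (cert_dict, None) on success, or (None, reason) on failure.
    An expired intermediate or root anywhere in the presented chain shows
    up here as a verification error, not as a leaf notAfter value, which is
    the failure mode behind the MRA login problem discussed above.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as e:
        return None, f"chain verification failed: {e.verify_message}"
    except (OSError, ssl.SSLError) as e:
        return None, f"connection or TLS error: {e}"


def report(inventory, fetch=fetch_peer_cert, now=None, warn_days=WARN_DAYS):
    """Check every (host, port) in inventory.

    Returns a list of (host, status, detail) tuples where status is one of
    OK, EXPIRING, EXPIRED or FAILED (handshake or chain verification failed).
    """
    results = []
    for host, port in inventory:
        cert, err = fetch(host, port)
        if cert is None:
            results.append((host, "FAILED", err))
            continue
        d = days_left(cert, now)
        results.append((host, classify(d, warn_days),
                        f"{d:.1f} days left, notAfter {cert['notAfter']}"))
    return results


# Constructed sample: what getpeercert() might return for three hosts, plus one
# host whose chain no longer verifies. Names and dates are illustrative only.
SAMPLE_NOW = datetime(2020, 6, 3, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "exp-e1.example.edu": {"subject": ((("commonName", "exp-e1.example.edu"),),),
                           "notAfter": "May 30 10:48:38 2020 GMT"},
    "cucm-pub.example.edu": {"subject": ((("commonName", "cucm-pub.example.edu"),),),
                             "notAfter": "Jun 20 00:00:00 2020 GMT"},
    "imp-pub.example.edu": {"subject": ((("commonName", "imp-pub.example.edu"),),),
                            "notAfter": "Dec 31 23:59:59 2021 GMT"},
}


def sample_fetch(host, port=443):
    """Stand-in for fetch_peer_cert that serves the constructed sample data."""
    if host == "exp-e2.example.edu":
        return None, "chain verification failed: certificate has expired"
    return SAMPLE_CERTS[host], None


def run_sample():
    """Run the report over the sample inventory at the fixed SAMPLE_NOW."""
    inventory = [(h, 443) for h in (*SAMPLE_CERTS, "exp-e2.example.edu")]
    return report(inventory, fetch=sample_fetch, now=SAMPLE_NOW)


if __name__ == "__main__":
    # Real use: drop the fetch= override so fetch_peer_cert is used, and feed
    # the inventory from wherever you keep it (a text file, a CMDB export).
    for host, status, detail in run_sample():
        print(f"{status:8} {host:24} {detail}")
```

Run it from cron against your real inventory with the default `fetch_peer_cert` and alert on anything that is not OK. Two caveats: `getpeercert()` only returns the leaf, so an intermediate that is about to expire will not show up as EXPIRING, it will only show up as FAILED after the fact; and verification is done against the trust store of the machine running the script, not the Expressway's or CUCM's, so a chain that verifies here can still be rejected by a trust store that has not had the new root and intermediates loaded.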