[cisco-voip] Resolving Sectigo root expiration affecting MRA

Anthony Holloway avholloway+cisco-voip at gmail.com
Wed Jun 3 16:54:56 EDT 2020


Yeah, good question. Certificate Monitor in CUCM (and others) is really
handy for this, but I've also seen it fail due to a defect.

I wonder if the one Cisco is using in CUCM (and others) is the #8 one
listed in this article:
https://geekflare.com/monitor-ssl-certificate-expiry/

Either way, there are a few other cloud and on-prem solutions mentioned in
that link.

On Wed, Jun 3, 2020 at 1:24 PM Pawlowski, Adam <ajp26 at buffalo.edu> wrote:

> This is the boat we were in as well, and I’ve learned some lessons here.
>
>
>
> The bug that I posted about for Jabber mobile devices got me – since we’re
> MRA only I thought I broke it again and it took a while to figure out why.
> The bugs in Expressway <X12.5.7 where replication fails for CPL and the
> login banner got me for a while thinking I’d just broken the cluster due to
> the replication failed alarms.  I nearly forgot to reset all the phones
> after restarting TVS but … well fool me once on that one.
>
>
>
> I learned that the Expressway doesn’t have any real certificate “monitor”,
> and if you put an EC cert from an intermediate into the ipsec-trust
> keychain you will break that service, it will just core endlessly.
>
>
>
> How is everyone keeping track of the certificates that they have out
> there, and that they’re coming up due for replacement? Outlook calendars
> are no good, and neither are the notices from the issuing CA. I have to be
> missing something obvious.
>
>
>
> Best,
>
>
>
> Adam
>
>
>
> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> *On Behalf Of *Derek
> Andrew
> *Sent:* Wednesday, June 3, 2020 10:20 AM
> *To:* Anthony Holloway <avholloway+cisco-voip at gmail.com>
> *Cc:* voyp list, cisco-voip (cisco-voip at puck.nether.net) <
> cisco-voip at puck.nether.net>
> *Subject:* Re: [cisco-voip] Resolving Sectigo root expiration affecting
> MRA
>
>
>
> If you had previously installed the certs on CUCM CUP CUC and CER as we
> did, they would also have expired.
>
>
>
> On Wed, Jun 3, 2020 at 7:34 AM Anthony Holloway <
> avholloway+cisco-voip at gmail.com> wrote:
>
>
>
>
> Hunter,
>
>
>
> I might be exposing a gap in my knowledge here, but why did you need these
> certs on CUCM?
>
>
>
> Cisco has now published a troubleshooting guide for this issue, and the
> article does not mention modifying the CUCM cert store.
>
>
>
>
> https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/215561-troubleshooting-expressway-mra-login-and.html
>
>
>
> On Sat, May 30, 2020 at 7:02 PM Hunter Fuller <hf0002 at uah.edu> wrote:
>
> All,
>
>
>
> If you use certs whose trust is derived from the Sectigo root that expired
> today, and your MRA isn’t working, I’ll try to save you a call to TAC.
>
>
>
> Do all of these things:
>
>
>
>  - Load the new intermediates and root into callmanager-trust and
> tomcat-trust on all your UCMs
>  - Restart tomcat, tftp, and callmanager on those boxes
>  - Load the new intermediates and root into the CA trust store on all
> Expressways
>  - Reboot the Expressway-Es
>
>
>
> If you need more detail or help, let me know, we just got off the phone
> with TAC. Hope it helps.
>
>
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
>
>
> --
>
> Copyright 2020 Derek Andrew (excluding quotations)
>
> +1 306 966 4808
>
> Communication and Network Services
>
> Information and Communications Technology
>
>
> *University of Saskatchewan* Peterson 120; 54 Innovation Boulevard
> Saskatoon, Saskatchewan, Canada. S7N 2V3
> Timezone GMT-6
>
>
>
> Typed but not read.
>
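Two practical problems run through the thread: making sure the root and
intermediates you are about to load into callmanager-trust, tomcat-trust and
the Expressway CA store are themselves still valid, and finding out before the
CA does that something in the chain is about to expire. The script below is an
added example written for this page; it is not code from any poster and not a
Cisco tool. It uses only the openssl CLI and awk: it splits a PEM bundle into
individual certificates, prints each one's notAfter and subject, and exits
non-zero if any certificate is expired or expires within a warning window.
CUCM and Expressway do not expose their trust stores as a file you can read
from a shell, so the input is assumed to be either the bundle you assemble
before uploading it, or the chain captured from a running node with
`openssl s_client -connect <expressway-e>:443 -showcerts` (host name is a
placeholder). The two self-signed certificates in `make_demo_bundle` are
constructed test data so the script runs offline.

```shell
#!/bin/sh
# Walk a PEM bundle (the root + intermediates you are about to upload to
# callmanager-trust / tomcat-trust / the Expressway CA store, or a chain saved
# from `openssl s_client -showcerts`) and flag every certificate that is
# expired or expires within WARN_DAYS. Added example; not a Cisco tool.
set -eu

# check_bundle BUNDLE [WARN_DAYS]
# Prints one line per certificate: status, notAfter, subject.
# Returns 1 if any certificate is expired or inside the warning window.
check_bundle() {
  bundle=$1
  warn_days=${2:-30}
  warn_secs=$((warn_days * 86400))
  tmpdir=$(mktemp -d)
  # Split the bundle: one file per BEGIN/END CERTIFICATE block. Text outside
  # the blocks ("Bag Attributes", blank lines) is dropped.
  awk -v dir="$tmpdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; inblk = 1 }
    inblk { print > out }
    /-----END CERTIFICATE-----/ { close(out); inblk = 0 }
  ' "$bundle"
  rc=0
  for f in "$tmpdir"/cert*.pem; do
    [ -e "$f" ] || continue
    subject=$(openssl x509 -in "$f" -noout -subject)
    enddate=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
    # -checkend N exits 0 only if the cert is still valid N seconds from now,
    # so it catches both already-expired and soon-to-expire certificates.
    if openssl x509 -in "$f" -noout -checkend "$warn_secs" >/dev/null; then
      status=OK
    else
      status=EXPIRING
      rc=1
    fi
    printf '%-9s %s  %s\n' "$status" "$enddate" "$subject"
  done
  rm -rf "$tmpdir"
  return $rc
}

# make_demo_bundle DIR
# Constructed test data (not a real CA chain): two self-signed certs, one
# 5 days from expiry and one good for 400 days, concatenated like a bundle.
# Prints the path of the bundle it wrote.
make_demo_bundle() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/k1.pem" \
    -out "$dir/short.pem" -days 5 -subj "/CN=short-lived" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/k2.pem" \
    -out "$dir/long.pem" -days 400 -subj "/CN=long-lived" 2>/dev/null
  cat "$dir/short.pem" "$dir/long.pem" > "$dir/bundle.pem"
  printf '%s\n' "$dir/bundle.pem"
}

# With a bundle path as argument, check it (optional second arg: warn days);
# with no argument, run against the constructed demo bundle.
if [ $# -gt 0 ]; then
  check_bundle "$1" "${2:-30}"
else
  demo=$(mktemp -d)
  bundle=$(make_demo_bundle "$demo")
  check_bundle "$bundle" 30 || echo "at least one certificate needs replacing"
  rm -rf "$demo"
fi
```

Run it from cron against the bundle you keep for each cluster and alert on a
non-zero exit; a 30 day window leaves time to stage the new chain, restart
tomcat/tftp/callmanager and reboot the Expressway-Es in a maintenance window
rather than on the day the root expires.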

