[cisco-voip] Wrong ITL cert on subscribers

Lelio Fulgenzi lelio at uoguelph.ca
Wed Jun 10 14:09:02 EDT 2020


One option is to use the Pre-8.0 enterprise field. If you get all your phones registered correctly, ie using your publisher as TFTP, you can then disable (or enable?) that enterprise parameter which requires a reboot of the phones. Then, you can update all your certs, itl/ctl files and the flip the pre-8.0 parameter.

Or something like that. IT’s what is typically done when you rebuild a cluster offline or move clusters.

We’ve used this in the past a number of times.

Lelio


From: cisco-voip <cisco-voip-bounces at puck.nether.net> On Behalf Of Eric Pedersen
Sent: Wednesday, June 10, 2020 1:32 PM
To: cisco-voip (cisco-voip at puck.nether.net) <cisco-voip at puck.nether.net>
Subject: [cisco-voip] Wrong ITL cert on subscribers

CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp at uoguelph.ca<mailto:IThelp at uoguelph.ca>

We had to rebuild our CUCM 12.5 publisher. That part went ok, but now the subscribers have an ITLRecovery certificate that differs from the pub and are giving out an ITL file signed with that certificate. The publisher has the old, correct certificate which is got with the restore, but it looks like the subscribers for some reason got the ITL cert that the publisher generated after the build but before the restore. Phones are fine if the publisher is their TFTP server but reject the ITL file if a subscriber is their TFTP server.

TAC is saying we need to regenerate the ITL recovery certificate and then the ITL file which sounds extremely risky. I can't see why this would be necessary since the publisher certificate is correct.  Does anyone have experience with an issue like this? Changing CUCM certificates always makes me nervous. My nightmare situation is that we would have to factory reset all the phones.

Eric


Bennett Jones is committed to mitigating the spread of COVID-19. We have transitioned to a remote work environment and continue to provide complete and uninterrupted service to our clients. Visit our COVID-19 Resource Centre (https://www.bennettjones.com/COVID-19) for timely legal updates.

The contents of this message may contain confidential and/or privileged subject matter. If this message has been received in error, please contact the sender and delete all copies. Like other forms of communication, e-mail communications may be vulnerable to interception by unauthorized parties. If you do not wish us to communicate with you by e-mail, please notify us at your earliest convenience. In the absence of such notification, your consent is assumed. Should you choose to allow us to communicate by e-mail, we will not take any additional security measures (such as encryption) unless specifically requested.

If you no longer wish to receive commercial messages, you can unsubscribe by accessing this link: http://www.bennettjones.com/unsubscribe
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20200610/6aff0b7b/attachment.htm>


More information about the cisco-voip mailing list