[cisco-voip] [External] Re: Resolving Sectigo root expiration affecting MRA

Hunter Fuller hf0002 at uah.edu
Sun May 31 03:37:42 EDT 2020


Oh, I didn't know about that issue, but it explains why you have to restart
TFTP. Anything that takes a restart for tomcat will also take a restart for
tomcat-trust.

Why? Because Tomcat (and most apps) ship the server cert *and
intermediates* with the TLS transaction. Cisco Unified stuff seems to
generate the intermediate chain from the tomcat-trust chain. So any time
you alter tomcat-trust, you have to restart everything that serves the
tomcat cert, so that it will start serving the correct intermediates. (This
is also why you have to reboot Expressway-E when changing the root and
intermediates. It doesn't tell you this when you change them, but it will
not start shipping the new root and intermediates with its transactions
until it is rebooted - and MRA phones will not work in that state!)

For example, here I am connecting to our TFTP port using the OpenSSL CLI
and grepping for the cert CNs, and you can see it is actually sending FOUR
certs - not just the server cert. The other three are from tomcat-trust.

hf0002 at burrito ~$ openssl s_client -connect vbhucmpub.voip.uah.edu:6972 -showcerts -prexit 2>/dev/null | grep -E '[0-9] s:'
 0 s:/C=US/ST=Alabama/L=Huntsville/O=The University of Alabama in Huntsville/OU=Office of Information Technology (OIT)/CN=libimsub-ms.voip.uah.edu
 1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 3 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services


--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


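The grep above only shows the subject of each served certificate. To turn that check into something you can run against every UCM, IM&P and Expressway after a trust-store change, the following added example (not code from the post or from Cisco) parses the full "Certificate chain" block that `openssl s_client -showcerts` prints (the `s:` subject and `i:` issuer lines), verifies that each issuer matches the next subject, and reports which trust anchor the served chain ends on, flagging it when that anchor is a known-expired root. The two sample chains are constructed: the hostname `ucm-pub.example.edu` is a placeholder, the `i:` lines are filled in from the public Sectigo/InCommon chain (the post only printed the `s:` lines), and the "before" chain ends on AddTrust External CA Root, the legacy Sectigo root that expired on 2020-05-30. Pipe real `openssl s_client` output into it to check a live box.

```python
"""Check the chain a TLS server actually serves, from `openssl s_client -showcerts` text.

Added example for this thread, not code from the original post. Usage:
  openssl s_client -connect HOST:PORT -showcerts </dev/null 2>/dev/null | python3 chain_check.py
"""
import re
import sys

# Roots known to have expired, by CN. AddTrust External CA Root (the legacy
# Sectigo/Comodo root) expired on 2020-05-30. Extend this set as needed.
EXPIRED_ROOT_CNS = {"AddTrust External CA Root"}

SUBJECT_RE = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")
# Matches both the old "/CN=x" and the OpenSSL 1.1.1+ "CN = x" DN styles.
CN_RE = re.compile(r"(?:^|[/,])\s*CN\s*=\s*([^/,]+)")


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def cn_of(dn):
    """Extract the CN attribute from an OpenSSL-formatted DN string."""
    m = CN_RE.search(dn)
    return m.group(1).strip() if m else dn


def check_chain(chain, expired_roots=EXPIRED_ROOT_CNS):
    """Validate linkage and report which trust anchor the served chain points at.

    Returns a dict: links_ok (each issuer == next subject), root_cn (CN of the
    final cert if self-signed, else None), anchor_cn (issuer the chain ends on),
    expired_root (anchor is a known-expired root), problems (list of strings).
    """
    if not chain:
        return {"links_ok": False, "root_cn": None, "anchor_cn": None,
                "expired_root": False, "problems": ["no certificates parsed"]}
    problems, links_ok = [], True
    for i in range(len(chain) - 1):
        issuer, next_subject = chain[i][1], chain[i + 1][0]
        if issuer != next_subject:
            links_ok = False
            problems.append(f"cert {i} issuer '{cn_of(issuer)}' != cert {i + 1} subject '{cn_of(next_subject)}'")
    last_subject, last_issuer = chain[-1]
    anchor_cn = cn_of(last_issuer)
    root_cn = cn_of(last_subject) if last_subject == last_issuer else None
    if root_cn is None:
        problems.append(f"chain does not end in a self-signed root; last cert '{cn_of(last_subject)}' was issued by '{anchor_cn}'")
    expired_root = anchor_cn in expired_roots
    if expired_root:
        problems.append(f"served chain leads to expired root '{anchor_cn}': the server is still shipping the old intermediates (restart the service or reboot after updating the trust store)")
    return {"links_ok": links_ok, "root_cn": root_cn, "anchor_cn": anchor_cn,
            "expired_root": expired_root, "problems": problems}


# Constructed sample input (not captured from the list post): a pre-fix chain
# where the cross-signed USERTrust root still leads to the expired AddTrust root.
BEFORE = """\
Certificate chain
 0 s:/C=US/O=Example University/CN=ucm-pub.example.edu
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
 1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
"""

# Constructed post-fix chain with the same CA subjects the post's grep showed
# (issuer lines filled in; the post only printed the "s:" lines).
AFTER = """\
Certificate chain
 0 s:/C=US/O=Example University/CN=ucm-pub.example.edu
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
 1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
 3 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
"""

if __name__ == "__main__":
    # Read a live s_client dump from stdin; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else BEFORE
    result = check_chain(parse_chain(text))
    print("anchor:", result["anchor_cn"], "| expired root:", result["expired_root"])
    for p in result["problems"]:
        print(" -", p)
```

A truncated chain (server sends the cross-signed USERTrust intermediate but not the root) is still flagged, because the check looks at the issuer the last certificate points to rather than only at self-signed roots. Run it against port 6972 (TFTP over TLS) and 8443 on each node and against the Expressway-E's public interface; a node that still reports the old anchor after the trust-store update is one whose services have not been restarted yet.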

On Sun, May 31, 2020 at 2:16 AM Anthony Holloway <
avholloway+cisco-voip at gmail.com> wrote:

> Probably confusion with the tomcat cert, versus the tomcat-trust.
>
> Remember this defect?
> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy13916
>
> On Sat, May 30, 2020 at 7:11 PM Hunter Fuller <hf0002 at uah.edu> wrote:
>
>> I was wondering the same thing. You may be able to skip that one, but it
>> advises you to restart it when updating the callmanager-trust store, so we
>> did it.
>>
>> On Sat, May 30, 2020 at 19:10 Anthony Holloway <
>> avholloway+cisco-voip at gmail.com> wrote:
>>
>>> MVP
>>>
>>> But why restart TFTP?
>>>
>>> On Sat, May 30, 2020 at 7:02 PM Hunter Fuller <hf0002 at uah.edu> wrote:
>>>
>>>> All,
>>>>
>>>> If you use certs whose trust is derived from the Sectigo root that
>>>> expired today, and your MRA isn’t working, I’ll try to save you a call to
>>>> TAC.
>>>>
>>>> Do all of these things:
>>>>
>>>>  - Load the new intermediates and root into callmanager-trust and
>>>> tomcat-trust on all your UCMs
>>>>  - restart tomcat, tftp, and callmanager on those boxes
>>>>  - load the new intermediates and root into the CA trust store on all
>>>> expressways
>>>>  - reboot the Expressway-Es
>>>>
>>>> If you need more detail or help, let me know, we just got off the phone
>>>> with TAC. Hope it helps.
>>>>
>>>> --
>>>> Hunter Fuller (they)
>>>> Router Jockey
>>>> VBH Annex B-5
>>>> +1 256 824 5331
>>>>
>>>> Office of Information Technology
>>>> The University of Alabama in Huntsville
>>>> Network Engineering
>>>>
>>
>> --
>> Hunter Fuller (they)
>> Router Jockey
>> VBH Annex B-5
>> +1 256 824 5331
>>
>> Office of Information Technology
>> The University of Alabama in Huntsville
>> Network Engineering
>>
>