[cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

Riley, Sean SRiley at robinsonbradshaw.com
Wed Dec 8 08:36:18 EST 2021


I received the same answer from tac as others.  They have a but ID, but the workaround to disable telemetry is incorrect as we have had this disabled in the xml for a couple of years now.  We will be upgrading with the install switch to disable webex going forward.  Hopefully this puts a stop to this cert warning.

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvg82067

From support:
One of the workarounds that I mentioned was to disable the Webex service, do you think you can try that?

Uninstall Jabber, clear the cache and install it with the following command:
msiexec.exe CiscoJabberSetup.msi CLEAR=1 EXCLUDED_SERVICES=Webex



From: cisco-voip <cisco-voip-bounces at puck.nether.net> On Behalf Of Riley, Sean
Sent: Tuesday, November 30, 2021 12:17 PM
To: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

We did not start to see the cert warnings until 11/15/21.  Not sure if that helps correlate with a certificate expiring, etc.

From: Lelio Fulgenzi <lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>>
Sent: Monday, November 29, 2021 6:18 PM
To: gbates at commandsolutions.com.au<mailto:gbates at commandsolutions.com.au>
Cc: Riley, Sean <SRiley at robinsonbradshaw.com<mailto:SRiley at robinsonbradshaw.com>>; cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert


They better come up with a better workaround to re-installing all our clients.

If Jabber has a built in procedure, then they really need to make sure it works.

Why are we all of a sudden seeing these cert issues?

This downloading of fixes really needs to be curbed.
Sent from my iPhone

On Nov 29, 2021, at 4:53 PM, Gary_Bates_Command_Solutions <gbates at commandsolutions.com.au<mailto:gbates at commandsolutions.com.au>> wrote:

CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp at uoguelph.ca<mailto:IThelp at uoguelph.ca>

Hi there

We experienced this issue with our on-prem Jabber updates,

Fix we applied was as follows:


  1.  Do a “clean install” of Jabber (must delete cache files and uninstall old version)
  2.  Wen installing new version,  use this installation file with the switch at the end  as below


msiexec.exe /i CiscoJabberSetup.msi CLEAR=1 EXCLUDED_SERVICES=WEBEX UPN_DISCOVERY_ENABLED=false

Our desktop team added a script to clear the cache folders on desktops with previous installations as follows:

        ## Deleting all “.\Cisco” folders found on local profiles
        Write-Log "-----> Deleting all `“.\Cisco`” folders found on local profiles"
        $users = Get-ChildItem -Path "C:\Users"
        $users | ForEach-Object {
            Remove-Folder -Path "C:\Users\$($_.Name)\AppData\Local\Cisco"
            Remove-Folder -Path "C:\Users\$($_.Name)\AppData\Roaming\Cisco"


  1.  In the service profile for Jabber, add the “ServiceDiscoveryExcludedServices --> WEBEX”

This will ensure once Jabber is installed and configured, it will no longer try to connect to WEBEX each time the user logins.


HTH

Gary

From: cisco-voip <cisco-voip-bounces at puck.nether.net<mailto:cisco-voip-bounces at puck.nether.net>> On Behalf Of Lelio Fulgenzi
Sent: Tuesday, 30 November 2021 8:24 AM
To: Riley, Sean <SRiley at robinsonbradshaw.com<mailto:SRiley at robinsonbradshaw.com>>
Cc: cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

I will likely be opening a case for this. We had a few. Our workstations are not configured to not get root very updates I’ve been told.

We’ve only had a few cases.

Not sure this hasn’t made it to an advisory or bug or something.

Sent from my iPhone


On Nov 29, 2021, at 1:04 PM, Riley, Sean <SRiley at robinsonbradshaw.com<mailto:SRiley at robinsonbradshaw.com>> wrote:

CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp at uoguelph.ca<mailto:IThelp at uoguelph.ca>

Did anyone come up with a solution to this, other than to tell the users to Accept the Cert?

We are completely on prem with no webex services.  Clients are v 12.9.6.  I was able to reproduce the issue once using a test user account, but have not been able to reproduce since, even after a Jabber reset.  Most of my team is running Jabber v 14.x and we have not seen the cert warning.

Does a user declining the cert add it to the Untrusted Certificates store in Windows?  Maybe that takes priority over a cert in the trusted store?

I have done the following, but we still have sporadic reports of the certificate warning from Jabber:


  1.  Ensured the new IdenTrust Commercial Root CA 1 was in CUCM and services restarted on CUCM and IM&P.
  2.  Added the HydrantID Server CA O1 to the computers trusted store via GPO.

Thanks.


From: cisco-voip <cisco-voip-bounces at puck.nether.net<mailto:cisco-voip-bounces at puck.nether.net>> On Behalf Of Lelio Fulgenzi
Sent: Friday, November 12, 2021 3:17 PM
To: Lelio Fulgenzi <lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>>; Gary Parker <G.J.Parker at lboro.ac.uk<mailto:G.J.Parker at lboro.ac.uk>>; Brian V <bvanbens at gmail.com<mailto:bvanbens at gmail.com>>
Cc: cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

Darn it. We've started seeing the alerts for some reason.

Can we just tell people to accept? Argh.


-----Original Message-----
From: cisco-voip <cisco-voip-bounces at puck.nether.net<mailto:cisco-voip-bounces at puck.nether.net>> On Behalf Of Lelio Fulgenzi
Sent: Friday, November 12, 2021 8:45 AM
To: Gary Parker <G.J.Parker at lboro.ac.uk<mailto:G.J.Parker at lboro.ac.uk>>; Brian V <bvanbens at gmail.com<mailto:bvanbens at gmail.com>>
Cc: cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

(a) do this
(b) don't do this

Is my favourite part!

I remember when I first started, I had opened a case, then another, and got two very conflicting opinions from the TAC

(a) TAC suggests using the T train for voice gateways
(b) The TAC suggests staying away from T train for voice gateways

Or something like that.

When you're first starting out and have a crush on Cisco, it's very had to work through that.


-----Original Message-----
From: Gary Parker <G.J.Parker at lboro.ac.uk<mailto:G.J.Parker at lboro.ac.uk>>
Sent: Friday, November 12, 2021 5:24 AM
To: Brian V <bvanbens at gmail.com<mailto:bvanbens at gmail.com>>
Cc: Lelio Fulgenzi <lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>>; NateCCIE <nateccie at gmail.com<mailto:nateccie at gmail.com>>; Johnson, Tim <johns10t at cmich.edu<mailto:johns10t at cmich.edu>>; cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp at uoguelph.ca<mailto:IThelp at uoguelph.ca>


Yeah, I had a suspicion at one point that this might be to do with the telemetry (which we’re sending), but the only reference I can find to the servers used for this is in the "Feature Configuration for Cisco Jabber 12.8” doc where it states that clients connect to "metrics-a.wbx2.com” (also mentioning that you must install a GoDaddy root cert).

We’ve been sending telemetry for some time and have not had this problem before, and the cert the client is erroring on is idbroker.webex.com (with the IdenTrust root).

Fwiw, metrics-a.wbx2.com is a cname for ha-a-main.wbx2.com, which in turn is a cname for achm-main-ha-a-nlb-1d0e22049c746ef1.elb.us-east-2.amazonaws.com

metrics-a.wbx2.com *does* have a GoDaddy root cert, and a wildcard server cert.

What a mess!

That bug also says:

"b) Disable the telemetry call to Webex in the jabber-config xml”

…but then goes on to say:

"This error/popup is not related to Telemetry. Even if you disable Telemetry on Jabber certificate pop up will continue to show.”

¯\_(ツ)_/¯

Gary

> On 11 Nov 2021, at 22:57, Brian V <bvanbens at gmail.com<mailto:bvanbens at gmail.com>> wrote:
>
> Part of the workaround referenced in the Bug doesn't make sense. They reference adding some GoDaddy certs, but when you look at the URL they reference (*.wbx2.com) that is signed by Hydrant not Go Daddy.

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20211208/9384012f/attachment.htm>


More information about the cisco-voip mailing list