[cisco-voip] [External] Re: Certificate issue and I am rubbish at certificates. (full disclosure)

Terry Oakley Terry.Oakley at rdpolytech.ca
Wed May 24 14:18:26 EDT 2023


Thank you both and all.
The 2028 date was created by the system using the regenerate option on the OS Admin page. Thank you for the knowledge. As I said, I am rubbish when it comes to certificates and, more importantly, understanding them. I assumed (yes, you can make the full understanding of assume) that the regenerate would do it from our CA. I was wrong. Requested replacement certs from our CA and now we are up and running.

Thank you again Hunter and Matthew.   

Terry

-----Original Message-----
From: Hunter Fuller <hf0002 at uah.edu> 
Sent: Wednesday, May 24, 2023 10:14 AM
To: Matthew Loraditch <MLoraditch at heliontechnologies.com>
Cc: Terry Oakley <Terry.Oakley at rdpolytech.ca>; voip puck <cisco-voip at puck.nether.net>
Subject: Re: [External] Re: [cisco-voip] Certificate issue and I am rubbish at certificates. (full disclosure)


2028 is WAY too far in the future. No modern browser trusts a publicly-issued certificate that is valid that far in the future. How did you even get that certificate?

If you did a self signed, then that would explain why no browser trusts it. Self signed is the "sovereign citizen" of certificates. You need to get a certificate authority to sign your CSR.

https://knowledge.digicert.com/generalinformation/2-year_Certificate_Availability.html

--
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Wed, May 24, 2023 at 11:01 AM Matthew Loraditch <MLoraditch at heliontechnologies.com> wrote:
>
> It sounds like something is different between the old and new certs (besides the dates). As far as clients accessing Unity via a browser, the callmanager-trust certs are not involved. I’m not even sure they are used at all on a Unity server. I’ve never touched them.
>
> I would take a look at the old and new certs and make sure the subject and SAN fields are all the same. There can be a lot of reasons for cert errors and the errors are all similar and hard to diagnose without access to the browser throwing the error, but that’s the first thing I would check.
>
> Matthew Loraditch
> Sr. Network Engineer
> direct: 443.541.1518
> e: MLoraditch at heliontechnologies.com
> http://www.heliontechnologies.com/
>
> From: cisco-voip <cisco-voip-bounces at puck.nether.net> On Behalf Of Terry Oakley
> Sent: Wednesday, May 24, 2023 11:35 AM
> To: 'voip puck' <cisco-voip at puck.nether.net>
> Subject: [cisco-voip] Certificate issue and I am rubbish at certificates. (full disclosure)
>
> On our Unity Connection server the certificates for Tomcat and Tomcat trust expired over the weekend, my oversight. I regenerated the certificates and both are now year 2028 expiry date. But we still get the same error if someone is trying to access their inbox (https://server/inbox/) (error is "You cannot visit server right now because the website uses HSTS").
>
> I noticed that there is a CallManager-Trust certificate that expired on the same day as the Tomcat certs. The CallManager-Trust certificate is issued by the CA (CA signed) but when I go to Generate a CSR I don’t have the option to choose CallManager-Trust or Trust. I have Tomcat, Tomcat ecdsa or ipsec. The common name for the expired CallManager-Trust certificate is the UnityConnection server that users cannot get to. A little confused as to where this CallManager Trust certificate can be generated from.
>
> Thank you
>
> Terry
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
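A shell triage for the two points raised in the thread (Hunter's: a self-signed or 2028-dated certificate will not be trusted; Matthew's: diff the subject and SAN of the old and new certs), added here as an example and not part of the original posts. It assumes `openssl` (1.1.1 or newer) on PATH and that the old and new certificates have been exported from the OS Admin page to PEM files; all file names are made up.

```shell
# Fields worth diffing between the old and new certificate: subject, issuer,
# validity window and the SAN list (Matthew's first check).
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -ext subjectAltName
}

# Exit 0 when the subject and SAN of two certificates are identical.
cert_names_match() {
    a=$(openssl x509 -in "$1" -noout -subject -ext subjectAltName)
    b=$(openssl x509 -in "$2" -noout -subject -ext subjectAltName)
    [ "$a" = "$b" ]
}

# Exit 0 when the certificate is self-signed (issuer equals subject), which is
# what "Regenerate" on the OS Admin page produced in the thread.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

# Print each problem found and return the number of problems (0 = looks fine).
triage_cert() {
    n=0
    if cert_is_self_signed "$1"; then
        echo "self-signed: have your CA sign a CSR instead"; n=$((n+1))
    fi
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo "expired"; n=$((n+1))
    fi
    # Public CAs cap validity at 398 days; a notAfter further out than that
    # (a 2028 date in 2023) means no public CA issued it, so check the issuer.
    if openssl x509 -in "$1" -noout -checkend $((398 * 86400)) >/dev/null; then
        echo "valid more than 398 days out: not a public-CA certificate"; n=$((n+1))
    fi
    return $n
}

# Constructed sample reproducing the thread's symptom: self-signed, 1825 days
# (five years, so a 2023 regeneration lands in 2028). Hostname is made up.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2" -out "$1" \
        -days 1825 -subj "/CN=unity.example.invalid" \
        -addext "subjectAltName=DNS:unity.example.invalid" >/dev/null 2>&1
}
```

Run `cert_summary old.pem; cert_summary new.pem` side by side, then `triage_cert new.pem`; the sample certificate trips both the self-signed and the 398-day checks.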