[cisco-voip] [External] Re: Certificate issue and I am rubbish at certificates. (full disclosure)

Wed May 24 15:08:10 EDT 2023

Sovereign Citizen. That’s just funny.

Thanks,

Ryan Huff
________________________________
From: cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of Hunter Fuller <hf0002 at uah.edu>
Sent: Wednesday, May 24, 2023 12:14:27 PM
To: Matthew Loraditch <MLoraditch at heliontechnologies.com>
Cc: Terry Oakley <Terry.Oakley at rdpolytech.ca>; voip puck <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] [External] Re: Certificate issue and I am rubbish at certificates. (full disclosure)

2028 is WAY too far in the future. No modern browser trusts a
publicly-issued certificate that is valid that far in the future. How
did you even get that certificate.

If you did a self signed, then that would explain why no browser
trusts it. Self signed is the "sovereign citizen" of certificates. You
need to get a certificate authority to sign your CSR.

https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fknowledge.digicert.com%2Fgeneralinformation%2F2-year_Certificate_Availability.html&data=05%7C01%7C%7C33aae16f4f824da959ec08db5c72202d%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638205417463181216%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=F3nhWssXTK3oZj0mDi%2BySMTvinQ2iJcDRiQvQIMOVto%3D&reserved=0<https://knowledge.digicert.com/generalinformation/2-year_Certificate_Availability.html>

--
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Wed, May 24, 2023 at 11:01 AM Matthew Loraditch
<MLoraditch at heliontechnologies.com> wrote:
>
> It sounds like something is different between the old and new certs (besides the dates). As far as clients accessing Unity via a browser, the callmanager-trust certs are not involved. I’m not even sure they are used at all on a Unity server. I’ve never touched them.
>
>
>
> I would take a look at the old and new certs and make sure the subject and SAN fields are all the same. There can be a lot of reasons for cert errors and the errors are all similar and hard to diagnose without access to the browser throwing the error, but that’s the first thing I would check.
>
>
>
>
>
>
> Matthew Loraditch
> Sr. Network Engineer
> direct: 443.541.1518
> e: MLoraditch at heliontechnologies.com
> https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.heliontechnologies.com%2F&data=05%7C01%7C%7C33aae16f4f824da959ec08db5c72202d%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638205417463181216%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=9WGDmNKbNXHrjDes9vllJS%2FN9u4u5uEOOHMOeF4e5xk%3D&reserved=0<http://www.heliontechnologies.com/>

>
> From: cisco-voip <cisco-voip-bounces at puck.nether.net> On Behalf Of Terry Oakley
> Sent: Wednesday, May 24, 2023 11:35 AM
> To: 'voip puck' <cisco-voip at puck.nether.net>
> Subject: [cisco-voip] Certificate issue and I am rubbish at certificates. (full disclosure)
>
>
>
> [EXTERNAL]
>
>
>
> On our Unity Connection server the certificates for Tomcat and Tomcat trust expired over the weekend, my oversight.   I regenerated the certificates and both are now year 2028 expiry date.   But we still get the same error if someone is trying to access their inbox  (https://server/inbox/)  (error is You cannot visit server right now because the website uses HSTS)
>
>
>
> I noticed that there is a CallManager-Trust certificate that expired on the same day as the Tomcat certs.   The CallManager-Trust certificate is issued by the CA (CA signed) but when I go to Generate a CSR I don’t have the option to choose CallManager-Trust or Trust .  I have Tomcat, Tomcat ecdsa or ipsec.   The common name for the expired CallManager-Trust certificate is the UnityConnection server that users cannot get too.   Little confused as to where this CallManager Trust certificate can be generated from.
>
>
>
>
>
> Thank you
>
>
>
> Terry
>
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpuck.nether.net%2Fmailman%2Flistinfo%2Fcisco-voip&data=05%7C01%7C%7C33aae16f4f824da959ec08db5c72202d%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638205417463181216%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=f8O9Ho0327p4Q3Ad%2FqZ5oIF2pwXLbqjow%2F102o0M1IM%3D&reserved=0<https://puck.nether.net/mailman/listinfo/cisco-voip>
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpuck.nether.net%2Fmailman%2Flistinfo%2Fcisco-voip&data=05%7C01%7C%7C33aae16f4f824da959ec08db5c72202d%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638205417463181216%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=f8O9Ho0327p4Q3Ad%2FqZ5oIF2pwXLbqjow%2F102o0M1IM%3D&reserved=0<https://puck.nether.net/mailman/listinfo/cisco-voip>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20230524/de3f25c2/attachment.htm>