[cisco-voip] [External] Re: Certificate issue and I am rubbish at certificates. (full disclosure)

Terry Oakley Terry.Oakley at rdpolytech.ca
Wed May 24 17:34:31 EDT 2023


Ahh then a successful day as we made one person have a good funny moment.

Terry

From: Ryan Huff <ryanhuff at outlook.com> 
Sent: Wednesday, May 24, 2023 1:08 PM
To: Hunter Fuller <hf0002 at uah.edu>; Matthew Loraditch <MLoraditch at heliontechnologies.com>
Cc: Terry Oakley <Terry.Oakley at rdpolytech.ca>; voip puck <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] [External] Re: Certificate issue and I am rubbish at certificates. (full disclosure)

 



Sovereign Citizen. That’s just funny.

Thanks,

Ryan Huff

  _____  

From: cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of Hunter Fuller <hf0002 at uah.edu>
Sent: Wednesday, May 24, 2023 12:14:27 PM
To: Matthew Loraditch <MLoraditch at heliontechnologies.com>
Cc: Terry Oakley <Terry.Oakley at rdpolytech.ca>; voip puck <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] [External] Re: Certificate issue and I am rubbish at certificates. (full disclosure)

 

2028 is WAY too far in the future. No modern browser trusts a
publicly-issued certificate that is valid that far in the future. How
did you even get that certificate.

If you did a self signed, then that would explain why no browser
trusts it. Self signed is the "sovereign citizen" of certificates. You
need to get a certificate authority to sign your CSR.

https://knowledge.digicert.com/generalinformation/2-year_Certificate_Availability.html

--
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Wed, May 24, 2023 at 11:01 AM Matthew Loraditch
<MLoraditch at heliontechnologies.com> wrote:
>
> It sounds like something is different between the old and new certs (besides the dates). As far as clients accessing Unity via a browser, the callmanager-trust certs are not involved. I’m not even sure they are used at all on a Unity server. I’ve never touched them.
>
>
>
> I would take a look at the old and new certs and make sure the subject and SAN fields are all the same. There can be a lot of reasons for cert errors and the errors are all similar and hard to diagnose without access to the browser throwing the error, but that’s the first thing I would check.
>
>
>
>
>
>
> Matthew Loraditch
> Sr. Network Engineer
> direct: 443.541.1518
> e: MLoraditch at heliontechnologies.com
> http://www.heliontechnologies.com/
>
> From: cisco-voip <cisco-voip-bounces at puck.nether.net> On Behalf Of Terry Oakley
> Sent: Wednesday, May 24, 2023 11:35 AM
> To: 'voip puck' <cisco-voip at puck.nether.net>
> Subject: [cisco-voip] Certificate issue and I am rubbish at certificates. (full disclosure)
>
>
>
> On our Unity Connection server the certificates for Tomcat and Tomcat trust expired over the weekend, my oversight. I regenerated the certificates and both are now year 2028 expiry date. But we still get the same error if someone is trying to access their inbox (https://server/inbox/) (error is "You cannot visit server right now because the website uses HSTS").
>
> I noticed that there is a CallManager-Trust certificate that expired on the same day as the Tomcat certs. The CallManager-Trust certificate is issued by the CA (CA signed) but when I go to Generate a CSR I don’t have the option to choose CallManager-Trust or Trust. I have Tomcat, Tomcat ecdsa or ipsec. The common name for the expired CallManager-Trust certificate is the UnityConnection server that users cannot get to. Little confused as to where this CallManager Trust certificate can be generated from.
>
>
>
>
>
> Thank you
>
>
>
> Terry
>
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
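The comparison suggested in the replies above (same subject and SAN on the old and new certs, plus who issued the new one and how long it is valid), as an added example that is not part of the original thread. It parses the text printed by `openssl x509`; the host names, CA name and dates in the samples are constructed, and `issuer == subject` is used as a simple self-signed heuristic.

```python
import re
from datetime import datetime

# 398 days: browser limit for publicly trusted certs issued since 2020-09-01.
MAX_PUBLIC_DAYS = 398

# Constructed samples of `openssl x509 -noout -subject -issuer -dates -ext subjectAltName`
OLD_CERT = """subject=CN = cuc01.example.edu
issuer=CN = Example Issuing CA
notBefore=May 20 00:00:00 2022 GMT
notAfter=May 20 00:00:00 2023 GMT
X509v3 Subject Alternative Name:
    DNS:cuc01.example.edu, DNS:voicemail.example.edu"""
NEW_CERT = """subject=CN = cuc01.example.edu
issuer=CN = cuc01.example.edu
notBefore=May 24 15:00:00 2023 GMT
notAfter=May 22 15:00:00 2028 GMT
X509v3 Subject Alternative Name:
    DNS:cuc01.example.edu"""

def parse_x509_text(text):
    """Parse the openssl text above into subject, issuer, dates and a SAN set."""
    cert = {"san": set()}
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"(subject|issuer|notBefore|notAfter)\s*=\s*(.*)", line)
        if m and m.group(1).startswith("not"):
            cert[m.group(1)] = datetime.strptime(m.group(2), "%b %d %H:%M:%S %Y GMT")
        elif m:  # normalise "CN = host" vs "CN=host" and letter case
            cert[m.group(1)] = re.sub(r"\s*=\s*", "=", m.group(2)).lower()
        elif line.startswith(("DNS:", "IP Address:")):
            cert["san"].update(s.strip().lower() for s in line.split(","))
    return cert

def review_renewal(old_text, new_text, max_days=MAX_PUBLIC_DAYS):
    old, new = parse_x509_text(old_text), parse_x509_text(new_text)
    findings = []
    if old["subject"] != new["subject"]:
        findings.append(f"subject changed: {old['subject']} -> {new['subject']}")
    if old["san"] != new["san"]:
        findings.append(f"SAN lost {sorted(old['san'] - new['san'])}, "
                        f"gained {sorted(new['san'] - old['san'])}")
    if new["issuer"] == new["subject"]:
        findings.append("new cert is self-signed (issuer == subject)")
    days = (new["notAfter"] - new["notBefore"]).days
    if days > max_days:
        findings.append(f"validity of {days} days exceeds {max_days}")
    return findings

if __name__ == "__main__": print(*review_renewal(OLD_CERT, NEW_CERT), sep="\n")
```
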
