<div dir="ltr"><div>It was Go Daddy. </div><div><br></div><div>I uploaded the bundle they sent all at once to the tomcat-trust then the individual multi-server cert to tomcat. The root was missing from that bundle. Going out to their website and downloading the root, G2 root in this case, and uploading it to tomcat-trust was all I needed to do.</div><div><br></div><div>Maybe the customer didn't provide me with the file containing the entire chain but I remember vaguely this happening on previous jobs with Go Daddy.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 17, 2016 at 8:35 AM, Anthony Holloway <span dir="ltr"><<a href="mailto:avholloway+cisco-voip@gmail.com" target="_blank">avholloway+cisco-voip@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks for replying. Did you use a public CA or private CA? And did you upload all certs in the chain (sans the root) as one file, or as separate files?</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 16, 2016 at 8:06 PM, Erick Wellnitz <span dir="ltr"><<a href="mailto:ewellnitzvoip@gmail.com" target="_blank">ewellnitzvoip@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><p dir="ltr">The root CA cert wasn't uploaded. The bundle the CA provided didn't contain the root for whatever reason. Once the root was in place and after a tomcat restart everything started working properly.</p>
<p dir="ltr">So, the whole thing was caused by not paying close enough attention to what got added to romcat-trust after the cert bundle upload.</p><div><div>
<div class="gmail_quote">On Mar 16, 2016 4:35 PM, "Anthony Holloway" <<a href="mailto:avholloway%2Bcisco-voip@gmail.com" target="_blank">avholloway+cisco-voip@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div dir="ltr">What do you mean? Was it simply not uploaded to the Tomcat Trust? Or was the cert bad?</div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Mar 14, 2016 at 3:31 PM, Erick Wellnitz <span dir="ltr"><<a href="mailto:ewellnitzvoip@gmail.com" target="_blank">ewellnitzvoip@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div dir="ltr"><div>It was the root ca cert causing this. </div><div><br></div><div>Thanks everyone for the input</div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Mar 14, 2016 at 1:44 PM, Ryan Huff <span dir="ltr"><<a href="mailto:ryanhuff@outlook.com" target="_blank">ryanhuff@outlook.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div dir="auto">
<div>Correct; tomcat-trust is the trust store where the trusted CA chain goes and then the server certificate goes in the tomcat category.</div>
<div><br>
</div>
<div>Afterwards; you should only need a restart of tomcat services. However, if the nodes are having issues trusting one another within the cluster (assuming that your issue is a cert trust issue); left that way long enough will likely
start to cause replication issues within the cluster.</div>
<div><br>
</div>
<div>After you resolve the issue, I would verify db replication is healthy.<br>
<br>
Sent from my iPhone</div>
<div><br>
On Mar 14, 2016, at 3:38 PM, Erick Wellnitz <<a href="mailto:ewellnitzvoip@gmail.com" target="_blank">ewellnitzvoip@gmail.com</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div dir="ltr">
<div>I did that as well but I'm not 100% sure if the entire Root CA chain got installed. I'll check that.</div>
<div><br>
</div>
<div>What made me try inserting the multi-server SAN into the tomcat-trust is that the IM&P entries for tomcat-trust have vanished. Maybe I'm mis-remembering seeing them there in the first place.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Mar 14, 2016 at 12:54 PM, Anthony Holloway <span dir="ltr">
<<a href="mailto:avholloway+cisco-voip@gmail.com" target="_blank">avholloway+cisco-voip@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div dir="ltr">Just to clarify, your Multi-Server SAN cert should be installed to Tomcat and not Tomcat Trust. The signing CA cert should go in Tomcat Trust. Is that what you meant to say you did?</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Mar 14, 2016 at 1:47 PM, Erick Wellnitz <span dir="ltr">
<<a href="mailto:ewellnitzvoip@gmail.com" target="_blank">ewellnitzvoip@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div dir="ltr">
<div>I have a strange issue with CUCM 11.0.1 and IM&P 11.0.1</div>
<div><br>
</div>
<div>We installed the multi-server SAN cert for tomcat and now the IM&P data monitor service is in an unknown state according to the system troubleshooter.</div>
<div><br>
</div>
<div>The SAN cert is installed to tomcat-trust so it shouldn't be a cert issue. Done service restarts, reboots and nothing seems to resolve this.</div>
<div><br>
</div>
<div>Anyone seen something like this before?</div>
<div><br>
</div>
<div>Thanks in advance!</div>
</div>
<br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank" rel="noreferrer">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<blockquote type="cite">
<div><span>_______________________________________________</span><br>
<span>cisco-voip mailing list</span><br>
<span><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a></span><br>
<span><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a></span><br>
</div>
</blockquote>
</div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</blockquote></div>
</div></div></blockquote></div><br></div>
</blockquote></div><br></div>