<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body dir="auto">
I will likely be opening a case for this. We had a few. Our workstations are not configured to not get root very updates I’ve been told.
<div><br>
</div>
<div>We’ve only had a few cases. </div>
<div><br>
</div>
<div>Not sure this hasn’t made it to an advisory or bug or something. </div>
<div><br>
<div dir="ltr">Sent from my iPhone</div>
<div dir="ltr"><br>
<blockquote type="cite">On Nov 29, 2021, at 1:04 PM, Riley, Sean <SRiley@robinsonbradshaw.com> wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:843324650;
mso-list-type:hybrid;
mso-list-template-ids:974661916 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<p></p>
<div style="background-color:#FFEB9C; width:100%; border-style: solid; border-color:#9C6500; border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:'Calibri'; color:Black; text-align: left;">
<span style="font-weight:bold;">CAUTION:</span> This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp@uoguelph.ca</div>
<br>
<p></p>
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Did anyone come up with a solution to this, other than to tell the users to Accept the Cert?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">We are completely on prem with no webex services. Clients are v 12.9.6. I was able to reproduce the issue once using a test user account, but have not been
able to reproduce since, even after a Jabber reset. Most of my team is running Jabber v 14.x and we have not seen the cert warning.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Does a user declining the cert add it to the Untrusted Certificates store in Windows? Maybe that takes priority over a cert in the trusted store?
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I have done the following, but we still have sporadic reports of the certificate warning from Jabber:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><!--[endif]--><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Ensured the new IdenTrust Commercial Root CA 1 was in CUCM and services restarted on CUCM and IM&P.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><!--[endif]--><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Added the HydrantID Server CA O1 to the computers trusted store via GPO.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> cisco-voip <cisco-voip-bounces@puck.nether.net>
<b>On Behalf Of </b>Lelio Fulgenzi<br>
<b>Sent:</b> Friday, November 12, 2021 3:17 PM<br>
<b>To:</b> Lelio Fulgenzi <lelio@uoguelph.ca>; Gary Parker <G.J.Parker@lboro.ac.uk>; Brian V <bvanbens@gmail.com><br>
<b>Cc:</b> cisco-voip@puck.nether.net<br>
<b>Subject:</b> Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Darn it. We've started seeing the alerts for some reason. <br>
<br>
Can we just tell people to accept? Argh.<br>
<br>
<br>
-----Original Message-----<br>
From: cisco-voip <<a href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</a>> On Behalf Of Lelio Fulgenzi<br>
Sent: Friday, November 12, 2021 8:45 AM<br>
To: Gary Parker <<a href="mailto:G.J.Parker@lboro.ac.uk">G.J.Parker@lboro.ac.uk</a>>; Brian V <<a href="mailto:bvanbens@gmail.com">bvanbens@gmail.com</a>><br>
Cc: <a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert<br>
<br>
(a) do this<br>
(b) don't do this<br>
<br>
Is my favourite part!<br>
<br>
I remember when I first started, I had opened a case, then another, and got two very conflicting opinions from the TAC<br>
<br>
(a) TAC suggests using the T train for voice gateways<br>
(b) The TAC suggests staying away from T train for voice gateways<br>
<br>
Or something like that.<br>
<br>
When you're first starting out and have a crush on Cisco, it's very had to work through that.<br>
<br>
<br>
-----Original Message-----<br>
From: Gary Parker <<a href="mailto:G.J.Parker@lboro.ac.uk">G.J.Parker@lboro.ac.uk</a>>
<br>
Sent: Friday, November 12, 2021 5:24 AM<br>
To: Brian V <<a href="mailto:bvanbens@gmail.com">bvanbens@gmail.com</a>><br>
Cc: Lelio Fulgenzi <<a href="mailto:lelio@uoguelph.ca">lelio@uoguelph.ca</a>>; NateCCIE <<a href="mailto:nateccie@gmail.com">nateccie@gmail.com</a>>; Johnson, Tim <<a href="mailto:johns10t@cmich.edu">johns10t@cmich.edu</a>>;
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert<br>
<br>
CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to
<a href="mailto:IThelp@uoguelph.ca">IThelp@uoguelph.ca</a><br>
<br>
<br>
Yeah, I had a suspicion at one point that this might be to do with the telemetry (which we’re sending), but the only reference I can find to the servers used for this is in the "Feature Configuration for Cisco Jabber 12.8†doc where it states that clients
connect to "metrics-a.wbx2.com†(also mentioning that you must install a GoDaddy root cert).<br>
<br>
We’ve been sending telemetry for some time and have not had this problem before, and the cert the client is erroring on is idbroker.webex.com (with the IdenTrust root).<br>
<br>
Fwiw, metrics-a.wbx2.com is a cname for ha-a-main.wbx2.com, which in turn is a cname for achm-main-ha-a-nlb-1d0e22049c746ef1.elb.us-east-2.amazonaws.com<br>
<br>
metrics-a.wbx2.com *does* have a GoDaddy root cert, and a wildcard server cert.<br>
<br>
What a mess!<br>
<br>
That bug also says:<br>
<br>
"b) Disable the telemetry call to Webex in the jabber-config xmlâ€<br>
<br>
…but then goes on to say:<br>
<br>
"This error/popup is not related to Telemetry. Even if you disable Telemetry on Jabber certificate pop up will continue to show.â€<br>
<br>
¯\_(ツ)_/¯ <br>
<br>
Gary<br>
<br>
> On 11 Nov 2021, at 22:57, Brian V <<a href="mailto:bvanbens@gmail.com">bvanbens@gmail.com</a>> wrote:<br>
> <br>
> Part of the workaround referenced in the Bug doesn't make sense. They reference adding some GoDaddy certs, but when you look at the URL they reference (*.wbx2.com) that is signed by Hydrant not Go Daddy.<br>
<br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></p>
</div>
<span>_______________________________________________</span><br>
<span>cisco-voip mailing list</span><br>
<span>cisco-voip@puck.nether.net</span><br>
<span>https://puck.nether.net/mailman/listinfo/cisco-voip</span><br>
</div>
</blockquote>
</div>
</body>
</html>