Mailing List Archive

Resolving Sectigo root expiration affecting MRA
All,

If you use certs whose trust is derived from the Sectigo root that expired
today, and your MRA isn’t working, I’ll try to save you a call to TAC.

Do all of these things:

- Load the new intermediates and root into callmanager-trust and
tomcat-trust on all your UCMs
- restart tomcat, tftp, and callmanager on those boxes
- load the new intermediates and root into the CA trust store on all
expressways
- reboot the Expressway-Es

If you need more detail or help, let me know, we just got off the phone
with TAC. Hope it helps.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering
Re: Resolving Sectigo root expiration affecting MRA [ In reply to ]

But why restart TFTP?

On Sat, May 30, 2020 at 7:02 PM Hunter Fuller <hf0002@uah.edu> wrote:

Re: Resolving Sectigo root expiration affecting MRA [ In reply to ]
Hunter,

I might be exposing a gap in my knowledge here, but why did you need these
certs on CUCM?

Cisco has now published a troubleshooting guide for this issue, and the
article does not mention modifying CUCM cert store.

https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/215561-troubleshooting-expressway-mra-login-and.html

On Sat, May 30, 2020 at 7:02 PM Hunter Fuller <hf0002@uah.edu> wrote:

Re: Resolving Sectigo root expiration affecting MRA [ In reply to ]
Actually, thinking on this some more, I think it might be because of two
facts, but please confirm:

1) You signed your C certs with a public CA which leverages these expired
CA certs
2) You enabled TLS verification between CUCM and C (both MRA and B2B?)

I don't typically see encryption on the inside like this, though I do see
it mentioned in the steps for MRA as if it were a requirement (e.g., how it
says to copy the names of the phone sec prof for the cert). Though, I also
don't see a lot of B2B deployments where you might want E2E encryption
either.

On Wed, Jun 3, 2020 at 8:28 AM Anthony Holloway <
avholloway+cisco-voip@gmail.com> wrote:

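Hunter's fix list and Anthony's two-fact explanation both come down to certificate path validation: a peer that verifies TLS needs to build a chain from the leaf to a self-signed certificate it trusts, with every certificate on that chain still within its validity dates. When the old root expires, a chain that terminates at it (directly, or through a cross-signed copy of the newer root) fails, and the cure is exactly what the first post lists, loading the new root and intermediates into each product's own trust store. The following toy path builder is an added illustration for this thread, not code from Cisco, Sectigo or any of the posters; all certificate names, dates and trust-store contents are constructed, and it models only issuer links, validity and anchors (no signatures, key usage, name constraints or revocation).

```python
"""Toy certificate-path builder showing why loading the *new* root and
intermediates into a trust store restores trust after an old root expires.

Added illustration for this thread, not code from Cisco, Sectigo or the
posters. All names, dates and store contents below are constructed.
Real validation also checks signatures, key usage, name constraints and
revocation; this model deliberately covers only issuer links, validity
dates and trust anchors.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_paths(leaf, presented, trust_store):
    """Return every issuer chain from `leaf` to a self-signed trust anchor.

    Candidate issuers come from the chain the peer presented *and* from the
    local trust store, so a client holding the new self-signed root can end
    its path there and ignore the cross-signed copy that points at the old
    root. As with OpenSSL without PARTIAL_CHAIN, only self-signed store
    entries act as anchors; loaded intermediates serve chain building only.
    """
    anchors = {c for c in trust_store if c.self_signed}
    by_subject = {}
    for c in list(presented) + list(trust_store):
        bucket = by_subject.setdefault(c.subject, [])
        if c not in bucket:
            bucket.append(c)

    paths = []

    def walk(path):
        tail = path[-1]
        if tail in anchors:
            paths.append(list(path))
            return
        if tail.self_signed:
            return  # self-signed but not trusted: dead end
        for issuer in by_subject.get(tail.issuer, []):
            if issuer not in path:  # avoid loops between cross-signed copies
                walk(path + [issuer])

    walk([leaf])
    return paths


def verify(leaf, presented, trust_store, now):
    """True if at least one path exists whose every certificate is unexpired."""
    return any(all(now <= c.not_after for c in path)
               for path in build_paths(leaf, presented, trust_store))


# Constructed PKI. The old root expires 2020-05-30. The new root was also
# cross-signed by the old one, so clients holding only the old root could
# still chain to it until the old root's own expiry took that path down.
OLD_ROOT = Cert("Old Root CA", "Old Root CA", date(2020, 5, 30))
NEW_ROOT = Cert("New Root CA", "New Root CA", date(2038, 1, 18))
NEW_ROOT_CROSS = Cert("New Root CA", "Old Root CA", date(2020, 5, 30))
INTERMEDIATE = Cert("Public CA Intermediate", "New Root CA", date(2030, 12, 31))
LEAF = Cert("expressway-c.example.invalid", "Public CA Intermediate", date(2021, 6, 1))

PRESENTED = [INTERMEDIATE, NEW_ROOT_CROSS]          # sent by the peer with the leaf
STALE_STORE = [OLD_ROOT]                            # trust store before the fix
UPDATED_STORE = [OLD_ROOT, NEW_ROOT, INTERMEDIATE]  # after loading new root + intermediates


def scenarios():
    """The cases discussed in the thread, as label -> verification result."""
    day_before, day_after = date(2020, 5, 29), date(2020, 5, 31)
    return {
        "stale store, day before expiry": verify(LEAF, PRESENTED, STALE_STORE, day_before),
        "stale store, day after expiry": verify(LEAF, PRESENTED, STALE_STORE, day_after),
        "updated store, day after expiry": verify(LEAF, PRESENTED, UPDATED_STORE, day_after),
        # peer omits the intermediate: only a store that holds it can fill the gap
        "leaf only, intermediate not loaded": verify(LEAF, [], [OLD_ROOT, NEW_ROOT], day_after),
        "leaf only, intermediate loaded": verify(LEAF, [], UPDATED_STORE, day_after),
    }


if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{'PASS' if ok else 'FAIL'}  {label}")
```

The last two scenarios are why the fix list says "intermediates and root" rather than just "root": when a peer presents only its leaf, the intermediate in the trust store is the only thing that lets a path be built at all.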
Re: Resolving Sectigo root expiration affecting MRA [ In reply to ]
If you had previously installed the certs on CUCM, CUP, CUC and CER as we
did, they would also have expired.

On Wed, Jun 3, 2020 at 7:34 AM Anthony Holloway <
avholloway+cisco-voip@gmail.com> wrote:


--
Copyright 2020 Derek Andrew (excluding quotations)

+1 306 966 4808
Communication and Network Services
Information and Communications Technology

University of Saskatchewan, Peterson 120; 54 Innovation Boulevard
Saskatoon, Saskatchewan, Canada. S7N 2V3
Timezone GMT-6

Typed but not read.
Re: Resolving Sectigo root expiration affecting MRA [ In reply to ]
True, however, if they're not being used, it causes no issue, correct?
Much like the expiring root cert of Feb 2020 for Smart Call Home.

On Wed, Jun 3, 2020 at 9:20 AM Derek Andrew <Derek.Andrew@usask.ca> wrote:

Re: Resolving Sectigo root expiration affecting MRA [ In reply to ]
This is the boat we were in as well, and I’ve learned some lessons here.

The bug that I posted about for Jabber mobile devices got me – since we’re MRA only I thought I broke it again and it took a while to figure out why. The bugs in Expressway <X12.5.7 where replication fails for CPL and the login banner got me for a while thinking I’d just broken the cluster due to the replication failed alarms. I nearly forgot to reset all the phones after restarting TVS but … well fool me once on that one.

I learned that the Expressway doesn’t have any real certificate “monitor”, and if you put an EC cert from an intermediate into the ipsec-trust keychain you will break that service, it will just core endlessly.

How is everyone keeping track of the certificates that they have out there, and that they’re coming up due for replacement? Outlook calendars are no good, and neither are the notices from the issuing CA. I have to be missing something obvious.

Best,

Adam

Re: Resolving Sectigo root expiration affecting MRA [ In reply to ]
Yeah, good question. Certificate monitor in cucm (and others) is really
handy for this, but I've also seen it fail due to a defect.

I wonder if the one cisco is using in cucm (and others) is the #8 one
listed in this article:
https://geekflare.com/monitor-ssl-certificate-expiry/

Either way, there are a few other cloud and on-prem solutions mentioned in
that link.

On Wed, Jun 3, 2020 at 1:24 PM Pawlowski, Adam <ajp26@buffalo.edu> wrote:

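Adam asks above how people keep track of certificates coming due, and Anthony's reply points to the CUCM certificate monitor and a list of external tools. The script below is an added example of the minimum such tracking needs to do, written for this thread; it is not a Cisco tool or any poster's script, and the hosts, dates and thresholds in it are constructed. It has an offline part, classifying an inventory of notAfter values in the format Python's ssl module returns, and a live probe that records what a peer actually presents. One caveat the thread itself illustrates: each UC node keeps its own trust stores, so a probe from a workstation tells you what the peer serves and whether the workstation trusts it, not what CUCM or Expressway will accept.

```python
"""Certificate inventory with expiry alerting.

Added example for this thread, not a Cisco tool or any poster's script;
hosts, dates and thresholds are constructed. Offline part: classify an
inventory of notAfter strings as returned by ssl.getpeercert(), e.g.
'Jun  3 12:00:00 2020 GMT'. Live part: probe a peer and record what it
presents, reporting chains the local store rejects as 'untrusted'.
"""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # constructed thresholds
CRIT_DAYS = 7


def parse_not_after(not_after: str) -> datetime:
    """notAfter as presented by ssl.getpeercert() -> timezone-aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def classify(not_after: str, now: datetime):
    """Return (status, whole_days_left) for one certificate; days are negative once expired."""
    remaining = parse_not_after(not_after) - now
    days = remaining.days
    if remaining.total_seconds() < 0:
        return "expired", days
    if days <= CRIT_DAYS:
        return "critical", days
    if days <= WARN_DAYS:
        return "warning", days
    return "ok", days


def build_report(inventory, now):
    """Sorted list of (name, status, days_left), soonest expiry first."""
    rows = [(entry["name"], *classify(entry["not_after"], now)) for entry in inventory]
    return sorted(rows, key=lambda row: row[2])


def probe_not_after(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live probe (needs network; not exercised offline).

    Uses the verifying default context on purpose: a chain this machine's
    store rejects comes back as 'untrusted', the symptom the thread is
    about, instead of being silently accepted. Note this reflects the
    probing host's trust store, not the stores on CUCM or Expressway.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"status": "ok", "not_after": tls.getpeercert()["notAfter"]}
    except ssl.SSLCertVerificationError as exc:
        return {"status": "untrusted", "detail": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"status": "unreachable", "detail": str(exc)}


# Constructed inventory: one row per node and per store that holds a cert.
INVENTORY = [
    {"name": "cucm-pub tomcat", "not_after": "Jun 30 23:59:59 2020 GMT"},
    {"name": "expressway-e server cert", "not_after": "Jun  8 23:59:59 2020 GMT"},
    {"name": "cuc tomcat", "not_after": "Dec 31 23:59:59 2020 GMT"},
    {"name": "old root in callmanager-trust", "not_after": "May 30 12:00:00 2020 GMT"},
]
NOW = datetime(2020, 6, 3, 12, 0, tzinfo=timezone.utc)  # constructed "today"

if __name__ == "__main__":
    for name, status, days in build_report(INVENTORY, NOW):
        print(f"{status:8} {days:5d}d  {name}")
```

Run against a real inventory, the offline report is what you would feed to a ticketing system or a daily digest; the probe is what fills in the notAfter column and flags the peers whose chains your workstation no longer trusts.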