Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Cisco>
  3. VOIP
Wrong ITL cert on subscribers
PedersenE at bennettjones
Jun 10, 2020, 10:31 AM
Post #1 of 2 (575 views)
Permalink
We had to rebuild our CUCM 12.5 publisher. That part went ok, but now the subscribers have an ITLRecovery certificate that differs from the pub and are giving out an ITL file signed with that certificate. The publisher has the old, correct certificate which is got with the restore, but it looks like the subscribers for some reason got the ITL cert that the publisher generated after the build but before the restore. Phones are fine if the publisher is their TFTP server but reject the ITL file if a subscriber is their TFTP server.

TAC is saying we need to regenerate the ITL recovery certificate and then the ITL file which sounds extremely risky. I can't see why this would be necessary since the publisher certificate is correct. Does anyone have experience with an issue like this? Changing CUCM certificates always makes me nervous. My nightmare situation is that we would have to factory reset all the phones.

Eric

Bennett Jones is committed to mitigating the spread of COVID-19. We have
transitioned to a remote work environment and continue to provide
complete and uninterrupted service to our clients. Visit our COVID-19
Resource Centre (https://www.bennettjones.com/COVID-19) for timely
legal updates.

The contents of this message may contain confidential and/or privileged
subject matter. If this message has been received in error, please contact
the sender and delete all copies. Like other forms of communication,
e-mail communications may be vulnerable to interception by unauthorized
parties. If you do not wish us to communicate with you by e-mail, please
notify us at your earliest convenience. In the absence of such
notification, your consent is assumed. Should you choose to allow us to
communicate by e-mail, we will not take any additional security measures
(such as encryption) unless specifically requested.

If you no longer wish to receive commercial messages, you can unsubscribe
by accessing this link: http://www.bennettjones.com/unsubscribe
Re: Wrong ITL cert on subscribers [ In reply to ]
lelio at uoguelph
Jun 10, 2020, 11:09 AM
Post #2 of 2 (575 views)
Permalink
One option is to use the Pre-8.0 enterprise field. If you get all your phones registered correctly, ie using your publisher as TFTP, you can then disable (or enable?) that enterprise parameter which requires a reboot of the phones. Then, you can update all your certs, itl/ctl files and the flip the pre-8.0 parameter.

Or something like that. IT’s what is typically done when you rebuild a cluster offline or move clusters.

We’ve used this in the past a number of times.

Lelio


From: cisco-voip <cisco-voip-bounces@puck.nether.net> On Behalf Of Eric Pedersen
Sent: Wednesday, June 10, 2020 1:32 PM
To: cisco-voip (cisco-voip@puck.nether.net) <cisco-voip@puck.nether.net>
Subject: [cisco-voip] Wrong ITL cert on subscribers

CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp@uoguelph.ca<mailto:IThelp@uoguelph.ca>

We had to rebuild our CUCM 12.5 publisher. That part went ok, but now the subscribers have an ITLRecovery certificate that differs from the pub and are giving out an ITL file signed with that certificate. The publisher has the old, correct certificate which is got with the restore, but it looks like the subscribers for some reason got the ITL cert that the publisher generated after the build but before the restore. Phones are fine if the publisher is their TFTP server but reject the ITL file if a subscriber is their TFTP server.

TAC is saying we need to regenerate the ITL recovery certificate and then the ITL file which sounds extremely risky. I can't see why this would be necessary since the publisher certificate is correct. Does anyone have experience with an issue like this? Changing CUCM certificates always makes me nervous. My nightmare situation is that we would have to factory reset all the phones.

Eric


Bennett Jones is committed to mitigating the spread of COVID-19. We have transitioned to a remote work environment and continue to provide complete and uninterrupted service to our clients. Visit our COVID-19 Resource Centre (https://www.bennettjones.com/COVID-19) for timely legal updates.

The contents of this message may contain confidential and/or privileged subject matter. If this message has been received in error, please contact the sender and delete all copies. Like other forms of communication, e-mail communications may be vulnerable to interception by unauthorized parties. If you do not wish us to communicate with you by e-mail, please notify us at your earliest convenience. In the absence of such notification, your consent is assumed. Should you choose to allow us to communicate by e-mail, we will not take any additional security measures (such as encryption) unless specifically requested.

If you no longer wish to receive commercial messages, you can unsubscribe by accessing this link: http://www.bennettjones.com/unsubscribe

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal