Jabber Users Prompted To Accept Webex Cert
Morning all, a few years back we had a problem where lots of our managed Windows service users were complaining that their Jabber clients had started rejecting a certificate offered by idbroker.webex.com.

This thread on community.cisco.com (https://community.cisco.com/t5/unified-communications/jabber-idbroker-webex-com-certificate-request-during-the-first/td-p/3216376) showed we weren’t the only ones, but that it seemed limited to managed clients.

We solved this by adding the EXCLUDED_SERVICES=WEBEX flag to the installer on our managed clients.

Fast forward to today and we suddenly have a load of service desk cases from users again. Nothing has changed in our configuration of Jabber client, IM&P servers or expressways. The clients haven’t been updated recently, and this time we’re also seeing the “Certificate not valid” pop-up on unmanaged Windows machines as well as our managed service. The cert that’s being rejected has a validity start date of late September, so it doesn’t appear to be a cert that’s only just been brought into use.

Is anyone else seeing this today?

As a workaround I’ve added:

<ServiceDiscoveryExcludedServices>WEBEX</ServiceDiscoveryExcludedServices>

...to our jabber-config.xml, but that will require users to manually reset their clients. Not sure why I hadn’t done this earlier ¯\_(ツ)_/¯
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
Re: Jabber Users Prompted To Accept Webex Cert
Webex clients update switched from the Quovadis Root CA, which was older and being retired, to the IdenTrust Root CA, which dates back to 2014. The IdenTrust Root CA certificate is contained within the default trust store of all major operating systems by default.

Not clear why IdenTrust is missing on your computers.

Guessing maybe you disabled automatic root updates at some point or don’t have Windows updates running?
https://serverfault.com/questions/752146/why-are-many-admins-using-turn-off-automatic-root-certificates-update-policy

Cisco Field Notice we didn’t notice

https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72120.html

On Thu, Nov 11, 2021 at 6:22 AM Gary Parker <G.J.Parker@lboro.ac.uk> wrote:
Re: Jabber Users Prompted To Accept Webex Cert
Thanks Jason, I was aware of FN 72120 and figured that this may be associated (but not the cause); I guess Cisco have replaced a load of certs.

However:

- FN 72120 only relates to Android and iOS clients using push notifications, we’re only seeing this behaviour on Windows clients

- these clients are connecting to on-prem services, either directly or via expressway/MRA with EXCLUDED_SERVICES=WEBEX declared at install. The clients should not be attempting to contact Webex servers

- we’ve checked a number of clients and all have the correct IdenTrust root CA present (checked serial numbers)

- viewing the offered certificate within Jabber shows root, intermediate and server all okay

- browsing to https://idbroker.webex.com and examining the certificate shows the same, it’s only the Jabber application that rejects the certificate

Gary

> On 11 Nov 2021, at 15:12, Jason Aarons (Americas) <jason.aarons@global.ntt> wrote:

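A diagnostic for the checks the two replies above walk through (is the IdenTrust root present, has automatic root update been switched off by policy, and what chain does this Windows machine itself build for idbroker.webex.com, as Gary did from a browser), written as an added PowerShell example that is not part of the thread or of any Cisco tooling. The `-Server`, `-RootPattern` and `-Online` parameters and the AuthRoot policy registry path are this example's own assumptions; the host and root CA names come from the thread.

```powershell
# Added diagnostic, not from the thread: why might a Windows Jabber client distrust
# the chain served by idbroker.webex.com? Run in Windows PowerShell 5.1 or later.
param(
    [string]$Server      = 'idbroker.webex.com',  # host named in the thread
    [string]$RootPattern = '*IdenTrust*',         # root CA named in Jason's reply
    [switch]$Online                               # also fetch and validate the live chain
)

# 1. Is the expected root present in the machine or user root store?
$roots = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like $RootPattern }
if (-not $roots) {
    Write-Warning "No root matching '$RootPattern' in LocalMachine\Root or CurrentUser\Root"
} else {
    $roots | Select-Object PSParentPath, Subject, SerialNumber, Thumbprint, NotAfter | Format-List
}

# 2. Has automatic root-certificate update been disabled by policy? (Assumed key path; this
#    is the "Turn off Automatic Root Certificates Update" policy the serverfault link discusses.)
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy = Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRootAutoUpdate -eq 1) {
    Write-Warning 'DisableRootAutoUpdate=1: Windows will not pull new roots from the AuthRoot CTL'
} else {
    Write-Host 'Automatic root update policy: not disabled'
}

# 3. Optionally open a TLS session and let this machine build the chain, as a browser would.
if ($Online) {
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, 443)
    # Accept-all callback so the chain can be inspected here rather than failing the handshake.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($Server)
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $valid = $chain.Build($leaf)
    Write-Host "Chain built locally for $Server (valid: $valid)"
    foreach ($el in $chain.ChainElements) {
        # Empty status array means this element passed every check.
        $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $status) { $status = 'OK' }
        '{0,-20} {1}' -f $status, $el.Certificate.Subject
    }
    $ssl.Dispose(); $tcp.Dispose()
}
```

If the OS builds a valid chain to the IdenTrust root here but Jabber still rejects the certificate, the problem is in the client's own validation rather than the Windows trust store, which is the situation Gary describes.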