Mailing List Archive

Re: [External] Jabber Users Prompted To Accept Webex Cert
Thanks Tim, likewise: glad it’s not just us!

I’m loath to advise users to accept a certificate that’s flagged as bad for some reason, as that’s just bad security practice.

As I mentioned earlier, I’ve added:

<ServiceDiscoveryExcludedServices>WEBEX</ServiceDiscoveryExcludedServices>

...to our jabber-config.xml, and we’re advising users to reset their Jabber client to apply it, but that’s bound to upset a few who’ll lose their chat history and contacts.

Gary

> On 11 Nov 2021, at 15:30, Johnson, Tim <johns10t@cmich.edu> wrote:
>
> I’ve heard from my help desk that they had a few users report the prompt for accepting a cert. Unfortunately, they gathered zero details for me and just had the users accept the cert…
>
> Good to know it’s not just us though.

_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
Re: [External] Jabber Users Prompted To Accept Webex Cert
Quick follow-up: I’ve heard from another site (off-list) suffering this now, too.

Gary

> On 11 Nov 2021, at 16:13, Gary Parker <G.J.Parker@lboro.ac.uk> wrote:
>
> Thanks Tim, likewise: glad it’s not just us!

Re: [External] Jabber Users Prompted To Accept Webex Cert
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq73203

Re: [External] Jabber Users Prompted To Accept Webex Cert
Ok. This all points to desktops not accepting root certificate updates from what I can tell.

I just checked with my contact and asked about this on our site and he said there is no blocking of root certs being downloaded.

I'm going to guess then that I'm ok.

I mean, I haven't heard anything yet either, so that's a good sign.

This can only get better when we move to 30 day certs, right?

ACME for the WIN

-----Original Message-----
From: cisco-voip <cisco-voip-bounces@puck.nether.net> On Behalf Of NateCCIE
Sent: Thursday, November 11, 2021 4:26 PM
To: 'Gary Parker' <G.J.Parker@lboro.ac.uk>; 'Johnson, Tim' <johns10t@cmich.edu>
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert


https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq73203

Re: [External] Jabber Users Prompted To Accept Webex Cert
Part of the workaround referenced in the Bug doesn't make sense. They
reference adding some GoDaddy certs, but when you look at the URL they
reference (*.wbx2.com) that is signed by Hydrant not Go Daddy.
See images below
[image: image.png]

[image: image.png]

On Thu, Nov 11, 2021 at 3:48 PM Lelio Fulgenzi <lelio@uoguelph.ca> wrote:

> Ok. This all points to desktops not accepting root certificate updates
> from what I can tell.
>
> I just checked with my contact and asked about this on our site and he said
> there is no blocking of root certs being downloaded.
>
> I'm going to guess then that I'm ok.
>
> I mean, I haven't heard anything yet either, so that's a good sign.
>
> This can only get better when we move to 30 day certs, right?
>
> ACME for the WIN

Re: [External] Jabber Users Prompted To Accept Webex Cert
Yeah, I had a suspicion at one point that this might be to do with the telemetry (which we’re sending), but the only reference I can find to the servers used for this is in the “Feature Configuration for Cisco Jabber 12.8” doc where it states that clients connect to “metrics-a.wbx2.com” (also mentioning that you must install a GoDaddy root cert).

We’ve been sending telemetry for some time and have not had this problem before, and the cert the client is erroring on is idbroker.webex.com (with the IdenTrust root).

Fwiw, metrics-a.wbx2.com is a cname for ha-a-main.wbx2.com, which in turn is a cname for achm-main-ha-a-nlb-1d0e22049c746ef1.elb.us-east-2.amazonaws.com

metrics-a.wbx2.com *does* have a GoDaddy root cert, and a wildcard server cert.

What a mess!

That bug also says:

“b) Disable the telemetry call to Webex in the jabber-config xml”

…but then goes on to say:

“This error/popup is not related to Telemetry. Even if you disable Telemetry on Jabber certificate pop up will continue to show.”

¯\_(ツ)_/¯

Gary

> On 11 Nov 2021, at 22:57, Brian V <bvanbens@gmail.com> wrote:
>
> Part of the workaround referenced in the Bug doesn't make sense. They reference adding some GoDaddy certs, but when you look at the URL they reference (*.wbx2.com) that is signed by Hydrant not Go Daddy.
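
Added example, not part of any message in this thread: a Python check for whether a root such as the IdenTrust or GoDaddy roots discussed above is present and in date in a machine's trust store, which is what the "desktops not accepting root certificate updates" theory comes down to. The store entries are constructed, and `find_roots` and `local_roots` are names made up here.

```python
import ssl
import time

def _root(org, cn, not_before, not_after, issuer=None):
    """Build one entry in the dict format SSLContext.get_ca_certs() returns."""
    name = ((("organizationName", org),), (("commonName", cn),))
    return {"subject": name, "issuer": issuer or name,
            "notBefore": not_before, "notAfter": not_after}

# Constructed sample store: every name and date below is made up for the example.
SAMPLE_STORE = [
    _root("IdenTrust", "Constructed IdenTrust Root",
          "Jan 16 00:00:00 2014 GMT", "Jan 16 00:00:00 2034 GMT"),
    _root("IdenTrust", "Constructed Old IdenTrust Root",
          "Jun 15 00:00:00 2000 GMT", "Jun 15 00:00:00 2020 GMT"),
    _root("GoDaddy.com, Inc.", "Constructed GoDaddy Root",
          "Sep 10 00:00:00 2009 GMT", "Dec 31 00:00:00 2037 GMT"),
    _root("IdenTrust", "Constructed Cross-Signed CA",
          "Jan 16 00:00:00 2015 GMT", "Jan 16 00:00:00 2030 GMT",
          issuer=((("organizationName", "Other CA"),),)),
]

def find_roots(ca_certs, needle, now=None):
    """Return (name, status) for each self-signed CA whose subject mentions needle."""
    now = time.time() if now is None else now
    hits = []
    for cert in ca_certs:
        attrs = {k: v for rdn in cert.get("subject", ()) for (k, v) in rdn}
        if not any(needle.lower() in v.lower() for v in attrs.values()):
            continue
        if cert.get("subject") != cert.get("issuer"):
            continue  # not self-signed, so not a root
        if now < ssl.cert_time_to_seconds(cert["notBefore"]):
            status = "not yet valid"
        elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
            status = "expired"
        else:
            status = "ok"
        name = attrs.get("commonName") or attrs.get("organizationName", "?")
        hits.append((name, status))
    return hits

def local_roots(needle):
    """Run the same check against the CA certificates this machine's default context loaded."""
    return find_roots(ssl.create_default_context().get_ca_certs(), needle)

if __name__ == "__main__":
    for needle in ("IdenTrust", "GoDaddy"):
        print(needle, "sample:", find_roots(SAMPLE_STORE, needle))
        print(needle, "local: ", local_roots(needle))
```

`get_ca_certs()` lists only the CA certificates already loaded into the context, so an empty result on a live machine is a prompt to inspect the OS store directly rather than proof the root is absent.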

Re: [External] Jabber Users Prompted To Accept Webex Cert
(a) do this
(b) don't do this

Is my favourite part!

I remember when I first started, I had opened a case, then another, and got two very conflicting opinions from the TAC

(a) TAC suggests using the T train for voice gateways
(b) The TAC suggests staying away from T train for voice gateways

Or something like that.

When you're first starting out and have a crush on Cisco, it's very hard to work through that.


Re: [External] Jabber Users Prompted To Accept Webex Cert
Darn it. We've started seeing the alerts for some reason.

Can we just tell people to accept? Argh.

