2028 is WAY too far in the future. No modern browser trusts a
publicly-issued certificate that is valid that far in the future. How
did you even get that certificate.
If you did a self signed, then that would explain why no browser
trusts it. Self signed is the "sovereign citizen" of certificates. You
need to get a certificate authority to sign your CSR.
https://knowledge.digicert.com/generalinformation/2-year_Certificate_Availability.html
--
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331
Office of Information Technology
The University of Alabama in Huntsville
Network Engineering
On Wed, May 24, 2023 at 11:01?AM Matthew Loraditch
<MLoraditch@heliontechnologies.com> wrote:
>
> It sounds like something is different between the old and new certs (besides the dates). As far as clients accessing Unity via a browser, the callmanager-trust certs are not involved. I’m not even sure they are used at all on a Unity server. I’ve never touched them.
>
>
>
> I would take a look at the old and new certs and make sure the subject and SAN fields are all the same. There can be a lot of reasons for cert errors and the errors are all similar and hard to diagnose without access to the browser throwing the error, but that’s the first thing I would check.
>
>
>
>
>
>
> Matthew Loraditch
> Sr. Network Engineer
> direct: 443.541.1518
> e: MLoraditch@heliontechnologies.com
> www.heliontechnologies.com
>
> From: cisco-voip <cisco-voip-bounces@puck.nether.net> On Behalf Of Terry Oakley
> Sent: Wednesday, May 24, 2023 11:35 AM
> To: 'voip puck' <cisco-voip@puck.nether.net>
> Subject: [cisco-voip] Certificate issue and I am rubbish at certificates. (full disclosure)
>
>
>
> [EXTERNAL]
>
>
>
> On our Unity Connection server the certificates for Tomcat and Tomcat trust expired over the weekend, my oversight. I regenerated the certificates and both are now year 2028 expiry date. But we still get the same error if someone is trying to access their inbox (https://server/inbox/) (error is You cannot visit server right now because the website uses HSTS)
>
>
>
> I noticed that there is a CallManager-Trust certificate that expired on the same day as the Tomcat certs. The CallManager-Trust certificate is issued by the CA (CA signed) but when I go to Generate a CSR I don’t have the option to choose CallManager-Trust or Trust . I have Tomcat, Tomcat ecdsa or ipsec. The common name for the expired CallManager-Trust certificate is the UnityConnection server that users cannot get too. Little confused as to where this CallManager Trust certificate can be generated from.
>
>
>
>
>
> Thank you
>
>
>
> Terry
>
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
publicly-issued certificate that is valid that far in the future. How
did you even get that certificate.
If you did a self signed, then that would explain why no browser
trusts it. Self signed is the "sovereign citizen" of certificates. You
need to get a certificate authority to sign your CSR.
https://knowledge.digicert.com/generalinformation/2-year_Certificate_Availability.html
--
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331
Office of Information Technology
The University of Alabama in Huntsville
Network Engineering
On Wed, May 24, 2023 at 11:01?AM Matthew Loraditch
<MLoraditch@heliontechnologies.com> wrote:
>
> It sounds like something is different between the old and new certs (besides the dates). As far as clients accessing Unity via a browser, the callmanager-trust certs are not involved. I’m not even sure they are used at all on a Unity server. I’ve never touched them.
>
>
>
> I would take a look at the old and new certs and make sure the subject and SAN fields are all the same. There can be a lot of reasons for cert errors and the errors are all similar and hard to diagnose without access to the browser throwing the error, but that’s the first thing I would check.
>
>
>
>
>
>
> Matthew Loraditch
> Sr. Network Engineer
> direct: 443.541.1518
> e: MLoraditch@heliontechnologies.com
> www.heliontechnologies.com
>
> From: cisco-voip <cisco-voip-bounces@puck.nether.net> On Behalf Of Terry Oakley
> Sent: Wednesday, May 24, 2023 11:35 AM
> To: 'voip puck' <cisco-voip@puck.nether.net>
> Subject: [cisco-voip] Certificate issue and I am rubbish at certificates. (full disclosure)
>
>
>
> [EXTERNAL]
>
>
>
> On our Unity Connection server the certificates for Tomcat and Tomcat trust expired over the weekend, my oversight. I regenerated the certificates and both are now year 2028 expiry date. But we still get the same error if someone is trying to access their inbox (https://server/inbox/) (error is You cannot visit server right now because the website uses HSTS)
>
>
>
> I noticed that there is a CallManager-Trust certificate that expired on the same day as the Tomcat certs. The CallManager-Trust certificate is issued by the CA (CA signed) but when I go to Generate a CSR I don’t have the option to choose CallManager-Trust or Trust . I have Tomcat, Tomcat ecdsa or ipsec. The common name for the expired CallManager-Trust certificate is the UnityConnection server that users cannot get too. Little confused as to where this CallManager Trust certificate can be generated from.
>
>
>
>
>
> Thank you
>
>
>
> Terry
>
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
