
List:       cisco-voip
Subject:    Re: [cisco-voip] Resolving Sectigo root expiration affecting MRA
From:       Anthony Holloway <avholloway+cisco-voip () gmail ! com>
Date:       2020-06-03 20:54:56
Message-ID: CACRCJOieSfmGDmnfuH_DgQfhGOOgwQTwQh+9feJJiZtP5amhMg () mail ! gmail ! com


Yeah, good question. Certificate Monitor in CUCM (and others) is really
handy for this, but I've also seen it fail due to a defect.

I wonder if the one Cisco is using in CUCM (and others) is the #8 one
listed in this article:
https://geekflare.com/monitor-ssl-certificate-expiry/

Either way, there are a few other cloud and on-prem solutions mentioned in
that link.

On Wed, Jun 3, 2020 at 1:24 PM Pawlowski, Adam <ajp26@buffalo.edu> wrote:

> This is the boat we were in as well, and I've learned some lessons here.
> 
> The bug that I posted about for Jabber mobile devices got me – since we're
> MRA only I thought I broke it again and it took a while to figure out why.
> The bugs in Expressway <X12.5.7 where replication fails for CPL and the
> login banner got me for a while thinking I'd just broken the cluster due to
> the replication failed alarms. I nearly forgot to reset all the phones
> after restarting TVS but … well, fool me once on that one.
> 
> I learned that the Expressway doesn't have any real certificate "monitor",
> and if you put an EC cert from an intermediate into the ipsec-trust
> keychain you will break that service; it will just core endlessly.
> 
> How is everyone keeping track of the certificates that they have out
> there, and that they're coming up due for replacement? Outlook calendars
> are no good, and neither are the notices from the issuing CA. I have to be
> missing something obvious.
> 
> Best,
> 
> Adam
> 
> 
> *From:* cisco-voip <cisco-voip-bounces@puck.nether.net> *On Behalf Of *Derek
> Andrew
> *Sent:* Wednesday, June 3, 2020 10:20 AM
> *To:* Anthony Holloway <avholloway+cisco-voip@gmail.com>
> *Cc:* voyp list, cisco-voip (cisco-voip@puck.nether.net) <
> cisco-voip@puck.nether.net>
> *Subject:* Re: [cisco-voip] Resolving Sectigo root expiration affecting
> MRA
> 
> If you had previously installed the certs on CUCM, CUP, CUC and CER as we
> did, they would also have expired.
> 
> On Wed, Jun 3, 2020 at 7:34 AM Anthony Holloway <
> avholloway+cisco-voip@gmail.com> wrote:
> 
> 
> Hunter,
> 
> I might be exposing a gap in my knowledge here, but why did you need these
> certs on CUCM?
> 
> Cisco has now published a troubleshooting guide for this issue, and the
> article does not mention modifying the CUCM cert store.
> 
> https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/215561-troubleshooting-expressway-mra-login-and.html
> 
> On Sat, May 30, 2020 at 7:02 PM Hunter Fuller <hf0002@uah.edu> wrote:
> 
> All,
> 
> If you use certs whose trust is derived from the Sectigo root that expired
> today, and your MRA isn't working, I'll try to save you a call to TAC.
> 
> Do all of these things:
> 
> - Load the new intermediates and root into callmanager-trust and
>   tomcat-trust on all your UCMs
> - Restart tomcat, tftp, and callmanager on those boxes
> - Load the new intermediates and root into the CA trust store on all
>   Expressways
> - Reboot the Expressway-Es
> 
> If you need more detail or help, let me know; we just got off the phone
> with TAC. Hope it helps.
> 
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
> 
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
> 
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
> 
> --
> 
> Copyright 2020 Derek Andrew (excluding quotations)
> 
> +1 306 966 4808
> 
> Communication and Network Services
> 
> Information and Communications Technology
> 
> 
> *University of Saskatchewan *Peterson 120; 54 Innovation Boulevard
> Saskatoon, Saskatchewan, Canada. S7N 2V3
> Timezone GMT-6
> 
> 
> 
> Typed but not read.
> 
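Two things in this thread call for the same tool: Hunter's fix (load the new intermediates and root into callmanager-trust, tomcat-trust and the Expressway CA trust store after the old root expired) and Adam's question about how anyone keeps track of certificates coming due. The script below is an added example, not code from any poster here and not a Cisco tool. It walks every certificate in a PEM bundle (for instance the intermediates and root you are about to upload, or an export of a trust store) and reports which ones are already expired or expire inside a grace window, using only the standard library: it decodes just the X.509 Validity field with a small DER walker, so it runs anywhere Python does. The sample bundle, its dates, the fingerprint truncation and all function names are constructed for this example; the fake certificates carry no real signature and are only there so the script runs offline.

```python
"""Expiry scan over a PEM bundle (stdlib only; added example, see lead-in)."""
import base64
import datetime as dt
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed DER value into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, cert, _ = der_tlv(der, 0)          # Certificate ::= SEQUENCE { tbs, alg, sig }
    fields = der_children(der_children(cert)[0][1])
    if fields[0][0] == 0xA0:              # optional [0] EXPLICIT version
        fields = fields[1:]
    # then: serialNumber, signature, issuer, validity, subject, ...
    (tb, nb), (ta, na) = der_children(fields[3][1])
    return parse_time(tb, nb), parse_time(ta, na)


def scan_bundle(pem, now, grace_days=30):
    """One dict per cert in the bundle: fingerprint, notAfter, days left, status."""
    report = []
    for m in PEM_RE.finditer(pem):
        der = base64.b64decode(b"".join(m.group(1).split()))
        _, not_after = validity(der)
        days = (not_after - now).days
        status = "EXPIRED" if not_after <= now else "EXPIRING" if days <= grace_days else "OK"
        report.append({"sha256": hashlib.sha256(der).hexdigest()[:16],
                       "not_after": not_after.isoformat(), "days_left": days, "status": status})
    return report


# --- constructed sample data: minimal DER "certificates" with no real signature ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_cert_pem(not_before, not_after):
    """Encode just enough of an X.509 Certificate for validity() to read it."""
    def t(d):                             # RFC 5280: UTCTime before 2050, GeneralizedTime after
        if d.year < 2050:
            return _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
        return _tlv(0x18, d.strftime("%Y%m%d%H%M%SZ").encode())
    name = _tlv(0x30, b"")                                                 # empty RDNSequence
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name
               + _tlv(0x30, t(not_before) + t(not_after)) + name)
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode()


UTC = dt.timezone.utc
NOW = dt.datetime(2020, 6, 3, 20, 54, tzinfo=UTC)                     # date of this thread
SAMPLE_BUNDLE = (
    fake_cert_pem(dt.datetime(2000, 5, 30, 10, 48, 38, tzinfo=UTC),   # a root that expired
                  dt.datetime(2020, 5, 30, 10, 48, 38, tzinfo=UTC))   # on 2020-05-30
    + fake_cert_pem(dt.datetime(2010, 2, 1, tzinfo=UTC),              # its replacement root
                    dt.datetime(2038, 1, 18, 23, 59, 59, tzinfo=UTC))
    + fake_cert_pem(dt.datetime(2020, 3, 1, tzinfo=UTC),              # a server cert with
                    dt.datetime(2020, 6, 20, tzinfo=UTC))             # under 30 days left
)

if __name__ == "__main__":
    for row in scan_bundle(SAMPLE_BUNDLE, NOW):
        print(f"{row['status']:8} {row['days_left']:>6}d  {row['not_after']}  sha256:{row['sha256']}")
```

Point scan_bundle at the PEM you are about to load into a trust store, with now set to the real clock, and anything reported EXPIRED is the old root or cross-signed intermediate that should not be uploaded; run it on a schedule against exported trust stores and server certs and the EXPIRING rows are the calendar Adam was asking for. The fingerprint is the SHA-256 of the DER, which is what the CUCM and Expressway certificate pages display, so rows can be matched to entries there.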





_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


