Yeah, good question. Certificate monitor in CUCM (and others) is really handy for this, but I've also seen it fail due to a defect.
I wonder if the one Cisco is using in CUCM (and others) is the #8 one listed in this article: https://geekflare.com/monitor-ssl-certificate-expiry/ Either way, there are a few other cloud and on-prem solutions mentioned in that link.

On Wed, Jun 3, 2020 at 1:24 PM Pawlowski, Adam <[email protected]> wrote:
> This is the boat we were in as well, and I’ve learned some lessons here.
>
> The bug that I posted about for Jabber mobile devices got me – since we’re MRA only I thought I broke it again and it took a while to figure out why. The bugs in Expressway <X12.5.7 where replication fails for CPL and the login banner got me for a while thinking I’d just broken the cluster due to the replication failed alarms. I nearly forgot to reset all the phones after restarting TVS but … well, fool me once on that one.
>
> I learned that the Expressway doesn’t have any real certificate “monitor”, and if you put an EC cert from an intermediate into the ipsec-trust keychain you will break that service; it will just core endlessly.
>
> How is everyone keeping track of the certificates that they have out there, and that they’re coming up due for replacement? Outlook calendars are no good, and neither are the notices from the issuing CA. I have to be missing something obvious.
>
> Best,
>
> Adam
>
> *From:* cisco-voip <[email protected]> *On Behalf Of *Derek Andrew
> *Sent:* Wednesday, June 3, 2020 10:20 AM
> *To:* Anthony Holloway <[email protected]>
> *Cc:* voyp list, cisco-voip ([email protected]) <[email protected]>
> *Subject:* Re: [cisco-voip] Resolving Sectigo root expiration affecting MRA
>
> If you had previously installed the certs on CUCM, CUP, CUC and CER as we did, they would also have expired.
>
> On Wed, Jun 3, 2020 at 7:34 AM Anthony Holloway <[email protected]> wrote:
>
> Hunter,
>
> I might be exposing a gap in my knowledge here, but why did you need these certs on CUCM?
>
> Cisco has now published a troubleshooting guide for this issue, and the article does not mention modifying the CUCM cert store.
>
> https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/215561-troubleshooting-expressway-mra-login-and.html
>
> On Sat, May 30, 2020 at 7:02 PM Hunter Fuller <[email protected]> wrote:
>
> All,
>
> If you use certs whose trust is derived from the Sectigo root that expired today, and your MRA isn’t working, I’ll try to save you a call to TAC.
>
> Do all of these things:
>
> - Load the new intermediates and root into callmanager-trust and tomcat-trust on all your UCMs
> - restart tomcat, tftp, and callmanager on those boxes
> - load the new intermediates and root into the CA trust store on all expressways
> - reboot the Expressway-Es
>
> If you need more detail or help, let me know; we just got off the phone with TAC. Hope it helps.
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
> --
> Copyright 2020 Derek Andrew (excluding quotations)
> +1 306 966 4808
> Communication and Network Services
> Information and Communications Technology
> *University of Saskatchewan* Peterson 120; 54 Innovation Boulevard
> Saskatoon, Saskatchewan, Canada. S7N 2V3
> Timezone GMT-6
>
> Typed but not read.
_______________________________________________ cisco-voip mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-voip
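One way to answer Adam's "how is everyone keeping track" question, as an added example that is not from this thread, Cisco, or any of the tools linked above: a Python check that pulls each UC component's leaf certificate over TLS, reports days to notAfter, and keeps chain verification on so an expired intermediate or root (the Sectigo situation here) is reported as a verification failure instead of a clean OK. The hostnames, ports and 30-day threshold are placeholders and assumptions, not values from the thread.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # flag certs this close to notAfter; the threshold is an assumption, not from the thread
# Constructed inventory of the UC components the thread mentions (CUCM, IM&P/CUP, CUC, CER, Expressway-E).
# These hostnames are placeholders, not real systems.
INVENTORY = [
    ("cucm-pub.example.internal", 8443),
    ("imp-pub.example.internal", 8443),
    ("cuc.example.internal", 8443),
    ("cer.example.internal", 8443),
    ("expressway-e.example.com", 443),
]


def days_until_expiry(cert, now=None):
    """cert is a dict shaped like ssl.SSLSocket.getpeercert(); negative means already expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])  # notAfter is parsed as UTC
    now = now or datetime.now(timezone.utc)
    return (expires - now.timestamp()) / 86400


def classify(cert, now=None, warn_days=WARN_DAYS):
    days = days_until_expiry(cert, now)
    if days < 0:
        return "EXPIRED"
    if days < warn_days:
        return "EXPIRING"
    return "OK"


def check_host(host, port, now=None):
    """Fetch the leaf cert over TLS and classify it. Chain verification stays on, so an expired
    intermediate or root (the Sectigo case in the thread) surfaces as VERIFY_FAIL instead of OK.
    Trust is judged against this machine's CA store, which may differ from CUCM's or Expressway's."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:  # must precede OSError: it is a subclass of it
        return {"host": host, "status": "VERIFY_FAIL", "detail": exc.verify_message}
    except OSError as exc:
        return {"host": host, "status": "UNREACHABLE", "detail": str(exc)}
    return {"host": host, "status": classify(cert, now), "days": round(days_until_expiry(cert, now))}


if __name__ == "__main__":
    for host, port in INVENTORY:
        print(check_host(host, port))
```

Run it from cron and alert on anything other than OK; a VERIFY_FAIL on a box whose own cert is not yet due is the signal that something upstream in the chain, like the intermediate or root, is what expired.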
