Re: [cisco-voip] [External] Re: Certificate issue and I am rubbish at certificates. (full disclosure)

From: Terry Oakley
Sent: Wednesday, May 24, 2023 11:35 AM
To: voip puck <cisco-voip@puck.nether.net>
Subject: [cisco-voip] Certificate issue and I am rubbish at certificates. (full disclosure)

On our Unity Connection server the certificates for Tomcat and Tomcat trust expired over the weekend, my oversight. I regenerated the certificates and both now have a year 2028 expiry date. But we still get the same error if someone is trying to access their inbox (https://server/inbox/) (the error is "You cannot visit server right now because the website uses HSTS").

I noticed that there is a CallManager-Trust certificate that expired on the same day as the Tomcat certs. The CallManager-Trust certificate is issued by the CA (CA signed), but when I go to Generate a CSR I don't have the option to choose CallManager-Trust or Trust. I have Tomcat, Tomcat ecdsa or ipsec. The common name for the expired CallManager-Trust certificate is the Unity Connection server that users cannot get to. Little confused as to where this CallManager-Trust certificate can be generated from.

Thank you

Terry

From: Matthew Loraditch
Sent: Wed, May 24, 2023 11:01 AM
To: Terry Oakley; voip puck

It sounds like something is different between the old and new certs (besides the dates). As far as clients accessing Unity via a browser, the callmanager-trust certs are not involved. I'm not even sure they are used at all on a Unity server. I've never touched them.

I would take a look at the old and new certs and make sure the subject and SAN fields are all the same. There can be a lot of reasons for cert errors, and the errors are all similar and hard to diagnose without access to the browser throwing the error, but that's the first thing I would check.

Matthew Loraditch
Sr. Network Engineer
direct: 443.541.1518
e: mloradi...@heliontechnologies.com
www.heliontechnologies.com

From: Hunter Fuller
Sent: Wednesday, May 24, 2023 12:14:27 PM
To: Matthew Loraditch
Cc: Terry Oakley; voip puck

2028 is WAY too far in the future. No modern browser trusts a publicly-issued certificate that is valid that far in the future. How did you even get that certificate? If you did a self-signed, then that would explain why no browser trusts it. Self-signed is the "sovereign citizen" of certificates. You need to get a certificate authority to sign your CSR.

https://knowledge.digicert.com/generalinformation/2-year_Certificate_Availability.html

--
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331
Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

From: Ryan Huff
Sent: Wednesday, May 24, 2023 1:08 PM
To: Hunter Fuller; Matthew Loraditch
Cc: Terry Oakley; voip puck

Sovereign Citizen. That's just funny.

Thanks,
Ryan Huff

From: Terry Oakley
To: Ryan Huff; Hunter Fuller; Matthew Loraditch
Cc: voip puck

Ahh, then a successful day, as we made one person have a good funny moment.

Terry

From: Terry Oakley
To: Hunter Fuller; Matthew Loraditch
Cc: voip puck

Thank you both and all. The 2028 date was created by the system using the regenerate option on the OS Admin page. Thank you for the knowledge. As I said, I am rubbish when it comes to certificates and, more importantly, understanding them. I assumed (yes, you can make the full understanding of "assume") that the regenerate would do it from our CA. I was wrong. Requested replacement certs from our CA and now we are up and running. Thank you again Hunter and Matthew.

Terry

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
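The two diagnoses in this thread, Hunter's (a regenerated certificate is self-signed and has a lifetime no public CA would issue) and Matthew's (compare subject and SAN between the old and new certificate), can both be checked from a workstation with the openssl CLI before the certificate goes on the server. The script below is an added example, not code from the thread or from Cisco; it assumes openssl 1.1.1 or newer (for `-ext` and `-addext`), and the host name ux.example.test and the file names are made-up demo values. It builds its own throw-away self-signed certificate as input so it runs offline. The HSTS message Terry saw is the browser refusing to offer a click-through for an untrusted certificate on an HSTS host, which is why the certificate itself has to chain to a trusted CA.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): judge a PEM certificate
# the way a browser will before installing it on a Unity Connection web server.
# Assumes the openssl CLI, 1.1.1 or newer (for -ext / -addext). The host name
# ux.example.test and all file names below are made-up demo values.

# Browser policy caps publicly trusted leaf certificates at 398 days; a public
# CA will not issue one that lasts until 2028.
MAX_PUBLIC_DAYS=398

# Print a distinguished name without the "subject="/"issuer=" prefix so the two
# can be compared as plain strings. $1 = PEM file, $2 = subject | issuer
_name() {
    openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'
}

# Succeeds when issuer and subject are identical: nobody but the server itself
# vouches for the certificate, which is what an OS Admin "Regenerate" produces.
cert_is_self_signed() {
    [ "$(_name "$1" subject)" = "$(_name "$1" issuer)" ]
}

# Succeeds when the certificate is still valid more than $2 days from now.
# openssl -checkend exits 0 if the certificate will NOT have expired by then.
cert_outlives_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print the subjectAltName entries on one line, e.g. "DNS:ux.example.test".
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2s/^ *//p'
}

# The comparison Matthew suggests: subject and SAN of the old ($1) and new ($2)
# certificate must agree. Prints each mismatch; fails if there is one.
cert_fields_match() {
    rc=0
    if [ "$(_name "$1" subject)" != "$(_name "$2" subject)" ]; then
        echo "subject differs: $(_name "$1" subject) -> $(_name "$2" subject)"
        rc=1
    fi
    if [ "$(cert_san "$1")" != "$(cert_san "$2")" ]; then
        echo "SAN differs: $(cert_san "$1") -> $(cert_san "$2")"
        rc=1
    fi
    return $rc
}

# Human-readable verdict on a single certificate file.
cert_report() {
    echo "== $1"
    openssl x509 -in "$1" -noout -subject -issuer -dates
    echo "SAN: $(cert_san "$1")"
    if cert_is_self_signed "$1"; then
        echo "WARNING: self-signed; browsers will not trust it, and an HSTS host offers no click-through"
    fi
    if cert_outlives_days "$1" "$MAX_PUBLIC_DAYS"; then
        echo "WARNING: valid for more than $MAX_PUBLIC_DAYS days; no public CA issues such a certificate"
    fi
}

# Constructed demo input: a throw-away self-signed certificate that mimics what
# "Regenerate" produced (about 5 years). $1 = output PEM, $2 = days, $3 = host.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3" \
        -keyout "${1%.pem}.key" -out "$1" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
make_demo_cert "$DEMO_DIR/old.pem" 365 ux.example.test
make_demo_cert "$DEMO_DIR/regenerated.pem" 1826 ux.example.test
cert_report "$DEMO_DIR/regenerated.pem"
if cert_fields_match "$DEMO_DIR/old.pem" "$DEMO_DIR/regenerated.pem"; then
    echo "subject and SAN match the old certificate; look at the issuer and trust chain next"
fi
rm -rf "$DEMO_DIR"
```

Against a live server, capture the certificate the browser actually receives with `openssl s_client -connect server:443 </dev/null | openssl x509 -out new.pem` and run `cert_report new.pem`, then `cert_fields_match old.pem new.pem` with the expired certificate exported from the OS Admin page. A self-signed warning or a lifetime past 398 days means the fix is the one the thread arrives at: generate a CSR and have the CA sign it, rather than regenerating.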