Re: [cisco-voip] Phantom tomcat-trust cert
https://tools.cisco.com/bugsearch/bug/CSCuv75866

On Tue, 6 Oct 2015 2:14 am Brian Meade wrote:

> Maybe this? https://tools.cisco.com/bugsearch/bug/CSCun33173
>
> Try manually stopping the Cisco Intercluster Sync Agent Service and
> deleting the certificate.
>
> On Sun, Oct 4, 2015 at 10:45 PM, James Andrewartha
> <jandrewar...@ccgs.wa.edu.au> wrote:
>
>> On 02/10/15 02:57, Brian Meade wrote:
>> > You can try to download the tomcat.pem from the publisher and manually
>> > install it on the presence server as a tomcat-trust. Since the Common
>> > Name is the same, it should replace the existing tomcat-trust.
>>
>> It did replace the existing tomcat-trust, however it still got
>> overwritten from the publisher by the cert expiring in 2015. I even
>> tried downloading/uploading the cert as .der instead of .pem as that's
>> what the expiry email says, but no go.
>>
>> --
>> James Andrewartha
>> Network & Projects Engineer
>> Christ Church Grammar School
>> Claremont, Western Australia
>> Ph. (08) 9442 1757
>> Mob. 0424 160 877

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
Re: [cisco-voip] Phantom tomcat-trust cert
Maybe this? https://tools.cisco.com/bugsearch/bug/CSCun33173

Try manually stopping the Cisco Intercluster Sync Agent Service and deleting the certificate.

On Sun, Oct 4, 2015 at 10:45 PM, James Andrewartha <jandrewar...@ccgs.wa.edu.au> wrote:

> On 02/10/15 02:57, Brian Meade wrote:
> > You can try to download the tomcat.pem from the publisher and manually
> > install it on the presence server as a tomcat-trust. Since the Common
> > Name is the same, it should replace the existing tomcat-trust.
>
> It did replace the existing tomcat-trust, however it still got
> overwritten from the publisher by the cert expiring in 2015. I even
> tried downloading/uploading the cert as .der instead of .pem as that's
> what the expiry email says, but no go.
>
> --
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
Re: [cisco-voip] Phantom tomcat-trust cert
On 02/10/15 02:57, Brian Meade wrote:

> You can try to download the tomcat.pem from the publisher and manually
> install it on the presence server as a tomcat-trust. Since the Common
> Name is the same, it should replace the existing tomcat-trust.

It did replace the existing tomcat-trust, however it still got overwritten from the publisher by the cert expiring in 2015. I even tried downloading/uploading the cert as .der instead of .pem as that's what the expiry email says, but no go.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
Re: [cisco-voip] Phantom tomcat-trust cert
You can try to download the tomcat.pem from the publisher and manually install it on the presence server as a tomcat-trust. Since the Common Name is the same, it should replace the existing tomcat-trust.

On Wed, Sep 30, 2015 at 10:19 PM, James Andrewartha <jandrewar...@ccgs.wa.edu.au> wrote:

> On 30/09/15 22:29, Brian Meade wrote:
> > So if you stop the certificate change notification service on the
> > publisher and that presence server then delete the tomcat-trust on the
> > presence server, you see it propagate that old tomcat-trust again to the
> > presence server after the services are started again?
>
> Correct, with the exception that there's no certificate change
> notification service on the presence server, only an expiry monitor.
>
> --
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
Re: [cisco-voip] Phantom tomcat-trust cert
On 30/09/15 22:29, Brian Meade wrote:

> So if you stop the certificate change notification service on the
> publisher and that presence server then delete the tomcat-trust on the
> presence server, you see it propagate that old tomcat-trust again to the
> presence server after the services are started again?

Correct, with the exception that there's no certificate change notification service on the presence server, only an expiry monitor.

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
Re: [cisco-voip] Phantom tomcat-trust cert
So if you stop the certificate change notification service on the publisher and that presence server then delete the tomcat-trust on the presence server, you see it propagate that old tomcat-trust again to the presence server after the services are started again?

On Wed, Sep 30, 2015 at 12:26 AM, James Andrewartha <jandrewar...@ccgs.wa.edu.au> wrote:

> On 15/09/15 22:34, Brian Meade wrote:
> > Stop the certificate change notification service on all nodes and then
> > delete all the old tomcat-trust certs. You can then restart the service
> > and they shouldn't come back.
>
> This worked for most of them, but there's still one that is propagating
> from the publisher to IM for the publisher tomcat-trust:
>
> On presence, this is the one that comes back if I delete it:
>
> admin:show cert trust tomcat-trust/callmanager1.voip.ccgs.wa.edu.au.pem
> [
>   Version: V3
>   Serial Number: 39A72D2638CD12B5
>   SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
>   Issuer Name: C=AU, ST=Western Australia, L=Queenslea Drive, Claremont,
>   O=Christ Church Grammar School, OU=ICT Services,
>   CN=callmanager1.voip.ccgs.wa.edu.au
>   Validity From: Thu Sep 23 09:49:29 WST 2010
>            To:   Wed Sep 23 09:49:29 WST 2015
>   Subject Name: C=AU, ST=Western Australia, L=Queenslea Drive,
>   Claremont, O=Christ Church Grammar School, OU=ICT Services,
>   CN=callmanager1.voip.ccgs.wa.edu.au
>
> On callmanager1:
>
> admin:show cert trust tomcat-trust/callmanager1.voip.ccgs.wa.edu.au.pem
> [
>   Version: V3
>   Serial Number: B231C6ACDB211AEE6C18BDC8700A0EE
>   SignatureAlgorithm: SHA256withRSA (1.2.840.113549.1.1.11)
>   Issuer Name: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
>   Validity From: Wed Apr 08 08:00:00 WST 2015
>            To:   Wed Jun 13 20:00:00 WST 2018
>   Subject Name: CN=callmanager1.voip.ccgs.wa.edu.au, O=Christ Church
>   Grammar School, L=Claremont, ST=Western Australia, C=AU
>
> The new tomcat cert is a SAN cert, so maybe I've hit some sort of bug?
>
> --
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
Re: [cisco-voip] Phantom tomcat-trust cert
On 15/09/15 22:34, Brian Meade wrote:

> Stop the certificate change notification service on all nodes and then
> delete all the old tomcat-trust certs. You can then restart the service
> and they shouldn't come back.

This worked for most of them, but there's still one that is propagating from the publisher to IM for the publisher tomcat-trust:

On presence, this is the one that comes back if I delete it:

admin:show cert trust tomcat-trust/callmanager1.voip.ccgs.wa.edu.au.pem
[
  Version: V3
  Serial Number: 39A72D2638CD12B5
  SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
  Issuer Name: C=AU, ST=Western Australia, L=Queenslea Drive, Claremont,
  O=Christ Church Grammar School, OU=ICT Services,
  CN=callmanager1.voip.ccgs.wa.edu.au
  Validity From: Thu Sep 23 09:49:29 WST 2010
           To:   Wed Sep 23 09:49:29 WST 2015
  Subject Name: C=AU, ST=Western Australia, L=Queenslea Drive,
  Claremont, O=Christ Church Grammar School, OU=ICT Services,
  CN=callmanager1.voip.ccgs.wa.edu.au

On callmanager1:

admin:show cert trust tomcat-trust/callmanager1.voip.ccgs.wa.edu.au.pem
[
  Version: V3
  Serial Number: B231C6ACDB211AEE6C18BDC8700A0EE
  SignatureAlgorithm: SHA256withRSA (1.2.840.113549.1.1.11)
  Issuer Name: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  Validity From: Wed Apr 08 08:00:00 WST 2015
           To:   Wed Jun 13 20:00:00 WST 2018
  Subject Name: CN=callmanager1.voip.ccgs.wa.edu.au, O=Christ Church
  Grammar School, L=Claremont, ST=Western Australia, C=AU

The new tomcat cert is a SAN cert, so maybe I've hit some sort of bug?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
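Added example (not part of any message in this thread, and not Cisco tooling): a small Python check that compares a tomcat-trust entry against the node's current certificate, using the two `show cert trust` outputs quoted in the message above. The function names, the audit date and the four heuristics are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Values copied from the thread's two `show cert trust` outputs (wrapped lines joined).
OLD_DN = ("C=AU, ST=Western Australia, L=Queenslea Drive, Claremont, "
          "O=Christ Church Grammar School, OU=ICT Services, "
          "CN=callmanager1.voip.ccgs.wa.edu.au")
PRESENCE = f"""Serial Number: 39A72D2638CD12B5
SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
Issuer Name: {OLD_DN}
Validity From: Thu Sep 23 09:49:29 WST 2010
To: Wed Sep 23 09:49:29 WST 2015
Subject Name: {OLD_DN}"""
PUBLISHER = """Serial Number: B231C6ACDB211AEE6C18BDC8700A0EE
SignatureAlgorithm: SHA256withRSA (1.2.840.113549.1.1.11)
Issuer Name: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
Validity From: Wed Apr 08 08:00:00 WST 2015
To: Wed Jun 13 20:00:00 WST 2018
Subject Name: CN=callmanager1.voip.ccgs.wa.edu.au, O=Christ Church Grammar School, L=Claremont, ST=Western Australia, C=AU"""
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def parse_cert(text):
    """Map each 'Label: value' line to a dict ('Validity From' becomes 'From')."""
    pairs = (re.match(r"\s*(?:Validity )?([A-Za-z ]+?):\s*(.+)", ln) for ln in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in pairs if m}

def parse_date(value):
    """Parse 'Wed Sep 23 09:49:29 WST 2015'; the zone label is dropped (node-local time)."""
    _dow, mon, day, hms, _zone, year = value.split()
    return datetime(int(year), MONTHS.index(mon) + 1, int(day), *map(int, hms.split(":")))

def common_name(dn):
    return re.search(r"CN=([^,]+)", dn).group(1)

def audit(trust_entry, identity, now):
    """List reasons a trust-store entry looks like a leftover of the node's old cert."""
    t, cur = parse_cert(trust_entry), parse_cert(identity)
    findings = []
    if (common_name(t["Subject Name"]) == common_name(cur["Subject Name"])
            and t["Serial Number"] != cur["Serial Number"]):
        findings.append("stale: same CN as current cert, different serial")
    if t["Issuer Name"] == t["Subject Name"]:
        findings.append("self-signed")
    if t["SignatureAlgorithm"].startswith("SHA1"):
        findings.append("SHA-1 signature")
    if parse_date(t["To"]) < now:
        findings.append("expired")
    return findings

print(audit(PRESENCE, PUBLISHER, datetime(2015, 10, 6)))
```

Run against the entry that keeps reappearing on the presence node, all four checks fire; run against the publisher's own DigiCert-issued certificate, none do.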
Re: [cisco-voip] Phantom tomcat-trust cert
Stop the certificate change notification service on all nodes and then delete all the old tomcat-trust certs. You can then restart the service and they shouldn't come back.

On Tue, Sep 15, 2015 at 1:22 AM, James Andrewartha <jandrewar...@ccgs.wa.edu.au> wrote:

> Hi list,
>
> Our cluster is nearly 5 years old, so I've done the certificate dance,
> including using Digicert for the tomcat multi-server cert. However, some
> old certs that are about to expire keep appearing as tomcat-trust certs.
> I've deleted them several times, but they keep coming back overnight.
> Even after I rebooted the cluster out of hours they've come back again.
> It's mostly cosmetic, I just keep getting alert emails saying they're
> going to expire. Has anyone seen this before? Running 10.5.2.
>
> Thanks,
>
> --
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
[cisco-voip] Phantom tomcat-trust cert
Hi list,

Our cluster is nearly 5 years old, so I've done the certificate dance, including using Digicert for the tomcat multi-server cert. However, some old certs that are about to expire keep appearing as tomcat-trust certs. I've deleted them several times, but they keep coming back overnight. Even after I rebooted the cluster out of hours they've come back again. It's mostly cosmetic, I just keep getting alert emails saying they're going to expire. Has anyone seen this before? Running 10.5.2.

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877