Re: [cisco-voip] MRA Onboarding via activation code... phone trust list?

2021-11-11 Thread Jonathan Charles
Yes, they will; the Expressway E was designed around an ACME cert and Let's
Encrypt is super free.

Anyway, I think the issue is between the Expressway and CUCM at this
point... escalating to TAC...


Jonathan

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-11 Thread Brian V
Part of the workaround referenced in the bug doesn't make sense. They
reference adding some GoDaddy certs, but when you look at the URL they
reference (*.wbx2.com) it is signed by Hydrant, not Go Daddy.
See images below



Re: [cisco-voip] MRA Onboarding via activation code... phone trust list?

2021-11-11 Thread Brian V
Will the phones trust a Let's Encrypt cert?
Jabber works because the OS (Windows/MAC/iOS/Droid) gets updated root CA
certs on a regular basis.
The trusted certs in the phone have to be placed there in the software by
Cisco.
This might be a situation where newer code on a phone is required if the
trusted Root CA (or chain) for Let's Encrypt is missing on the phone.



Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-11 Thread Lelio Fulgenzi
Ok. This all points to desktops not accepting root certificate updates from
what I can tell.

I just checked with my contact and asked about this on our site and he said there
is no blocking of root certs being downloaded.

I'm going to guess then that I'm ok. 

I mean, I haven't heard anything yet either, so that's a good sign.

This can only get better when we move to 30 day certs, right?

ACME for the WIN



Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-11 Thread NateCCIE
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq73203



Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-11 Thread Gary Parker
Quick follow-up: I’ve heard from another site (off-list) suffering this now, 
too. 

Gary



Re: [cisco-voip] MRA Onboarding via activation code... phone trust list?

2021-11-11 Thread Matthew Huff
I wouldn’t put a lot of weight in the status on the phone with the TLS error, 
I’ve seen that with working phones. Do you have the phone MRA domain set? We 
have a separate device pool for MRA devices so it can set the time from 
external ntp sources. If the time on the phone is off, the crypto can fail as 
well.

Matthew Huff | Director of Technical Operations | OTA Management LLC

Office: 914-460-4039
mh...@ox.com | www.ox.com
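Brian V's point earlier in the thread (the phone trusts only the roots Cisco built into its firmware) and the point in Matthew Huff's message above (a phone whose clock is wrong fails the certificate check) can both be reproduced offline. The script below is an added example, not code from this thread or from Cisco: it builds a throwaway CA with openssl, assumes only that openssl 1.1.1 or newer is on PATH, and the hostname expe.lab.example.invalid and both root names are made up.

```shell
#!/bin/sh
# Added example, not code from this thread or from Cisco. It models, offline,
# the two reasons the thread gives for a phone's bare "TLS connection failed":
#   1. the server chain ends in a root that is not in the client's fixed trust
#      list (the phone only trusts the roots Cisco shipped in its firmware)
#   2. the client's clock is outside the certificate's validity window
# Everything is constructed here with openssl (1.1.1 or newer on PATH): the
# hostname expe.lab.example.invalid and both root names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script behaves the same on every openssl build
# (it does not depend on the system openssl.cnf); -subj overrides the dn.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_root PREFIX CN: a throwaway self-signed root, valid 30 days.
make_root() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 30 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    >/dev/null 2>&1
}

# public-ca plays the CA that signed the Expressway-E certificate; vendor-ca is
# the only root our stand-in "phone" trusts, so the two never overlap.
make_root public-ca "Constructed Public Root"
make_root vendor-ca "Constructed Vendor-Shipped Root"

# Server certificate for the fictional Expressway-E, issued by public-ca.
openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=expe.lab.example.invalid" \
  -keyout "$WORK/expe.key" -out "$WORK/expe.csr" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:expe.lab.example.invalid\n' \
  > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/expe.csr" -days 10 -sha256 \
  -CA "$WORK/public-ca.pem" -CAkey "$WORK/public-ca.key" -CAcreateserial \
  -extfile "$WORK/leaf.ext" -out "$WORK/expe.pem" >/dev/null 2>&1

# verify_chain TRUST_BUNDLE SERVER_CERT [EPOCH_SECONDS]
# Exit 0 when SERVER_CERT chains to a root in TRUST_BUNDLE and is valid at the
# given time (default: now). EPOCH_SECONDS stands in for the client's clock.
verify_chain() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -attime "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# diagnose TRUST_BUNDLE SERVER_CERT EPOCH_SECONDS
# Prints ok, untrusted-root, clock or other, recovered from openssl's verify
# error text: the distinction the phone's status screen does not show.
diagnose() {
  out=$(openssl verify -CAfile "$1" -attime "$3" "$2" 2>&1) && { echo ok; return 0; }
  case "$out" in
    *"not yet valid"*|*"has expired"*)                        echo clock ;;
    *"unable to get local issuer"*|*"unable to get issuer"*)  echo untrusted-root ;;
    *)                                                        echo other ;;
  esac
}

# Stand-alone run: one line per scenario.
now=$(date +%s)
echo "public root in trust list, clock right: $(diagnose "$WORK/public-ca.pem" "$WORK/expe.pem" "$now")"
echo "vendor root only, clock right:          $(diagnose "$WORK/vendor-ca.pem" "$WORK/expe.pem" "$now")"
echo "public root in trust list, clock 2001:  $(diagnose "$WORK/public-ca.pem" "$WORK/expe.pem" 1000000000)"
```

The second scenario is the phone-firmware case (a CA the client has never heard of), the third is the NTP case; both fail the same way on the phone's screen, which is why the diagnosis has to be done on the Expressway or with a tool like this.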


Re: [cisco-voip] MRA Onboarding via activation code... phone trust list?

2021-11-11 Thread Jonathan Charles
It is running 12.8... it has been locally reg'd before...



Re: [cisco-voip] MRA Onboarding via activation code... phone trust list?

2021-11-11 Thread Matthew Huff
In the lab, have you tried setting up the phone without MRA and get the 
firmware uploaded first? Depending on how old the firmware is, you may have 
issues with onboarding. Our 8861 wouldn’t onboard until at least 12.5.

Matthew Huff | Director of Technical Operations | OTA Management LLC

Office: 914-460-4039
mh...@ox.com | www.ox.com


Re: [cisco-voip] [External] Jabber Users Prompted To Accept Webex Cert

2021-11-11 Thread Gary Parker
Thanks Tim, likewise: glad it’s not just us!

I’m loath to advise users to accept a certificate that’s flagged as bad for 
some reason, as that’s just bad security practice.

As I mentioned earlier, I’ve added:

WEBEX

...to our jabber-config.xml, and we’re advising users to reset their Jabber 
client to apply it, but that’s bound to upset a few who’ll lose their chat 
history and contacts.

Gary



Re: [cisco-voip] Jabber Users Prompted To Accept Webex Cert

2021-11-11 Thread Gary Parker
Thanks Jason, I was aware of FN 72120 and figured that this may be associated 
(but not the cause); I guess Cisco have replaced a load of certs.

However:

- FN 72120 only relates to Android and iOS clients using push notifications, 
we’re only seeing this behaviour on Windows clients

- these clients are connecting to on-prem services, either directly or via 
expressway/MRA with EXCLUDED_SERVICES=WEBEX declared at install. The clients 
should not be attempting to contact Webex servers

- we’ve checked a number of clients and all have the correct IdenTrust root CA 
present (checked serial numbers)

- viewing the offered certificate within Jabber shows root, intermediate and 
server all okay

- browsing to https://idbroker.webex.com and examining the certificate shows 
the same, it’s only the Jabber application that rejects the certificate

Gary 



Re: [cisco-voip] MRA Onboarding via activation code... phone trust list?

2021-11-11 Thread Jonathan Charles
On the phone, we see TLS connection failed... the E's cert is signed by
Let's Encrypt...

On the Expressway E we see some certificate exchange and then resets in the
connection...

MRA works fine for Jabber just 8845 Activation Code onboarding is
failing...


Jonathan

On Tue, Nov 9, 2021 at 5:57 PM Brian Meade  wrote:

> What do the console logs show?
>
> The Expressway needs to be signed by one of the trusted CAs listed that
> are part of the phone firmware.
>
> The Expressway cert authenticates the phone with the MIC.
>
> Do you have activation code onboarding enabled under the MRA config on the
> Expressway-C?
>
> On Fri, Nov 5, 2021, 5:30 PM Jonathan Charles  wrote:
>
>> So, I set up activation code MRA for an 8845 (lab first)...
>>
>> Cloud onboarding worked, got an activation code, tried it out...
>>
>> Phone kicks back 'check internet connectivity' and on the status on the
>> phone says:
>>
>> GDS Handshake Succeeded
>> A TLS connection failed...
>>
>> GDS is Cisco's cloud onboarding thingy; I am assuming it didn't like
>> the TLS connection to the expressway, but I don't see anything in the
>> Expressway logs...
>>
>> There is a bug and it says we need to load a Hydrant cert back into the
>> trust store...
>> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt67257?rfs=iqvred
>>
>> But where do we need to load it? Tomcat Trust? On the Expressways? The
>> bug doesn't say... it needs to be pushed to the phone's trust list, how do
>> you do that?
>>
>>
>> Thanks!
>>
>> Jonathan


Re: [cisco-voip] [External] Re: Jabber Users Prompted To Accept Webex Cert

2021-11-11 Thread Johnson, Tim
I’ve heard from my help desk that they had a few users report the prompt for 
accepting a cert. Unfortunately, they gathered zero details for me and just had 
the users accept the cert…

Good to know it’s not just us though.




Re: [cisco-voip] Jabber Users Prompted To Accept Webex Cert

2021-11-11 Thread Jason Aarons
Webex clients update switched from the Quovadis Root CA, which was older and
being retired, to the IdenTrust Root CA, which dates back to 2014. The
IdenTrust Root CA certificate is contained within the default trust store
of all major operating systems by default.

Not clear why IdenTrust is missing on your computers.

Guessing maybe you disabled automatic root updates at some point or don’t
have Windows updates running?
https://serverfault.com/questions/752146/why-are-many-admins-using-turn-off-automatic-root-certificates-update-policy

Cisco Field Notice we didn’t notice
https://www.cisco.com/c/en/us/support/docs/field-notices/721/fn72120.html



[cisco-voip] Jabber Users Prompted To Accept Webex Cert

2021-11-11 Thread Gary Parker
Morning all, a few years back we had a problem where lots of our managed 
Windows service users were complaining that their Jabber clients had started 
rejecting a certificate offered by idbroker.webex.com

This thread on community.cisco.com 
(https://community.cisco.com/t5/unified-communications/jabber-idbroker-webex-com-certificate-request-during-the-first/td-p/3216376)
 showed we weren’t the only ones, but that it seemed limited to managed clients.

We solved this by adding the EXCLUDED_SERVICES=WEBEX flag to the installer on 
our managed clients.

Fast forward to today and we suddenly have a load of service desk cases from 
users again. Nothing has changed in our configuration of Jabber client, IM 
servers or expressways. The clients haven’t been updated recently, and this 
time we’re also seeing the “Certificate not valid” pop-up on unmanaged Windows 
machines as well as our managed service. The cert that’s being rejected has 
validity start date of late September, so it doesn’t appear to be a cert that’s 
only just been brought into use.

Is anyone else seeing this today?

As a workaround I’ve added:

WEBEX

...to our jabber-config.xml, but that will require users to manually reset 
their clients. Not sure why I hadn’t done earlier ¯\_(ツ)_/¯ 