Connection to the Server cannot be established (Certificate Exception)

j.huizinga
Level 6

Hi,

In my Lab I am setting up: 2x CUCM and 2 IMP servers (all 10.5 version)

The new IMP versions are part of the cluster, so each IMP server is a subscriber in CUCM (publisher)

I want to activate the services on the IMP server from the CUCM (Cisco Unified Serviceability: Tools/Service activation)

From the CUCM publisher I can activate the CUCM sub and the FIRST(!) IMP

When I use the drop down (Select Server) and select the second IMP server I get the error: "Connection to the Server cannot be established (Certificate Exception) "

Since this was a lab, I reinstalled everything from scratch, but got the same result: I can't connect from my CUCM pub to the second IMP.

When I execute the command "show network cluster" everything seems OK. Normally this error is with an expired tomcat certificate, but this is a fresh install. The certificates are valid for 5 years!

 

Any idea?

 

Thanks

 

JH

Accepted Solutions

Rob Huffman
Hall of Fame

Hi JH,

 

It sounds like you may be hitting this 10.5 bug;

 

Connection to the Server cannot be established (Certificate Exception)
CSCup10995

 

Cheers!

Rob 


14 Replies

Hi Rob,

 

Thank you, this seems to be the case.

But it is even weirder, after I posted this discussion, I configured on CUCM (Presence Redundancy Group) and added the second server. Then I had lunch and after I came back I can access the second IMP from the CUCM publisher. After reading the bug, it seems that there is an issue with sync of the databases. Especially this from the bug "But the output of utils dbreplication status shows the replicates are not in sync in various certificate related tables and replicationdynamic table" seems to be the issue.

In this case it finally worked, and the databases were synchronized.

 

Thanks again!

 

Jan

 

I have this issue with CUCM 10.5.2, which looks like it's not affected by this bug, 1 Pub + 4 Subs. It's not letting me add IM+P servers to the cluster either; I'm assuming it's due to this issue (servers have been added to CUCM), but the install fails to get past the network connectivity validation.

I can ping the IMP server from CUCM.

Hi Richard

I'm running into the same issue - Network Connectivity seems to loop but everything is okay (ip in server list, ping okay, DNS okay).

How did you solve this?

Cheers

Martin

This bug is now internal-only on Bug Search and I can't see any fix for this.

 

Can anyone assist with troubleshooting steps for this?  We have 2CUCM/2IMP servers.  From either IMP server we cannot view the CUCM PUB from Serviceability.

Resolved this!

 

I noted on the CUCM Publisher that there were 2 ipsec-trust certificates for the same node, with different cases.

 

By this I mean:

 

cucmpub.mydomain.local

CUCMPUB.mydomain.local

 

I checked on the IM and P nodes, and these only had one of the certificates.  On our CUCM SUB, this had both certificates, and was not having any problems.

 

I downloaded the ipsec-trust certificate from the PUB and uploaded this to both IM and P nodes, restarting Cisco Tomcat (not needed on the Publisher).  This resolved the issue.
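
The check described in the post above, written out as an added example that is not part of the original thread: compare each node's trust-store entries to find hostnames that differ only by case and nodes that lack an entry held elsewhere. The inventory layout and the node names (`cucm-pub`, `cucm-sub`, `imp-1`, `imp-2`) are assumptions; the data is constructed and would in practice be filled in from each node's certificate list.

```python
from collections import defaultdict

# Hostnames reuse the example given in the thread.
PUB_LOWER = "cucmpub.mydomain.local"
PUB_UPPER = "CUCMPUB.mydomain.local"

# Constructed inventory (assumption): node -> set of (trust store, certificate name).
# This is not CUCM output; populate it from each node's certificate list.
INVENTORY = {
    "cucm-pub": {("ipsec-trust", PUB_LOWER), ("ipsec-trust", PUB_UPPER)},
    "cucm-sub": {("ipsec-trust", PUB_LOWER), ("ipsec-trust", PUB_UPPER)},
    "imp-1": {("ipsec-trust", PUB_LOWER)},
    "imp-2": {("ipsec-trust", PUB_LOWER)},
}


def case_variants(inventory):
    """Return {(store, folded name): spellings} where one host appears in >1 case."""
    seen = defaultdict(set)
    for entries in inventory.values():
        for store, name in entries:
            seen[(store, name.casefold())].add(name)
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}


def missing_entries(inventory):
    """Return node -> entries present somewhere in the cluster but absent on that node.

    Assumes every node should hold the same trust entries, compared by exact spelling.
    """
    everything = set().union(*inventory.values())
    gaps = {}
    for node, entries in inventory.items():
        absent = sorted(everything - entries)
        if absent:
            gaps[node] = absent
    return gaps


if __name__ == "__main__":
    for (store, _), names in case_variants(INVENTORY).items():
        print(f"{store}: same host, different case: {names}")
    for node, absent in missing_entries(INVENTORY).items():
        for store, name in absent:
            print(f"{node}: missing {store} entry for {name}")
```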

I just had this on a fresh build of 11.

The CUCM had no IMP related certs in it, and the IMP had no CUCM related certs.

I took the tomcat and ipsec certs from each, uploaded to the other and it worked.  No tomcat restart necessary for me.

Absolutely correct, carlnewton, this issue only happens when the tomcat certificates are missing on one server or both. In an ideal situation, the subscriber server should have its own tomcat certificate along with the publisher certificate and vice versa. If the tomcat certificates are missing for the other server and you connect to that server, the certificate exception will always appear.

Regards

Deepak

Hi Deepak,

Thanks for the confirmation.  My post was more to highlight that I experienced this bug in version 11.0 (even though it's a 10.5 bug ID) for anyone who might stumble upon this thread running 11.0.

Thanks, my friend, this procedure solved my problem.

Resolved!

 

In my case I noted that there had been a hostname case-sensitivity change, and the new ipsec-trust certificates had been propagated to the CUCM SUB, but not the IMP nodes.

 

I downloaded the new ipsec-trust certificate from the PUB and uploaded this to both IMP nodes, restarting the Cisco Tomcat services of the affected servers.

 

This resolved the issue.

Hi Rob,

 

I have the same problem with CUCM 11.5 and there are no IMP&M servers installed.

Could you help me, please?

 

best regards,

Alfredo.

If this helps, do not forget, rate!!

Dilyan Dimov
Level 1

Yep, reimporting the tomcat cert (pem) from the server that you cannot connect to did the trick.

Hi, I'm having this issue as well.

 

When I attempt to upload the missing Tomcat cert (PEM), the upload is denied with a red "X" stating "Self-signed certificate."

 

What am I doing wrong here?
