Cisco Support Community
Silver

Connection to the Server cannot be established (Certificate Exception)

Hi,

In my Lab I am setting up: 2x CUCM and 2 IMP servers (all 10.5 version)

The new IMP versions are part of the cluster, so each IMP server is a subscriber in CUCM (publisher)

I want to activate the services on the IMP server from the CUCM (Cisco Unified Serviceability: Tools/Service activation)

From the CUCM publisher I can activate the CUCM sub and the FIRST(!) IMP

When I use the drop down (Select Server) and select the second IMP server I get the error: "Connection to the Server cannot be established (Certificate Exception) "

Since this was a lab, I reinstalled everything from scratch, but with the same result: I can't connect from my CUCM pub to the second IMP.

When I execute the command "show network cluster" everything seems OK. Normally this error is with an expired tomcat certificate, but this is a fresh install. The certificates are valid for 5 years!

 

Any idea?

 

Thanks

 

JH

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Red

Hi JH,

 

It sounds like you may be hitting this 10.5 bug;

 

Connection to the Server cannot be established (Certificate Exception)
CSCup10995

 

Cheers!

Rob 

12 REPLIES
Silver

Hi Rob,

 

Thank you, this seems to be the case.

But it is even weirder, after I posted this discussion, I configured on CUCM (Presence Redundancy Group) and added the second server. Then I had lunch and after I came back I can access the second IMP from the CUCM publisher. After reading the bug, it seems that there is an issue with sync of the databases. Especially this from the bug "But the output of utils dbreplication status shows the replicates are not in sync in various certificate related tables and replicationdynamic table" seems to be the issue.

In this case it finally worked, and the databases were synchronized.

 

Thanks again!

 

Jan

 

I have this issue with CUCM 10.5.2, which looks like it's not affected by this bug, 1 Pub + 4 Subs. It's not letting me add IM+P servers to the cluster either; I'm assuming it's due to this issue (servers have been added to CUCM), but during the install it fails to get past the network connectivity validation.

I can ping the IMP server from CUCM.

Hi Richard

I'm running into the same issue - Network Connectivity seems to loop but everything is okay (ip in server list, ping okay, DNS okay).

How did you solve this?

Cheers

Martin

New Member

This bug is now internal-only on Bug Search and I can't see any fix for this.

 

Can anyone assist with troubleshooting steps for this?  We have 2CUCM/2IMP servers.  From either IMP server we cannot view the CUCM PUB from Serviceability.

New Member

Resolved this!

 

I noted on the CUCM Publisher that there were 2 ipsec-trust certificates for the same node... with different cases...

 

By this I mean:

 

cucmpub.mydomain.local

CUCMPUB.mydomain.local

 

I checked on the IM and P nodes, and these only had one of the certificates.  On our CUCM SUB, this had both certificates, and was not having any problems.

 

I downloaded the ipsec-trust certificate from the PUB and uploaded this to both IM and P nodes, restarting Cisco Tomcat (not needed on the Publisher).  This resolved the issue.

New Member

I just had this on a fresh build of 11.

The CUCM had no IMP related certs in it, and the IMP had no CUCM related certs.

I took the tomcat and ipsec certs from each, uploaded to the other and it worked.  No tomcat restart necessary for me.

Cisco Employee

Absolutely correct carlnewton, this issue only happens when the tomcat certificates are missing on one server or both. In an ideal situation, the subscriber server should have its own tomcat certificate along with the publisher certificate and vice versa. If the tomcat certificates are missing for the other server and you connect to that server, the certificate exception will always appear.

Regards

Deepak
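
The two causes reported in the posts above (case-variant ipsec-trust entries, and peer certificates missing from a node's trust store) can be checked offline once you have a per-node list of trust-store entries. This is an added example, not part of any post and not Cisco tooling; the inventory and the hostnames imp1/imp2 are constructed, and "every entry seen on one node should exist on all nodes" is a review heuristic, not a product rule.

```python
from collections import defaultdict

# Constructed inventory (not from the thread): node -> {(trust store, cert CN)}.
# How the list is collected from each node is left to the reader.
INVENTORY = {
    "cucmpub.mydomain.local": {
        ("ipsec-trust", "cucmpub.mydomain.local"),
        ("ipsec-trust", "CUCMPUB.mydomain.local"),
        ("tomcat-trust", "cucmpub.mydomain.local"),
        ("tomcat-trust", "imp1.mydomain.local"),
        ("tomcat-trust", "imp2.mydomain.local"),
    },
    "imp1.mydomain.local": {
        ("ipsec-trust", "CUCMPUB.mydomain.local"),
        ("tomcat-trust", "cucmpub.mydomain.local"),
        ("tomcat-trust", "imp1.mydomain.local"),
        ("tomcat-trust", "imp2.mydomain.local"),
    },
    "imp2.mydomain.local": {
        ("ipsec-trust", "CUCMPUB.mydomain.local"),
        ("tomcat-trust", "imp2.mydomain.local"),
    },
}


def case_variants(inventory):
    """Names that occur in one store under spellings differing only by case."""
    spellings = defaultdict(set)
    for entries in inventory.values():
        for store, cn in entries:
            spellings[(store, cn.lower())].add(cn)
    return {key: sorted(names) for key, names in spellings.items() if len(names) > 1}


def missing_per_node(inventory):
    """Entries held by at least one node but absent (exact match) on another."""
    cluster_wide = set().union(*inventory.values())
    return {node: sorted(cluster_wide - entries)
            for node, entries in inventory.items() if cluster_wide - entries}


if __name__ == "__main__":
    for (store, _), names in case_variants(INVENTORY).items():
        print(f"case variants in {store}: {names}")
    for node, gaps in missing_per_node(INVENTORY).items():
        for store, cn in gaps:
            print(f"{node}: no {store} entry for {cn}")
```

The comparison in `missing_per_node` is deliberately case-sensitive, so a node holding only one spelling of a hostname is reported as missing the other.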

New Member

Hi Deepak,

Thanks for the confirmation.  My post was more to highlight that I experienced this bug in version 11.0 (even though it's a 10.5 bug ID) for anyone who might stumble upon this thread running 11.0.

New Member

Resolved!

 

In my case I noted that there had been a hostname case-sensitivity change, and the new ipsec-trust certificates had been propagated to the CUCM SUB, but not the IMP nodes.

 

I downloaded the new ipsec-trust certificate from the PUB and uploaded this to both IMP nodes, restarting the Cisco Tomcat services of the affected servers.

 

This resolved the issue.

New Member

Yep, reimporting the tomcat cert (pem) from the server that you cannot connect to did the trick.

New Member

Re: Yep, reimporting the tomcat

Hi, I'm having this issue as well.

 

When I attempt to upload the missing Tomcat cert (PEM), the upload is denied with a red "X" stating "Self-signed certificate."

 

What am I doing wrong here?
