We are in the pilot phase of a UC and Jabber for Everyone deployment. We purchased SSL certificates for CUCM, CUC, and CIMP, including 2 certs for XMPP on the CIMP servers with subject alternate names, to get rid of SSL certificate warnings.
We've started testing with the Jabber 9.6 client on Windows, and of course on iOS devices that is all that is available now. Under 9.6 we are seeing warnings for the certificates intermittently:
1. On first login we get certificate warnings, sometimes for a single cert, sometimes for all of them, sometimes just a couple. In each case viewing the details lists the name of the server as it is listed as the subject in the certificate, and it shows it as being a Comodo certificate.
2. Some users (including myself) have seen the warning pop up randomly during the day while the client is up and running. This is very rare, but I've seen it twice on my own test machines.
3. iOS devices on first launch give the certificate error, but rather than showing the DNS name of the server, it shows the IP address for our CUCM server.
All our certificates are purchased via Comodo, and their root and intermediate are in the Windows Trust store in the appropriate places. We use Comodo for all our services, and we never have this issue with our websites, Exchange server, etc.
Has anyone else seen this behavior?
I suggest reading through this document and verifying that every step has been completed exactly.
For example, the fact that your servers are configured to address by IPv4 instead of DNS is called out as a problem in the Prevent Identity Mismatch section.
Thanks for your help, Jonathan. I followed that document and the only things set up to use just the hostname rather than the FQDN were the CUCM publisher and CUCM subscriber nodes. I updated those, but the iOS issue hasn't resolved yet.
From what I can see all the servers are set to use FQDN, none are set to use only their IP address. But the iOS devices show the IP address in the certificate dialog.
My gut reaction is that it has to do with the TFTP service. In the document you linked to it mentions: TFTP Servers (Application > Cisco Jabber > Settings), however on our CIMP servers (ver 126.96.36.199000-3) that option isn't there. I dug through all the other options in the Application menu and the only ones with TFTP server settings are the Legacy client options and they are already set to use FQDN.
I'm still testing to be sure on the desktop clients, but I think that changing the CUCM servers to FQDN from hostname only fixed that.
I lied. On a fresh install the PC client is still giving those errors also. It is also hitting at the IP addresses. The IP addresses specified are the CUCM servers so I guess it could be for CUCM in general, CTI control, or TFTP.
NOTE: CCO account required for that link.
Installed the referenced COP file and it seems to have resolved the issue. The COP file is for Collaboration Edge, but we are not using Collaboration Edge at this point and it fixed it for us.
I am running into this issue as well. When doing a fresh install of Jabber, the certificate that is presented is the IP address of my CUCM instead of FQDN. All my settings are FQDN for all my servers.
When you installed the COP file, did you have to reboot the server?
And can anyone answer if this COP file resolves just this issue or other issues as well? I cannot seem to find the documentation regarding this file.
When I installed the COP file I had to reboot my cluster. Just the CUCM nodes, not CUC or CIMP. In our case we have a publisher and a subscriber so I had to reboot both. If you have more than one subscriber you will need to reboot them all.
The file and readme are available here:
You may have to click the link on the left for COP files.
Here is an attempt at a direct link to that readme:
There are five items listed as either enhancements or improvements.
Thank you very much for the prompt response, Shawn!
Glad to know I wasn't the only person to encounter this issue and that there's a fix!
I installed the COP file on my Publisher and both subscribers last week and rebooted all nodes. I am now seeing the same certificate errors w/ IPs of the subscribers.
All servers are set as FQDN on CUCM and under User Settings > UC Service, they are also FQDN.
As a follow-up, soon after I installed the COP file the issue returned. We also had some issues around Jabber for Everyone and ended up upgrading our cluster to version 10 and Jabber client to 9.7.
We've been testing some more and I've had a couple of people report that on first launch they get a certificate warning for our XMPP connection. On our IM & Presence servers we installed certificates that had both the FQDN and just the domain itself as a subject alternate name. This is what is giving the error. If the user clicks either the accept or deny button then they log in and work as normal. Often they don't see the certificate warning again.
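The identity mismatch discussed in this thread (a client reaching a server by IP address or short hostname while the certificate names only the FQDN) can be checked offline against a list of configured addresses. This is an added example, not part of any post in the thread and not Cisco's code; the host names, the address and the function names are constructed, and the certificate dicts follow the shape returned by Python's `ssl.getpeercert()`.

```python
import ipaddress

def _dns_match(pattern, name):
    """Match one DNS SAN; '*' may replace only the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == n[1:]
    return p == n

def check_identity(address, cert):
    """Return (ok, reason) for an address a client was configured with."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress SANs, never DNS names.
        ips = [v for kind, v in sans if kind == "IP Address"]
        if any(ipaddress.ip_address(v) == ip for v in ips):
            return True, "IP SAN match"
        return False, "IP address not in certificate"
    if any(_dns_match(v, address) for kind, v in sans if kind == "DNS"):
        return True, "DNS SAN match"
    if "." not in address:
        return False, "short hostname, certificate lists FQDNs"
    return False, "name not in certificate"

def audit(addresses, cert):
    """Map each configured address that would trigger a warning to its reason."""
    results = ((a, check_identity(a, cert)) for a in addresses)
    return {a: reason for a, (ok, reason) in results if not ok}

# Constructed sample data (not taken from the thread).
CUCM_CERT = {"subjectAltName": (("DNS", "cucm-pub.example.com"),)}
# SAN layout of the kind the last post describes: server FQDN plus bare domain.
XMPP_CERT = {"subjectAltName": (("DNS", "cimp1.example.com"),
                                ("DNS", "example.com"))}
CONFIGURED = ["192.0.2.10", "cucm-pub", "cucm-pub.example.com"]

if __name__ == "__main__":
    for addr, reason in audit(CONFIGURED, CUCM_CERT).items():
        print(f"{addr}: {reason}")
```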