Could not establish TLS connection on port 7001 - "unable to get local issuer certificate"
tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Src-ip="10.0.7.168" Src-port="29127" Dst-ip="<Public IP>" Dst-port="7001" Detail="unable to get local issuer certificate" Protocol="TLS" Common-name="ewe.<domainname>.com" Level="1" UTCTime="2014-11-12 12:48:20,071" 2014-11-12T15:48:05+03:00
I am getting the above error on the Expressway-C server while establishing a TLS connection with the Expressway-E in the DMZ. I have enabled static NAT on the Expressway-E and gave the public IP as the peer address on the Expressway-C. At that time I was getting a DNS resolution error on the Expressway-C, so we added a host record on the local DNS for the public IP. Later, I created CSRs from both the Expressway-C and E servers and asked the local Microsoft team to issue local CA certificates. After uploading them, I was getting the above error (Failed to establish TLS). I have also uploaded the company (wildcard) public certificates (issued by GeoTrust) and we are getting the same error; the Expressway server could not establish a TLS connection on port 7001. Firewall connections are done and I double-checked them.
Assuming that the peer address specified on the Exp-C is the FQDN of the Exp-E, does that FQDN exist in the certificate subject name or SAN of the certificate that was installed on the Exp-E? Also, were the root certificates and intermediate certificates (if applicable) of the CA uploaded to the Exp-C/E?
Certificate of Exp-E -> When generating the CSR from the Exp-E, the FQDN (Exp-E(hostname).domainname.com) is shown automatically. Then this CSR is sent to the local CA or a public CA to generate a certificate. Or do you mean that in the Exp-E CSR we need to add the FQDN of the Exp-C server as well in the alternative name, and vice versa?
Yes, root certificates & intermediate certificates are uploaded to trusted CA.
No, the FQDN of the Exp-C is not required as a SAN on the Exp-E. Did you put the FQDN of the Exp-C in the Subject verify name under the traversal zone on the Exp-E? Does the cert have client authentication attributes?
Ok, it sounds like you have everything configured but it's still complaining about not being able to see the issuer certificates. If you can post screenshots of the traversal zone/client configurations here, that would be great; otherwise you might have to open a TAC case to troubleshoot this further. You could also take a packet capture and look at the certificates being presented to make sure you are seeing what is expected.
I was seeing a similar error on my Expressway-E/C deployment. Turned out that I needed to have the public intermediate CA installed before the root CA. Once I corrected the order in the Trusted CA certificate store, the UC traversal zone was able to establish a connection between E and C.
I was having the same issue with a GeoTrust cert. Then I opened the VCS-E with Firefox, exported the whole certificate chain to separate PEM files accordingly and imported them to the VCS-C. Worked just fine. Somehow I was not able to match the GeoTrust root cert from their website...
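As an added example (not from the thread and not Cisco's code), a few POSIX shell helpers around openssl that do the checks the replies describe: save the chain the Expressway-E presents on 7001, list subject/issuer/SAN per certificate, test whether the peer FQDN appears in the Expressway-E certificate's CN or SAN, and verify the leaf against a trust-store file the way the Expressway-C's Trusted CA list is used, reproducing the "unable to get local issuer certificate" result when the intermediate is missing. It assumes openssl is on the PATH; the hostnames are placeholders.

```shell
#!/bin/sh
# Added helpers, not from the thread or from Cisco. Assumes openssl is on the PATH;
# expe.example.com below is a placeholder for the Expressway-E peer address.

# Save the chain the Expressway-E presents on 7001 (needs network reach to the E).
fetch_chain() {                       # $1 = Expressway-E FQDN, $2 = output PEM file
  openssl s_client -connect "$1:7001" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/BEGIN CERT/,/END CERT/p' > "$2"
}

# Split a PEM bundle into one file per certificate, in presented order; prints the count.
split_chain() {                       # $1 = bundle.pem, $2 = existing output directory
  awk -v d="$2" '/BEGIN CERT/ { n++; f = sprintf("%s/cert%02d.pem", d, n) }
                 { print > f }  /END CERT/ { close(f) }  END { print n + 0 }' "$1"
}

# Subject, issuer and SAN of each certificate: each issuer should be the next subject,
# and the last issuer must exist in the trust store or the C reports error 20.
chain_report() {                      # $1 = bundle.pem
  d=$(mktemp -d); split_chain "$1" "$d" >/dev/null
  for c in "$d"/cert*.pem; do
    openssl x509 -in "$c" -noout -subject -issuer -nameopt RFC2253
    openssl x509 -in "$c" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1
    echo ---
  done
  rm -rf "$d"
}

# True when the FQDN the Expressway-C expects (peer address / Subject verify name)
# is the certificate's CN or one of its DNS SAN entries (case-insensitive).
san_matches() {                       # $1 = cert.pem, $2 = expected FQDN
  e=$(printf '%s' "$2" | sed 's/\./\\./g')           # escape dots for the regex
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -qiE "CN=$e(,|\$)" && return 0
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | grep -qiE "DNS:$e(,|\$)"
}

# Build the path from the leaf to a trusted root using only the trust-store file, as the
# Trusted CA certificate list on the C is used. Prints openssl's reason and returns its
# status: a missing intermediate gives error 20, "unable to get local issuer certificate".
chain_verifies() {                    # $1 = trust-store.pem (root + intermediates), $2 = leaf.pem
  openssl verify -CAfile "$1" "$2" 2>&1
}
```

Run chain_report on the saved chain and compare each issuer line with the subjects in the Trusted CA list; then chain_verifies with the trust-store PEM shows the exact reason the handshake is rejected.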