07-31-2014 10:49 AM - edited 03-19-2019 08:27 AM
Hello Support Community,
I have a strange problem:
after upgrading my CUCM and Unity Connection from 9.1 to 10.5(1), encrypted calls are no longer working.
Situation 1: CUCM is down, Subscriber is up: encrypted calls to Unity Connection work correctly.
Situation 2: CUCM is up: encrypted calls to Unity Connection do not work.
I get the following info in the log for the Connection Conversation Manager:
19:35:21.053 |15865,,,MiuGeneral,25,Invalid Certificate: Received Certificate -----BEGIN CERTIFICATE-----
MIID8zCCAtugAwIBAgIQc/fBdUz1Zdh4CXhcPqGVuDANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJERTELMAkGA1UEChMCSVQxGzAZBgNVBAsTEkhlbGxnYXRlIFRl
....
XD0oD9d5MQ==
-----END CERTIFICATE-----
doesn't match with stored Certificate: -----BEGIN CERTIFICATE-----
MIIC2DCCAkGgAwIBAgIIJWCm4bSdt+kwDQYJKoZIhvcNAQEFBQAw
...
-----END CERTIFICATE-----
So where does Unity Connection cache this certificate, and how can I delete/replace it?
The cert shown in the logs is the one from CUCM ("CallManager"). I recreated it through CUCM OS Administration, and now I see the same error message on Unity Connection for the newly recreated certificate.
04-03-2017 08:29 AM
I'm not a fan of replying to necro-posts, but I've encountered this problem a few times and it caused me a lot of grief figuring out how to fix it.
In the hopes of saving someone else some grief:
This document shows the process of what happens when secure certs are set up between CUC and CUCM.
http://www.cisco.com/c/en/us/support/docs/unified-communications/unity-connection/200504-Configure-and-Troubleshoot-Secure-Integr.html
If you decode the certificates in the MIU SIP Microtraces you can see the certs being compared.
If you look on CUCM in the regular places to find where the certificate originates from, you probably won't see it as it comes from the CUCM CTL.
If you issue a show CTL from the CUCM Publisher you may see the certificate that is listed in the MIU microtrace.
The CTL is retrieved by CUC from CUCM. During the certificate exchange for the SIP trunk between CUC and CUCM, if there is a difference in CUCM certificates, the above error results.
If the CUCM certificates have been regenerated and the cluster is in mixed mode, then updating the CTL file on CUCM will update the CTL with the latest certificates.
I had to reboot Unity in order to force it to reload the CTL which resulted in the correct certs being compared and ultimately the TLS SIP trunk coming online.
Brad.
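As an added example (not from this thread or from Cisco), a small Python script that pulls the "Received" and "stored" certificates out of an MIU trace excerpt like the one quoted above and prints their fingerprints, so they can be matched against the CallManager certificate in CUCM OS Administration or the entries in the CTL. The trace text is constructed with placeholder base64 bodies, not real certificates, and truncated PEM blocks (the "...." seen in copied traces) are reported rather than decoded.

```python
import base64
import hashlib
import re

# Constructed MIU-style trace excerpt; the PEM bodies are placeholder base64,
# not real certificates, so the fingerprints are illustrative only.
SAMPLE_TRACE = (
    "19:35:21.053 |15865,,,MiuGeneral,25,Invalid Certificate: "
    "Received Certificate -----BEGIN CERTIFICATE-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "-----END CERTIFICATE-----\n"
    "doesn't match with stored Certificate: -----BEGIN CERTIFICATE-----\n"
    "MDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3A=\n"
    "-----END CERTIFICATE-----\n"
)

# Captures the label the MIU trace uses ("Received" or "stored") and the PEM body.
CERT_RE = re.compile(
    r"(Received|stored) Certificate:?\s*-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.S,
)
B64_RE = re.compile(r"[A-Za-z0-9+/]*={0,2}")

def fingerprint(der, algo="sha256"):
    """Colon-separated uppercase digest, the form most certificate viewers display."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def extract_certs(trace):
    """Map each label in the trace to its DER bytes, or None if the PEM body
    is truncated or mangled (e.g. contains '....' in place of the full base64)."""
    certs = {}
    for label, body in CERT_RE.findall(trace):
        body = "".join(body.split())
        if not B64_RE.fullmatch(body) or len(body) % 4:
            certs[label.lower()] = None  # cannot be decoded from this excerpt
            continue
        certs[label.lower()] = base64.b64decode(body)
    return certs

def compare_trace(trace):
    """Return fingerprints of the received and stored certs and whether they are identical."""
    certs = extract_certs(trace)
    fps = {k: (fingerprint(v) if v is not None else None) for k, v in certs.items()}
    complete = len(certs) == 2 and all(v is not None for v in certs.values())
    match = complete and certs["received"] == certs["stored"]
    return {"fingerprints": fps, "match": match}

if __name__ == "__main__":
    result = compare_trace(SAMPLE_TRACE)
    for label, fp in result["fingerprints"].items():
        print(f"{label:9s} {fp}")
    print("certificates match:", result["match"])
```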