cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5845
Views
3
Helpful
9
Replies

CSCwc26596 - Unable to upload Signed cert-duplicate of pre-existing

BradMarkel93582
Level 1
Level 1

I ran into this bug recently.  Upgraded a UCM 11.5 cluster to UCM 14 SU2.  The upgrade went smoothly and the certificates migrated normally.  This bug came into play when the tomcat certificate was recycled.

 

The existing tomcat certificate was signed by our internal CA and new certificate is also signed by the same CA.  Following the normal process to generate a CSR went smoothly.  Attempts to install the new certificate failed with the following error:

Cannot import certificate. It is a duplicate of pre-existing certificate 'xxxxx.pem'. both have SubjectName: 'CN=xxxxx' and SerialNo. This certificate exists in tomcat-trust

 

As it turns out bug CSCwc26596 causes the certificate install to fail if the certificate chain Root CA and Intermediate CA begin with the same text up to the first space.

For example:  OrgName Root CA, OrgName Intermediate CA

Both start with "OrgName " in this case.

 

The fix is included in a COP file.


https://www.cisco.com/web/software/286319173/139477/ciscocm.V14-SU2-SU2a_CSCwc26596_C0169-1.k4.cop-Readme_v2.pdf

 

Hope that saves someone else time.

9 Replies 9

Michael.Heimann
Level 1
Level 1

I have this issue with PCD and sadly the cop from the bugfix doesn't install on PCD: "This COP installation is not applicable for ucmap."

Seems like a bug in a patch to me.

I have no solution, only a workaround: reinstall PCD to older version, install the certificate and then update to 14 SU2. 

Have the same issue, COP file did not resolve my issue

Best Regards

johns10t
Level 4
Level 4

I'm seeing this issue in UCCX 12.5 SU3. It looks like bug CSCwf40230 has been created for it.

I'm also seeing something similar in CCX 12.5 SU2 ES04. What was the error you received in the GUI? In our case we are seeing: "java.security.cert.CertPathBuilderException: Could not build a validated path."

Been working with TAC now almost 2 weeks since I frist encountered the issue, this is what has been done and still no luck.

++ Created root account on all the seven nodes .

++ upload the tomcat folder from publisher to sftp server .

++ created backup folder of tomcat with existing data and pasted tomcat folder to all the subscriber nodes from sftp server .

++ tried uploading the certificates again but the issue is still there .

++ deleted root and intermediate certificate from gui that are recently uploaded .

++ installed revert cop file on all the nodes “ciscocm.V14-SU2-SU2a_CSCwc26596_C0169-1_revert.k4.cop.sha512”.

++ then installed cop file again on all the nodes  “ciscocm.V14-SU2-SU2a_CSCwc26596_C0169-1.k4.cop.sha512” .

++ tried uploading the certificates again but the issue is still there .

 

Have another Webex with TAC later today hopefully it will be resolved today.

Best Regards

Hi All, 

We got the certificate issue fixed.

Below is the Webex summary :-

++ Found that root certificate is not present on the cucm.

++ Uploaded the root certificate as tomcat trust and call manger trust but its not present in the cucm base.

++ found old root certificate has same CN “CN = Entrust Root Certification Authority - G2” name which is causing the issue.

++ deleted the old root certificate from call manager trust and tomcat-trust.

++ added new root certificate as tomcat trust and call manager trust.

++ uploaded the CA signed tomcat & call manager certificate.

++ restarted Tomcat services and then updated the CTL file

++ Restarted call manager, CTI manager, TVS, and TFTP from all the nodes.

++ Reset the entire devices and all the phones are registered to the cucm.

Best Regards

jorozco
Level 1
Level 1

I have this issue too,I will open a case with TAC.

The process that was performed by Hermanus is too big for us. 

Save yourself some time and make sure the root certificate that needs to be replaced in the tomcat-trust and call-manager trust is deleted before you upload the new root certificate. then the tomcat and call manager certificate will load no problem.

 

Best Regards

loizosko
Level 1
Level 1

the cop file worked for me.

i only installed it on the node that had issue