cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2445
Views
5
Helpful
7
Replies

Jabber 14 getting invalid and expired cert warning CUPS 12.5

iverson.justin
Level 1
Level 1

Getting invalid and expired cert warnings for CUPS servers. PUB shows expired and SUB shows invalid.  CUP-XMPP & Tomcat have valid enterprise certs, nodes have been both completely restarted. My SUB is new and CUPS sub is still offering the self-signed cert, my PUB is still offering the expired cert from 30 days go. Deleted and uploaded certs plus restarted cluster, still getting errors on Jabber.  TAC is looking but taking bit.  

1 Accepted Solution

Accepted Solutions

iverson.justin
Level 1
Level 1

TAC resolved with root access and had to remove bad cert twice. BUG CSCwa01599

Problem Description

Presence 14.0.1

 

Publisher node seemed to have a known defect (CSCwa01599) but the workaround was applied without success.  The old expired certificate was still being presented.

 

Summary

We thoroughly checked all locations for the certificate including database and file system.  We confirmed that the new certificate was present for all locations mentioned.  however, the problem was a backup copy of the xmpp.pem file located in the same directory of /usr/local/xcp/certs/xmpp/.  This backup file was being presented to jabber even though it was named xmpp.pem_orig, which was the old, expired certificate.  So simply deleting this file from the server followed by the same service restarts for Cisco XCP Connection Manager and Cisco XCP Router resolved the issue.

View solution in original post

7 Replies 7

Thump Rule renew expired certificates and restart the related services.

 

Have you done this ?



Response Signature


Yes, restarted all services several times. Same results. 

Can you please share screenshots from your servers from the certificate management page?



Response Signature


iversonjustin_0-1667363489595.png

Screen shot of cup-xmpp cert, Jabber client is still presenting the self signed IMP cert even though I replaced cup-xmpp with enterprise CA-signed cert.  Getting no where with TAC, they say its bug https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb89326

Jabber client cert is pulling: 

iversonjustin_1-1667363737415.png

 

Really hard to see anything on the certificate screenshot, will check again from a computer when I get to work. On the bug, if you’re truly hitting that defect TAC should be able to help you with removal of the stuck certificate(s) from their root access. 



Response Signature


Have you restarted the services and server after uploading the CA signed certificates ?

If you are hit with the BUG TAC could be able to Fix it .



Response Signature


iverson.justin
Level 1
Level 1

TAC resolved with root access and had to remove bad cert twice. BUG CSCwa01599

Problem Description

Presence 14.0.1

 

Publisher node seemed to have a known defect (CSCwa01599) but the workaround was applied without success.  The old expired certificate was still being presented.

 

Summary

We thoroughly checked all locations for the certificate including database and file system.  We confirmed that the new certificate was present for all locations mentioned.  however, the problem was a backup copy of the xmpp.pem file located in the same directory of /usr/local/xcp/certs/xmpp/.  This backup file was being presented to jabber even though it was named xmpp.pem_orig, which was the old, expired certificate.  So simply deleting this file from the server followed by the same service restarts for Cisco XCP Connection Manager and Cisco XCP Router resolved the issue.