Solved: Finesse Certificate Error

mightyking · ‎10-02-2019

Hello Experts,

I am having some issues with Finesse certificates when it comes to regenerate, sign and upload them. We have a HA UCCX cluster which we just upgraded from 10.6 to 11.6 few days ago. I have done the entire process using GUI and CLI but there's probably something that I am doing wrong. Couple of questions:

1) When regenerating CSR certs in primary server, do I need to do the same in the secondary?

2) After regenerating the CSR in primary server, do I need to download the .pem from primary and upload it to secondary as Tomcat-Trust?

3) After regenerating the CSR in secondary server, do I need to download the .pem from secondary and upload it to the primary server as Tomcat-Trust?

4) Now that we are at 11.6 version, do we need to go through the regenerate, sign and upload process again for the new version or the certs from 10.6 are still valid?

Thanks,

MK

Anthony Holloway · ‎10-02-2019

Note: "Multi-server (SAN)" certificate is supported for UCCX from 11.6 release onwards. However, the SAN should include UCCX Node-1 and Node-2 only

Source: https://www.cisco.com/c/en/us/support/docs/customer-collaboration/unified-contact-center-express/118855-configure-uccx-00.html

You should have a read through that document.

One last comment, make sure to reboot the entire UCCX server after the certificate work is done. There are like 5-6 services on each server which need restarting, and it's quicker/cleaner to just reboot the entire server. In fact, I'm almost positive that after you upload the new cert, UCCX will tell you to reboot the whole server. I just wanted to throw that out there, because it's been a problem in the past.

View solution in original post

Anthony Holloway · ‎10-02-2019

Note: "Multi-server (SAN)" certificate is supported for UCCX from 11.6 release onwards. However, the SAN should include UCCX Node-1 and Node-2 only

Source: https://www.cisco.com/c/en/us/support/docs/customer-collaboration/unified-contact-center-express/118855-configure-uccx-00.html

You should have a read through that document.

One last comment, make sure to reboot the entire UCCX server after the certificate work is done. There are like 5-6 services on each server which need restarting, and it's quicker/cleaner to just reboot the entire server. In fact, I'm almost positive that after you upload the new cert, UCCX will tell you to reboot the whole server. I just wanted to throw that out there, because it's been a problem in the past.

mightyking · ‎10-07-2019

Hi Anthony,

I believe that I followed the exact same procedure at the begining.

Started over and deleted everything, regenerated CSR, signed and uploaded as mentioned in the documnet you sent me. Restarted the Cisco Finesse Tomcat and Cisco Unified CCX Notification Service. It works fine with Windows10 but not with Windows7.

Do you have any idea why it is not working with Win7? I may need to proceed with a cluster reboot but it is woking with Win10 without a cluster reboot but not with Win7.

Thanks,

Mk

Anthony Holloway · ‎10-07-2019

I don't think the OS has anything to do with it working. If anything it's the difference in the computer's trust store or the browser version.

I'd also recommend rebooting the whole server though, then worry about troubleshooting the differences between PCs.

mightyking · ‎10-10-2019

Hi Anthony,

I regenerated the CSR for both servers in the cluster, uploaded the root certificate as well as the signed certs followed by a cluster reboot but the issue has not been resolved. It works fine with Firefox but not IE. I did some other tests with windows 10 and can confirm that IE 11 works fine with Windows 10. It looks like some other poeple experienced some issues with Finesse 10.6 with IE. See the following link:

https://community.cisco.com/t5/contact-center/uccx-11-6-1-finesse-ie11-issue/td-p/3230911

Attached is the error message we receive.

Thanks,

MK