Jeff,

Jeff Levensailor · ‎12-06-2015

It's kind of rediculous that all phones in a cluster will do a hard reset when you remove a certificate trust.

Anyone else run into this?

In my case it was necessary because the cluster domain name changed. Certificates were required that the customer could actually fulfill.

Deepak Rawat · ‎12-06-2015

Jeff, since your cluster domain name was changed hence this particular defect does not apply for you as it is specific to "when you manually remove the CAPF / CallManager / TVS-trust from CM OSAdmin"

Since you changed the Domain Name hence it generated all the relevant CM certificates along with the associated trust certificates by default causing the devices to reset and hence it is highly recommended that you do this activity in after hours. Output from my lab that even gives this warning as well:

admin:set network domain ccx.cisco.com
          ***   W A R N I N G   ***
Adding/deleting or changing domain name on this server will break
database replication. Once you have completed domain modification
on all systems that you intend to modify, please reboot all the
servers in the cluster. This will ensure that replication keeps
working correctly. After the servers have rebooted, please
confirm that there are no issues reported on the Cisco Unified
Reporting report for Database Replication.

The server will now be rebooted. Do you wish to continue.

Security Warning : This operation will regenerate
       all CUCM Certificates including any third party
       signed Certificates that have been uploaded.

Continue (y/n)?

Regards

Deepak

- Rate Helpful Posts -

Jeff Levensailor · ‎12-06-2015

Deepak,

changing the domain name requires you to reboot all servers, yes, and all certificates are re-generated. the problem is that the old certificates still exist on the cluster. you can delete the ITL file on the phones all you want, but theres no way the ITL can have all those TVS entries.

I called TAC and they suggested stopping the certificate change notification service, which propogates certificates between servers, and delete all the old certificates and trusts with the old domain.

I can say without a doubt, that when you remove a certificate trust from a server, even if it isn't in use, all the phones in the entire cluster do a hard reset, dropping calls and all.

The bug is described as "enhancement" and the workaround says to just perform during a maintenance window, but that doesn't work for any 24/7 areas.

How can you lose a datacenter, maintain connectivity, but lose an -unused- certificate and all phones go down?

Deepak Rawat · ‎12-06-2015

Jeff,

"I can say without a doubt, that when you remove a certificate trust from a server, even if it isn't in use, all the phones in the entire cluster do a hard reset, dropping calls and all."

Above comment that you wrote if it is true and it did happen in your environment as well then definitely it can be further investigated by TAC and this is the whole reason the bug was opened in the first place. Since the bug is still in an Open state I am pretty sure some work on this must be going in the background. You can always contac TAC in order to get the latest update on the defect or set an e-mail alert to yourself by clicking on "Add Notification" section of the bug so that you can get updates whenever there is.

Regards

Deepak

- Rate Helpful Posts -

CSCut58407 Devices shouldn't restart when CAPF / CallManager / TVS-trust is removed