'HOST not Found' - Security Error: 'some' phones don't trust the server.

keanej
Level 3

Recently upgraded to 12.5.1 and took the opportunity to replace the self signed certs with CA Signed certs.

For the Call Manager / Tomcat and IPSec certs. Also added the root CA / issuing CA to the trust store of these.

Everything (and Jabber) works perfectly, no cert errors anywhere; wonderfully smooth.

 

However, an issue has arisen: a percentage of phones, maybe 10%,

get 'host not found' when you press Services and Extension Mobility.

The fault is the phone doesn't trust the server, probably due to the new cert; see below.

So I'm thinking I have forgotten to add the CA root / issuing cert to a store somewhere.

Question: how do I get the phones to trust the new cert? But also, why are some phones working and some not?

I can't find any common factors between the failing phones: different models / sites; other models configured the same at the same site work perfectly.

 

Is there a trust store somewhere that the phones import?

Any help appreciated.

 

James

 

 

ERR May 28 14:43:28.503400 (344-3945) SECUREAPP-No match found in trust list against the item
6494 ERR May 28 14:43:28.697857 (344-3946) SECUREAPP-filterOutCiphers:0 ret:1
 
ERR May 28 14:43:30.258548 (344-3945) SECUREAPP-TVS Cert Validation - provider returned NULL response
6503 ERR May 28 14:43:30.258609 (344-3945) SECUREAPP-Failed to validate cert using TVS

Jaime Valencia
Cisco Employee

I suggest you start by reading the documentation related to ITL/TVS; that has been around since 8.x, and anyone who manages a CUCM needs to be familiar with both concepts.

 

If you were able to upload your CA signed certificates to CUCM, all the necessary certificates are in the -trust stores.

Did you follow the proper documentation while uploading the new certificates and gave enough time in between them?

HTH

java

if this helps, please rate

Thanks for the response, Jaime

 

I have replaced all the Tomcat / CUPS certs and rebooted everything. I kind of presumed rebooting all the servers in sequence was the same thing.

Keep in mind, a lot of the phones are working perfectly.

Could it be that some phones may have been powered off and didn't get the new trust list?

Also, some phones are failing on UCCX services; their Tomcat is also now signed by the same local CA.

 

I'll regenerate the TVS cert, I think, and follow the procedure closely.

 

Using this guide:

 

https://community.cisco.com/t5/collaboration-voice-and-video/cisco-uc-certificates-renewal-guide/ta-p/4077131

 

I'll let you know my progress !

 

Thanks

 

James

Followed the procedure EXACTLY, so TVS cert replaced across the cluster, restarted the services in the right order and waited till everything was done before moving on. Last but not least, rebooted all devices in the cluster (gulp).

 

Still not working!

 

Phone getting error:

8238 ERR Jun 02 15:07:43.483659 (348-15866) SECUREAPP-No match found in trust list against the item

Getting annoying now.

 

So just to summarise: the phone loads, gets config, everything works perfectly, but when they select the application (Extension Mobility) they get 'host not found'.

Service setup: XML Service

with

https://HOSTNAMEGOOD:8443/emapp/EMAppServlet?device=#DEVICENAME#

Thanks

 

James 

Can you remove the old ITL/CTL by going to the security settings on the phone and see if it resolves your issue? If the phone holds the old one, it won't accept the new.

 

You can find plenty of content on how to remove the CTL/ITL on Google.


You have to remove the old ITL files from the phones which have the issue.

 

You can try the tool below to do it in bulk.

 

https://www.unifiedfx.com/products/phoneview-itl-delete

 

Nithin

 

Sorry, this isn't the correct solution.

 

But thanks for responding.

Have you tried this on at least one phone before you wrote it off as not being the solution?

What you describe matches perfectly with phones losing trust with the CM. This is controlled by two certificates, CallManager and TVS. This is the reason why these should never be renewed at the same time. At best there should be a period of a few weeks between the renewals of these to let the phones get the new certificate.

 

Roger

 

Definitely not working; tried the security reset and the factory reset.

 

4790 ERR Jun 09 09:36:02.464823 (344-30586) SECUREAPP-Failed to validate cert using TVS
4791 INF Jun 09 09:36:02.466008 (29822-29950) JAVA-SSL session setup Cert Verification - Certificate validation helper plugin returned.
4792 ERR Jun 09 09:36:02.466063 (29822-29950) JAVA-SSL session setup Cert Verification - Certificate is invalid.
4793 DEB Jun 09 09:36:02.466084 (29822-29950) JAVA-SSL session setup Cert Verification - returning validation result = 0
4794 ERR Jun 09 09:36:02.466472 (29822-29950) JAVA-Sec SSL Connection - Handshake failed.

 

Please note - I only reset the TVS cert after this fault occurred

 

Thanks

 

James 
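As an added example (not code from the original thread, nor from Cisco), the Python below parses phone console log lines like the ones quoted above and tags the three stages visible in them: the SECUREAPP miss against the phone's local trust list (ITL/CTL), the failed TVS fallback, and the JAVA TLS verifier rejecting the certificate so the handshake fails. The sample lines are constructed from those quoted in this thread (two captures joined); the message fragments it keys on are the ones visible here, while the tag names and verdict labels are my own.

```python
"""Classify Cisco IP phone console log lines (SECUREAPP / JAVA) for server-trust failures.

Added example for this thread; not Cisco code. The message fragments it keys on are
the ones quoted in the thread; the tag names and verdict labels are assumptions.
"""
import re
from collections import Counter

# Phone console line: optional sequence number, level, timestamp, "(pid-tid)",
# component name, a dash, then the free-text message.
LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+)\s+)?(?P<level>ERR|WRN|NOT|INF|DEB)\s+"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\((?P<tid>[\d-]+)\)\s+(?P<comp>[A-Z]+)-(?P<msg>.*)$"
)

# Fragment -> tag. Order follows the phone's trust decision: the local ITL/CTL is
# checked first, then TVS is asked, then the TLS verifier gives its verdict.
SIGNATURES = {
    "trust_list_miss":  "No match found in trust list against the item",
    "tvs_null":         "TVS Cert Validation - provider returned NULL response",
    "tvs_failed":       "Failed to validate cert using TVS",
    "cert_invalid":     "Certificate is invalid",
    "handshake_failed": "Handshake failed",
}

# Constructed sample, modelled on the lines quoted in this thread (two captures joined).
SAMPLE_LOG = """\
ERR May 28 14:43:28.503400 (344-3945) SECUREAPP-No match found in trust list against the item
6494 ERR May 28 14:43:28.697857 (344-3946) SECUREAPP-filterOutCiphers:0 ret:1
ERR May 28 14:43:30.258548 (344-3945) SECUREAPP-TVS Cert Validation - provider returned NULL response
6503 ERR May 28 14:43:30.258609 (344-3945) SECUREAPP-Failed to validate cert using TVS
4791 INF Jun 09 09:36:02.466008 (29822-29950) JAVA-SSL session setup Cert Verification - Certificate validation helper plugin returned.
4792 ERR Jun 09 09:36:02.466063 (29822-29950) JAVA-SSL session setup Cert Verification - Certificate is invalid.
4793 DEB Jun 09 09:36:02.466084 (29822-29950) JAVA-SSL session setup Cert Verification - returning validation result = 0
4794 ERR Jun 09 09:36:02.466472 (29822-29950) JAVA-Sec SSL Connection - Handshake failed.
(not a log line: console banner text)
"""


def parse_line(line):
    """Return a dict of fields for one console line, or None if it is not a log record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"]) if rec["seq"] else None
    rec["tags"] = [tag for tag, frag in SIGNATURES.items() if frag in rec["msg"]]
    return rec


def analyse(lines):
    """Parse every line; return (records, tag counts, ERR counts per component)."""
    records = [r for r in (parse_line(ln) for ln in lines) if r]
    tags = Counter(t for r in records for t in r["tags"])
    errs = Counter(r["comp"] for r in records if r["level"] == "ERR")
    return records, tags, errs


def diagnose(tags):
    """Collapse the tag counts into one verdict about why the phone rejected the server."""
    if tags["trust_list_miss"] and (tags["tvs_failed"] or tags["tvs_null"]):
        # Neither the phone's own ITL/CTL nor the TVS service vouched for the cert.
        return "untrusted-server"
    if tags["trust_list_miss"]:
        # Local list missed but no TVS failure in this capture: check the TVS lines.
        return "itl-miss-only"
    if tags["cert_invalid"] or tags["handshake_failed"]:
        # Handshake died without a trust-list message in this capture.
        return "tls-failure"
    return "no-trust-failure"


if __name__ == "__main__":
    recs, tag_counts, err_counts = analyse(SAMPLE_LOG.splitlines())
    for r in recs:
        if r["tags"]:
            print(f'{r["ts"]} {r["comp"]:9} {",".join(r["tags"])}')
    print("ERR lines per component:", dict(err_counts))
    print("verdict:", diagnose(tag_counts))
```

Feed it a whole console log dump from one of the failing phones; an "untrusted-server" verdict means the server cert is in neither the phone's ITL/CTL nor reachable via TVS, which is a cluster/trust-list problem rather than a service URL problem, and a phone that parses clean would point elsewhere.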

Scott Leport
Level 7

Hi there,

 

Is EM the only thing which is affected? Have you tried updating the subscriptions under the IP phone service?

Also, not sure if you've seen this thread at all. It's quite a number of years old, but could still be applicable to your issue:

https://community.cisco.com/t5/ip-telephony-and-phones/host-not-found-extension-mobility-problem/td-p/1413533

 

All services impacted; set up another service and it's the same.

The old thread isn't relevant.

 

This is an 8841 on

Active Load ID: sip88xx.12-8-1-0101-482

 

But thanks

 

Just an update here:

 

This fault is still happening... it's an odd one.

Basically we had a Call Manager certificate update, moved to company-issued certs and loaded the root CAs into the trust stores...

Everything works perfectly... EXCEPT Extension Mobility: about 10-20% of the handsets have this 'host not found' error.

It's NOT an ITL reset. We have two models showing the error, 8841 and 7945. You can do an ITL reset on the 7945 and a 'security settings reset' on an 8841; neither fixes the issue. Also tried a factory reset.

Folks

 

Appreciate all the feedback; one final cluster reset did the trick here. The issue was that the CUCM publisher / subscribers need to be reloaded to activate the new TVS certificate configuration. Then the phones need to be reset in the enterprise settings to pick up that TVS configuration.

The order of the reset & reboots is important. 

 

Thanks

 

James
