09-29-2019 07:20 PM - edited 10-01-2019 08:01 PM
Is regeneration of CAPF and re-signing by the CA needed after changing CUCM to mixed mode, if the LSC was previously installed in non-secure mode?
1. Phones were previously signed with a CA-signed LSC and had 802.1x enabled for NAC. CUCM v12.5 was in non-secure mode.
2. The customer requires encryption on the phones, so we have converted CUCM v12.5 to mixed mode.
3. Phones are not able to register after we applied the secure SIP profile. NAC is working, as the phone is still getting an IP, but it just cannot register to CUCM. If we delete the LSC from the phone, the phone can register using the secure profile.
The phone (with LSC) is getting the error below.
7851 ERR Sep 23 15:01:20.320158 (348:2292) SECUREAPP-Secure Connection Handshake failed.
7852 NOT Sep 23 15:01:20.322478 (348:2292) SECUREAPP-Close and free connection handler at 0x2a1c63b0
7853 NOT Sep 23 15:01:20.323210 (348:2292) SECUREAPP-Sec SSL Close Connection successful.
7854 ERR Sep 23 15:01:20.323699 (348:2292) SECUREAPP-PXY_SSL_CLNT: SSL CLNT ERR, srvr[10.178.23.16]
7855 ERR Sep 23 15:01:20.324523 (348:2292) SECUREAPP-SECERR_DETAIL: ** SEC-ERR: code:[11]([UNKNOWN_ERR]) subcode:[0]([N/A])
7856 ERR Sep 23 15:01:20.325041 (348:2292) SECUREAPP-SECERR_DESC: ** SEC-ERR: desc [ssl setup failed]
From CUCM, we are getting this:
07275357.000 |14:58:46.457 |AppInfo |[3, 100, 247, 138]: HandleSSLError - Certificate verification failed:(Verification error:2)- unable to get issuer certificate for 10.178.99.71:51537
The ITL and CTL checksums on the phone are the same as on the publisher, so there is no error on that. This is confirmed by the phone logs below:
UREAPP-validateSignedCTL: new TL matches old, not updating
09-30-2019 01:50 AM
10-01-2019 08:01 PM
Hi Rajan
No. There was no CTL file before we switched to mixed mode.
Regards
Esther