Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2832
Views
0
Helpful
2
Replies

Jabber in iPhone 11 pro getting Certificate error

Rocky8971
Level 1
Level 1

‎03-25-2020 10:09 PM - edited ‎03-26-2020 04:31 AM

When our clients are logged in to Jabber there are 2 pop-ups for certificate warning when he accepts all the certificate pop-ups again error gets pop-up(Repeatedly for every 2 min).
How is it possible to disable this warning? Can anyone help me? Is it still a bug or am I doing something wrong?
The only certificate alerts I see are for when the Client connects internally.
CUCM Version:- 11.5.1
Using a Self-signed certificate.
The Screenshot attached shows errors from what looks like the TFTP Server.
The Client is also connected to WiFi, looks like they may be able to reach the internal network.
Configurations in Android and CUCM are the same in both situations. Nothing is changed.
Please find in attachment the error message.

 

Jabber error snap.JPEG

 

2020-03-24 16:44:24,277 INFO [0x000000010718d840] [i/ui/cert/YLCInvalidCertAlertView.m(118)] [UI.Action.User] [-[YLCInvalidCertAlertView initWithDerCertificate:referenceID:certName:response:allowUserAccept:persistAcceptedDecision:]_block_invoke] - user accpet the Certificate Alert for NILcucmsub2.nilesuq.com,and persistAcceptedDecision value is 1

2020-03-24 16:44:24,277 DEBUG [0x000000010718d840] [/InvalidCertNotificationManager.cpp(372)] [csf.cert] [acceptInvalidCert] - User has accepted the request with fingerprint b5 d4 bf 78 bf 7e 10 53 b9 3a 5e 54 61 39 6f 24

2020-03-24 16:44:24,277 DEBUG [0x000000010718d840] [/InvalidCertNotificationManager.cpp(396)] [csf.cert] [acceptInvalidCert] - Signal has been sent.

2020-03-24 16:45:25,989 INFO [0x000000010718d840] [i/ui/cert/YLCInvalidCertAlertView.m(118)] [UI.Action.User] [-[YLCInvalidCertAlertView initWithDerCertificate:referenceID:certName:response:allowUserAccept:persistAcceptedDecision:]_block_invoke] - user accpet the Certificate Alert for nilesuq.in,and persistAcceptedDecision value is 1

2020-03-24 16:45:25,989 DEBUG [0x000000010718d840] [/InvalidCertNotificationManager.cpp(372)] [csf.cert] [acceptInvalidCert] - User has accepted the request with fingerprint cb fd bb 66 cb 7c f1 69 82 49 bf af 19 bd 2e f7

2020-03-24 16:45:25,989 DEBUG [0x000000010718d840] [/InvalidCertNotificationManager.cpp(396)] [csf.cert] [acceptInvalidCert] - Signal has been sent.

2020-03-24 17:12:21,073 INFO [0x0000000106f7d840] [i/ui/cert/YLCInvalidCertAlertView.m(118)] [UI.Action.User] [-[YLCInvalidCertAlertView initWithDerCertificate:referenceID:certName:response:allowUserAccept:persistAcceptedDecision:]_block_invoke] - user accpet the Certificate Alert for NILCUCMSUB2.nilesuq.com,and persistAcceptedDecision value is 1

 

Line 23099: 2020-03-25 14:22:23,636 INFO [0x0000000107001840] [i/ui/cert/YLCInvalidCertAlertView.m(118)] [UI.Action.User] [-[YLCInvalidCertAlertView initWithDerCertificate:referenceID:certName:response:allowUserAccept:persistAcceptedDecision:]_block_invoke] - user accpet the Certificate Alert for NILIMPSUB2.nilesuq.com,and persistAcceptedDecision value is 1

Line 35503: 2020-03-25 14:23:29,569 INFO [0x000000010b905840] [i/ui/cert/YLCInvalidCertAlertView.m(118)] [UI.Action.User] [-[YLCInvalidCertAlertView initWithDerCertificate:referenceID:certName:response:allowUserAccept:persistAcceptedDecision:]_block_invoke] - user accpet the Certificate Alert for NILCUCMSUB3.nilesuq.com,and persistAcceptedDecision value is 1

Line 35504: 2020-03-25 14:23:29,569 DEBUG [0x000000010b905840] [/InvalidCertNotificationManager.cpp(372)] [csf.cert] [acceptInvalidCert] - User has accepted the request with fingerprint b5 d4 bf 78 bf 7e 10 53 b9 3a 5e 54 61 39 6f 24

Line 35505: 2020-03-25 14:23:29,569 DEBUG [0x000000010b905840] [/InvalidCertNotificationManager.cpp(396)] [csf.cert] [acceptInvalidCert] - Signal has been sent.

Line 43890: 2020-03-25 14:23:31,406 DEBUG [0x000000010b905840] [/InvalidCertNotificationManager.cpp(372)] [csf.cert] [acceptInvalidCert] - User has accepted the request with fingerprint cb fd bb 66 cb 7c f1 69 82 49 bf af 19 bd 2e f7

Line 43891: 2020-03-25 14:23:31,406 DEBUG [0x000000010b905840] [/InvalidCertNotificationManager.cpp(396)] [csf.cert] [acceptInvalidCert] - Signal has been sent.

looking into the logs i noticed :- 

020-03-25 11:37:52,791 INFO [0x000000010706d840] [i/ui/cert/YLCInvalidCertAlertView.m(175)] [UI.Cert] [-[YLCInvalidCertAlertView isCertificateAlreadySaved]] - Certificate for NILIMPSUB2.NIL.comnot exists
2020-03-25 11:37:52,791 INFO [0x000000010706d840] [ui/util/YLCAlertControllerManager.m(392)] [UI.Action.System] [-[YLCAlertControllerManager showAlertController:onView:withRect:]] - jabber show alert to user (Cisco Jabber cannot confirm the identity of the server NILIMPSUB2.NIL.com. Do you want to continue?

Also, could notice the following:

2020-03-24 16:44:20,905 ERROR [0x000000016fecb000] [ls/src/cert/ios/iOSCertVerifier.cpp(186)] [csf.cert.ios] [verifyCertificatePolicy] - Policy verification failed, the urls of CRL Distribution Points and Authority Information Access might be unreachable, result=5

1 person had this problem
Preview file
110 KB
0 Helpful
2 Replies 2

Jaime Valencia
Cisco Employee
Cisco Employee

‎03-26-2020 08:10 AM

Do you see the certificates in the device´s trust store (I think apple calls it a different way, but you get the idea) after you accept them?

If not, try to install them before using Jabber either manually or via MDM

 

Also, have you confirmed that those are indeed your certificates and that they do match the CN and the actual server's FQDN/hosntame?

HTH

java

if this helps, please rate
0 Helpful

Rocky8971
Level 1
Level 1
In response to Jaime Valencia

‎03-27-2020 12:22 AM

Hi @Jaime Valencia 

Thank you so much for all your time and response, I really do appreciate it.

Yes, i do see the certificates in the device´s trust store after accepting them. 

 

Also, have you confirmed that those are indeed your certificates and that they do match the CN and the actual server's FQDN/hosntame?

"Yes"

 

My friend has suggested me to follow below steps, I will try this & ll let you know whether its work for me /not

 

  1. " Reset the Jabber on the iPhone Pro 11, which should go ahead and erase all the existing certificates from the device.
  2. As soon as you have the fresh prompt on the application, Login to your Jabber Client, and Click OK on the prompt. This might just add the certs automatically to your Jabber Client’s Trust List. If not, then go to step 3.
  3. Then go to: Settings > General > About > Certificate Trust Settings. Under "Enable full trust for root certificates," turn ON trust for the certificate.
  4. Confirm the same on the device, if it shows as on the link: https://support.apple.com/en-in/HT204477 "

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents