
Online CA feature does not work

quevedo_lopez
Level 1

Hi,

I'm trying to set up the Online CA feature in my lab with no luck. I've followed this guide but I can't manage to get this to work.

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/214501-configure-automatic-certificate-enrollme.html

 

I did the workaround suggested by Cisco on the bug CSCvs66844 and I have the same version (12.5.1.11900-146) that is related to the bug, but the situation persists. I did a debug and it says:

 

14:41:21.291 | debug Starting CAPF
14:41:21.494 | CServiceParameters::Init() OnlineCA Initialized
14:42:34.450 | debug ERROR:CAPF sigusr registered
14:42:34.450 | debug ERROR:cache thread started
14:42:34.465 | debug capfLoadCAPFKey(file:'/usr/local/cm/.security/CAPF/keys/CAPF_priv.der')
14:42:34.471 | debug loadFile('/usr/local/cm/.security/CAPF/keys/CAPF_priv.der')
14:42:34.471 | debug loadFile() successfully loaded file: '/usr/local/cm/.security/CAPF/keys/CAPF_priv.der'
14:42:34.471 | debug Successfully loaded CAPF public/private key pair
14:42:34.471 | debug loadFile('/usr/local/cm/.security/CAPF/certs/CAPF.der')
14:42:34.471 | debug loadFile() successfully loaded file: '/usr/local/cm/.security/CAPF/certs/CAPF.der'
14:42:34.471 | debug Successfully loaded CAPF cert '/usr/local/cm/.security/CAPF/certs/CAPF.der'
14:42:34.497 | debug Minimum version configured is 1.2
14:42:34.498 | debug CA Type is Online CA, setting up EST Connection
14:42:34.498 | debug Inside setUpESTClient
14:42:34.498 | debug Inside read_binary_file()
14:42:34.498 | debug Completed action in read_binary_file()
14:42:34.498 | debug cacert read success. cacert length : 2118
14:42:34.499 | debug EST context ectx initialized
14:42:34.896 | debug CA Credentials retrieved
14:42:34.896 | debug est_client_set_auth() Successful!!
14:42:34.896 | debug EST set server details success!!
14:42:34.896 | debug Free cacert...
14:42:34.896 | debug Setting the timeout on EST client to 60 seconds
14:42:34.896 | debug In capfListenPhoneConn
14:42:34.900 | debug IP_Mode = 0
14:42:34.900 | debug SockServ[i] = 0x00000010
14:42:34.930 | debug Socket 0x00000010 ready for connection with AF_INET family, on port 3804
14:42:34.930 | debug IP_Mode = 0
15:01:55.109 | debug FD_ISSET i=0, SockServ=10

15:01:55.109 | debug Accepted TCP connection from socket 0x00000010
, fd = 10
15:01:56.379 | debug 2:SEPC4B36A6DCB85:Message does not contain a certificate.
15:01:56.379 | debug 2:SEPC4B36A6DCB85:Retrieved SUDI cert from message.
15:01:56.379 | debug 2:SEPC4B36A6DCB85:Message does not contain sha2 datablk.
15:01:56.379 | debug 2:SEPC4B36A6DCB85:hashedfilename is '/usr/local/cm/.security/CAPF/certs/417aa245.0'
15:01:56.379 | debug 2:SEPC4B36A6DCB85:hashedfilenamelen is '52'
15:01:56.386 | debug 2:SEPC4B36A6DCB85:Signature ok
15:02:06.218 | debug 2:SEPC4B36A6DCB85:In capfIsDevCTI()
15:02:06.219 | debug 2:SEPC4B36A6DCB85:KeyType 0
15:02:06.347 | debug 2:SEPC4B36A6DCB85:capfGetKeepAliveTime:Timer expiry is : 15 minute
15:02:06.351 | debug 2:SEPC4B36A6DCB85:CA Mode is OnlineCA, Initiating Automatic Certificate Enrollment
15:02:06.351 | debug 2:SEPC4B36A6DCB85:Calling enrollCertUsingEST() csr_file=/tmp/capf/csr/SEPC4B36A6DCB85.csr
15:02:06.351 | debug 2:SEPC4B36A6DCB85:Inside X509_REQ *read_csr()
15:02:06.351 | debug 2:SEPC4B36A6DCB85:Completed action in X509_REQ *read_csr()
15:02:06.390 | debug 2:SEPC4B36A6DCB85:Enrollment rv = 53 (EST_ERR_FQDN_MISMATCH) with pkcs7 length = 0
15:02:06.390 | debug 2:SEPC4B36A6DCB85:est_client_enroll_csr() Failed! Could not obtain new certificate. Aborting.
15:02:06.390 | debug 2:SEPC4B36A6DCB85:Return value from enrollCertUsingEST() : 53
15:02:06.390 | debug 2:SEPC4B36A6DCB85:Online Cert Signing Failed

 

Thanks in advance.
