"Host Not Found" error received when attempting to use the corporate directory

Beginner

Good morning - We just recently started receiving this error a couple of days ago. Nothing in the environment changed, but the directory simply stopped working. What is even more odd is that my phone (8865) could browse the directory yesterday but it can't today. Most of our phones are 7900 series phones, and I'm on CallManager release 9.1.2 (I know - I'm upgrading VERY soon but want to get these errors cleaned up first!). I've factory reset a phone and upgraded the firmware on it with no luck. Some 7900 series phones seem to be ok though, which makes this scenario even more strange. I have found some other threads that suggested resetting the Trust Verification Service, which I did, but it didn't do anything. It's not a directory sync/LDAP issue because some phones can still see the current directory. I'm at a loss; any suggestions?

Beginner

Are your phones configured to use a hostname or an IP address for Directory Services?

If hostname, did the DNS entry change? Did the DNS domain the phones are given change?

I apologize, I forgot to mention that. They are using IP addresses. Looking at the configs of a phone where the directory is working vs. one that is not (same model), they are identical. It's very strange.

I think I may have found the issue - My CallManager, TVS, and CAPF self-signed certificates expired two days ago, which coincidentally was the last day the directory worked. I can't answer why some aren't working, but could this be the case? I know very little about certificates, but I would think there has to be something to that....

Yup... that is likely the issue.

Hall of Fame Cisco Employee

Are your certificates still valid, or are they expired?

HTH

java

if this helps, please rate

I found a very helpful article listing the certificates and the impact to the system when each certificate expires. According to the article, Tomcat.pem will affect the corporate directory. We (and by we I mean TAC) just renewed the Tomcat.pem on my pub and sub because my UCCX/Finesse users could no longer log in with their AD accounts - so those are both renewed until 2024.

After reading the recommended procedure to update CallManager.pem, TVS, CAPF.pem, and IPSec.pem after hours, I'm a bit (actually very) nervous to do this even after I get a good backup, because CUCM 9.1.2 is no longer supported and if I run into an issue I'm dead in the water...

I verified I'm running non-secure mode, so I don't have to worry about CTL files. I'm comfortable performing a certificate regeneration either by CLI or GUI.

My most pressing question is how this will affect my phones while I'm doing this. I do see that at some point a soft reset of phones will happen, which is fine as long as I do it as late as possible. What are the chances that something catastrophic will happen during this process? Have you encountered anything terrible happening when performing a certificate regen?
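
The thread above turns on nobody noticing that the CallManager, TVS and CAPF certificates had run out until the directory broke. As an added example (not code from this thread or from Cisco), here is a POSIX shell check that classifies a folder of exported PEM certificates as OK, expiring within a warning window, or already expired, using only the openssl CLI; on CUCM the files to feed it are the .pem downloads from OS Administration > Security > Certificate Management. The two self-signed certificates the demo generates are constructed test data, and the file names, function names and 30-day window are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI on PATH.
# cert_status exit codes: 0 = valid beyond the warning window,
# 1 = expires within the window, 2 = already expired, 3 = not a readable cert.
set -u

# cert_status FILE WARN_DAYS
cert_status() {
    file="$1"
    warn_days="$2"
    # Reject anything openssl cannot parse as an X.509 certificate.
    openssl x509 -in "$file" -noout >/dev/null 2>&1 || return 3
    # -checkend N exits 0 only if the cert is still valid N seconds from now;
    # N=0 therefore detects a certificate that has already expired.
    openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1 || return 2
    openssl x509 -in "$file" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1 || return 1
    return 0
}

# cert_enddate FILE: prints the notAfter timestamp of the certificate
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# report DIR WARN_DAYS: one line per .pem file in DIR
report() {
    dir="$1"
    warn_days="$2"
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        rc=0
        cert_status "$f" "$warn_days" || rc=$?
        case $rc in
            0) label="OK" ;;
            1) label="EXPIRING within ${warn_days}d" ;;
            2) label="EXPIRED" ;;
            *) label="UNREADABLE" ;;
        esac
        printf '%-18s %-28s %s\n' "$(basename "$f")" "$label" "$(cert_enddate "$f" 2>/dev/null)"
    done
}

# make_test_cert OUTFILE DAYS: constructed self-signed cert used only for the demo
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=$(basename "$1" .pem)" -keyout /dev/null -out "$1" >/dev/null 2>&1
}

# demo: a freshly renewed cert beside one inside a 30-day warning window
demo() {
    tmp=$(mktemp -d)
    make_test_cert "$tmp/tomcat.pem" 400
    make_test_cert "$tmp/CallManager.pem" 10
    report "$tmp" 30
    rm -rf "$tmp"
}

# demo
```

Running `report` against the exported certificates from a cron job, with the warning window set longer than the cluster's change-approval lead time, gives the heads-up this thread lacked; an exit code of 2 for any of tomcat, CallManager, TVS or CAPF is the condition that breaks the directory, Finesse login, or the phones' ITL trust described above.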

Hall of Fame Cisco Employee (accepted solution)

Yes, doing ALL certificates at the same time in all servers, breaking the TVS/ITL trust, or not giving enough time for the certificates to propagate in the cluster and the phones becoming aware of them.

As long as you follow the procedure from the documentation, and give enough time for certificates to replicate to the cluster so phones can update the ITL with the new certificates, you should be fine.

If you're still very nervous about doing this, you can use the Prepare Cluster for Rollback to pre 8.0 parameter which would create a blank ITL and remove the trust from the phones (it will involve resetting the phones as well), then you do all the certificate regeneration you need in your cluster, and then set the parameter back to false so phones download the new ITL with the new certificates.

HTH

java

if this helps, please rate

Thank you very much for your help - I'm much more comfortable doing this now. I do have another question or two. When viewing certificates, I see a couple CAPF-xxxxxxxx.pem trust certificates that are expired. How would I go about recreating all of those? I see I can delete them, but if I need to recreate them I don't have any idea what is actually using those certificates. How do I find out if I even need those any longer?

To answer your questions, all my self-signed and trust certificates are expired (they expired Monday of this week).

Following the documentation, just to be safe I'll use the prepare for cluster rollback feature. I have one publisher and one subscriber; I plan on doing all of my certificates on the publisher, waiting approximately 1/2 hr, then doing the subscriber. I imagine since I have a CUPS pub and sub I'll need to upload the new CM certs to each as well.

As always, I appreciate your help; your videos have helped me countless times!