02-01-2016 02:10 PM - edited 03-17-2019 05:41 AM
Long story short - I generated CSRs for tomcat and CallManager certificates then signed them with an OpenSSL CA. Tomcat went well, but CallManager isn't pushing files to the phones. No TFTP (directory, ring tones, etc.). Trust List Update Failed. "show itl" command shows an invalid ITL.
I'm not sure if there's something wrong with the cert or if it's because my CAPF and TVS certs are currently expired. My cluster is non-secure so at this point I'm good with backing out and regenerating self-signed across the board to renew them, but I'm concerned that if I regenerate the CallManager, the phones still won't trust it, and then regenerating the TVS too would break trust completely. I'm just going off all the scare warnings in documentation and guides, so sorry if my lingo is poor.
Any advice or safe steps? I'm wary of blanking out the ITLs with the pre-rollback feature because it says Extension Mobility will not work while it's set. All user phones are logged in profiles, so I'd like to avoid the chaos of our entire corporation having to log back into their phones.
CUCM version is 9.1(2)
02-01-2016 04:38 PM
You probably didn't follow the right order to do this. When you regenerate your CUCM certs you need to ensure that you don't do it all at once. You do one server first, then you reboot your phones. This is because the phones need to have a TVS server they trust before downloading the new ITL file presented by the new CUCM cert. Your only option now is to manually delete the ITL files on the phones.
02-01-2016 04:47 PM
I stopped the TFTP service on the publisher and reset all phones so they would register to the sub. Then I uploaded the new signed cert and restarted the CallManager, TVS and TFTP services, and then followed the same steps on the subscriber. I followed this document: http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html
The only thing I didn't do was blank out the ITL file since, as I said in the original post, I was afraid that would log everyone off their phones.
I also tried manually deleting the ITL file on a couple phones and it still wouldn't pull the new one. This is why I'm hoping I can regenerate the TVS cert to resolve this. This is the error I get on both CM nodes when I check the ITL
admin:show itl
The checksum value of the ITL file:
#alphanumericstring(MD5)
#anotheralphanumericstring(SHA1)
Length of ITL file: 0
The ITL File was last modified on Mon Feb 01 12:36:59 EST 2016
Parse ITL File
----------------
Invalid ITL file. Error skipping past version.
Error parsing the ITL File.
02-01-2016 06:32 PM
Regenerating the expired TVS and CAPF certs didn't help, but I regenerated the CallManager cert, overwriting the one I issued from the CA, and we're good now. Trust Lists are updated on the endpoints. I can't find any supporting documentation, but I'm thinking the problem was the CallManager cert having a different CN than the TVS and CAPF, or that they were expired and unable to authenticate the new cert.
As I don't have a specific need to enable secure functionality, I'll leave it be. Was just trying to be proactive. Thanks for the response.
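The last post suspects two things about the certificate set: a CallManager cert whose subject CN differed from the TVS and CAPF certs, and expired TVS/CAPF certs. The following script is an added example (not from this thread or from Cisco) that checks both conditions across a set of PEM files; it assumes the certs were exported from OS Administration to a local directory, and the CNs in the demo set are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Checks what the last post suspects:
# CallManager, TVS and CAPF certs should share one subject CN and none
# should be expired. Assumes the PEM files were exported from OS Administration.
set -u

# Subject CN of a PEM certificate (RFC2253 form, so "CN=" is unambiguous).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Returns 0 if the cert is still valid now, 1 if its notAfter has passed.
cert_valid() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# check_cert_set label1 file1 label2 file2 ...
# Prints findings; returns 0 only when every cert has the same CN and none is expired.
check_cert_set() {
  rc=0; ref_cn=""
  while [ $# -ge 2 ]; do
    label=$1; pem=$2; shift 2
    cn=$(cert_cn "$pem")
    [ -n "$ref_cn" ] || ref_cn=$cn
    if [ "$cn" != "$ref_cn" ]; then
      echo "MISMATCH: $label CN='$cn' differs from '$ref_cn'"; rc=1
    fi
    if ! cert_valid "$pem"; then
      echo "EXPIRED: $label ($(openssl x509 -in "$pem" -noout -enddate))"; rc=1
    fi
  done
  return $rc
}

# Constructed demo set (hypothetical CNs): the CallManager cert was issued with
# an FQDN while TVS and CAPF still carry the bare hostname, reproducing a CN mismatch.
make_demo_certs() {
  d=$1; mkdir -p "$d"
  for pair in "CallManager:cucm-pub.example.internal" "tvs:cucm-pub" "CAPF:cucm-pub"; do
    svc=${pair%%:*}; cn=${pair#*:}
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$cn" \
      -keyout "$d/$svc.key" -out "$d/$svc.pem" >/dev/null 2>&1
  done
}

demo=$(mktemp -d)
make_demo_certs "$demo"
check_cert_set CallManager "$demo/CallManager.pem" tvs "$demo/tvs.pem" CAPF "$demo/CAPF.pem" \
  || echo "certificate set is inconsistent; resolve this before touching the ITL"
```

Run it against the real exported files by replacing the demo paths in the final check_cert_set call; a non-zero exit means at least one CN or expiry finding was printed.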