01-31-2024 10:26 AM
Currently running the connection as non-secure but have been tasked to move to Secure SIP Profile on the trunk.
Playing with this guide https://www.cisco.com/c/en/us/support/docs/unified-communications/unity-connection/211622-Configuration-Example-for-Secure-SIP-Int.html from 2018.
Under "2. Add the TFTP server reference" it states I have to use the FQDN, and it has to match the CN= of the CallManager cert. Well, my CallManager cert is a single multi-SAN cert that covers all 5 nodes in my cluster, and the FQDN does not resolve in DNS, but all the Subject Alt Names in the cert do resolve.
Ideally I would like to put my 2 TFTP server FQDNs in there and have it work like magic, but I have a feeling I may have to reach out to our DNS crew and request something like a CNAME to make the CN= entry resolvable, but then that would limit me to just one IP and if that happens to be down I have no backup to go to.
Has anyone run into this yet? Any recommendations? I am going to try the FQDNs of the TFTP servers tonight in a maint window to see if it goes, but if it doesn't I will need a solid plan B.
01-31-2024 10:58 AM
Not sure I understand what you mean by “FQDN does not resolve in DNS”, can you please elaborate and clarify? With multi SAN certificate you would have all the nodes in your cluster in the SAN and that would make the certificate check succeed whatever server FQDN you use as long as it’s in the SAN of the multi SAN certificate.
01-31-2024 11:05 AM
Oh, yes of course. In the CallManager Certificate, when I created the CSR back in 2021 Cisco automatically put in:
CN = ULDF-VLSC-UCMP1V-ms."domain snipped"
OU = USAF
OU = PKI
OU = DoD
O = U.S. Government
C = US
Well, that CN is not resolvable because of the -ms at the end of the hostname.
But under Subject Alt Names I have:
DNS Name=ULDF-AS-TFTP1V."domain snipped"
DNS Name=ULDF-AS-TFTP2V."domain snipped"
DNS Name=ULDF-VLSC-UCMP1V."domain snipped"
DNS Name=ULDF-VLSC-UCMS2V."domain snipped"
DNS Name=ULDF-VLSC-UCMS1V."domain snipped"
Which are all resolvable.
01-31-2024 01:12 PM
Thanks! That is the name of the multi SAN certificate, not a FQDN of anything in your cluster.
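To illustrate the point made in this reply (a TLS peer checks the SAN dNSName entries, and the Subject CN is only a legacy fallback when no SAN is present, per RFC 6125), here is an added example; it is not part of the thread or of Cisco's own verification code, and the domain suffix `example.test` stands in for the snipped domain.

```python
"""Hostname-to-certificate name matching as a TLS client performs it:
SAN dNSName entries are authoritative; the Subject CN is consulted only
when the certificate carries no SAN at all (RFC 6125 section 6.4.4)."""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    subject_cn: str
    san_dns: list = field(default_factory=list)


def _name_match(pattern: str, host: str) -> bool:
    # Case-insensitive exact match, or a single leading wildcard label
    # ("*.example.test") that covers exactly one label and never the apex.
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        first_label, _, rest = host.partition(".")
        return bool(first_label) and rest == pattern[2:]
    return False


def hostname_matches_cert(hostname: str, cert: CertNames):
    """Return (matched, reason) for the given server FQDN."""
    if cert.san_dns:
        for name in cert.san_dns:
            if _name_match(name, hostname):
                return True, f"matched SAN dNSName {name}"
        return False, "no SAN dNSName matched; CN ignored because a SAN is present"
    if _name_match(cert.subject_cn, hostname):
        return True, "matched Subject CN (legacy fallback, certificate has no SAN)"
    return False, "no match"


# Constructed multi-SAN certificate modelled on the thread; the "-ms" CN is
# the multi-SAN certificate's label, not the FQDN of any node.
MULTI_SAN_CERT = CertNames(
    subject_cn="ULDF-VLSC-UCMP1V-ms.example.test",
    san_dns=[
        "ULDF-AS-TFTP1V.example.test",
        "ULDF-AS-TFTP2V.example.test",
        "ULDF-VLSC-UCMP1V.example.test",
        "ULDF-VLSC-UCMS2V.example.test",
        "ULDF-VLSC-UCMS1V.example.test",
    ],
)

if __name__ == "__main__":
    for fqdn in ("uldf-as-tftp1v.example.test", "ULDF-VLSC-UCMP1V-ms.example.test"):
        print(fqdn, "->", hostname_matches_cert(fqdn, MULTI_SAN_CERT))
```

Pointing the TFTP server reference at either TFTP node's FQDN matches via the SAN, while the unresolvable "-ms" CN would not match even if it were used, so nothing in DNS needs to change for the check to succeed.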
01-31-2024 01:18 PM
And Thank YOU as well!! That is what I figured, but any time a Cisco guide states "must match the ..." even though it makes no sense to me I get tense heh.
All is for naught for tonight anyhow. For some reason my Unity nodes throw an error when I try to get to Cisco Unity Connection Serviceability -> Tools -> Service Management about my account being disabled or expired, even though I use that account daily in RTMT and the Web Admin Recovery URL when my SSO isn't working. Put up a TAC case to have them take a look in Root to figure that out.
Regards,
Rob