01-14-2019 02:42 AM - edited 01-14-2019 10:44 PM
Hello, guys.
Cisco Meeting App (CMA) users get this error - “Certificate failure. The connecting server is not presenting a valid certificate” Users can ignore this warning and are able to login.
This is what I get from MMP commands:
acano> xmpp status
Enabled : true
Clustered : false
Domain : kakaotalk.com
Listening interfaces : a
Key file : star_kakaotalk_com.key
Certificate file : star_kakaotalk_com.crt
CA Bundle file : star_kakaotalk_com_bundle.crt
Max sessions per user : unlimited
STATUS : XMPP server running
acano> xmpp callbridge list
***
Callbridge : acano
Domain :kakaotalk.com
Secret : xxxxxxxxxxxxxxxxxxx
acano> callbridge
Listening interfaces : a
Preferred interface : a
Key file : star_kakaotalk_com.key
Certificate file : star_kakaotalk_com.crt
Address : none
CA Bundle file : star_kakaotalk_com_bundle.crt
Edges
Address : none:none
Trusted certs : star_kakaotalk_com.crt
And nslookup returns the following:
nslookup -type=SRV _xmpp-client._tcp.kakaotalk.com
_xmpp-client._tcp.kakaotalk.com service = 10 10 5222 acano.kakaotalk.com.
On webadmin page, in general section,
callbridge is set to acano
domain is set "kakaotalk.com"
shared secret is set same as the one I get from "xmpp callbridge list" command.
address is set [blank]
The certificate is a wildcard domain certificate and includes multiple domains, which include "*.kakaotalk.com". It inspects as below:
acano> pki inspect star_kakaotalk_com.crt
Checking ssh public keys...not found
Checking user configured certificates and keys...found
File contains a PEM encoded certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d1:c1:fa:58:a5:4f:77:a6:56:f9:2d:cc:b2:70:84:23
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Organization Validation Secure Server CA
Validity
Not Before: Dec 21 00:00:00 2018 GMT
Not After : Mar 19 23:59:59 2021 GMT
Subject: C=xxxxx, ST=xxxx, L=Hwaseong-si/street=xxxx, xxxxxx, O=xxxxxxx, OU=Development Team, OU=xxxxxxxxxxxxxx, Inc., OU=Unified Communications, CN=*.kakaotalk.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:9A:F3:2B:DA:CF:AD:4F:B6:2F:BB:2A:48:48:2A:12:B7:1B:42:C1:24
X509v3 Subject Key Identifier:
98:DA:C3:2C:8D:96:52:DA:BF:C4:BC:A6:13:35:35:A1:80:F0:B7:F3
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.1.3.4
CPS: https://secure.comodo.com/CPS
Policy: 2.23.140.1.2.2
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crl
Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com
X509v3 Subject Alternative Name:
DNS:*.kakaotalk.com
Signature Algorithm: sha256WithRSAEncryption
acano>
The bundle certificate inspects as below:
acano> pki inspect star_kakaotalk_com_bundle.crt
Checking ssh public keys...not found
Checking user configured certificates and keys...found
File contains a PEM encoded certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
Signature Algorithm: sha384WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
Validity
Not Before: Jan 19 00:00:00 2010 GMT
Not After : Jan 18 23:59:59 2038 GMT
Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha384WithRSAEncryption
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
36:82:5e:7f:b5:a4:81:93:7e:f6:d1:73:6b:b9:3c:a6
Signature Algorithm: sha384WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
Validity
Not Before: Feb 12 00:00:00 2014 GMT
Not After : Feb 11 23:59:59 2029 GMT
Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Organization Validation Secure Server CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4
X509v3 Subject Key Identifier:
9A:F3:2B:DA:CF:AD:4F:B6:2F:BB:2A:48:48:2A:12:B7:1B:42:C1:24
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: X509v3 Any Policy
Policy: 2.23.140.1.2.2
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca.com/COMODORSACertificationAuthority.crl
Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com/COMODORSAAddTrustCA.crt
OCSP - URI:http://ocsp.comodoca.com
Signature Algorithm: sha384WithRSAEncryption
Both matching and verifying give me positive results:
pki match star_kakaotalk_com.key star_kakaotalk_com.crt
pki verify star_kakaotalk_com.crt star_kakaotalk_com_bundle.crt
The recent change made to the server was to change the domain name "kakaotick.com" to "kakaotalk.com". Apart from configuring LDAP settings, I did change the domain names on every webadmin page, including SIP dialout and inbound settings.
In MMP console, I did the following:
xmpp disable
xmpp callbridge del acano
xmpp domain kakaotalk.com
xmpp certs none
xmpp certs star_kakaotalk_com.key star_kakaotalk_com.crt star_kakaotalk_com_bundle.crt
xmpp enable
xmpp callbridge add acano
Then I changed the shared secret on the webadmin page. For those certificates, starting all services shows that the keys match and the certificates are valid.
The new wildcard certificate installed seems to have no problem. It does include "*.kakaotalk.com" in CN and SAN. The same certificate and its bundle are installed on webbridge, and when I connect to acano.kakaotalk.com, the connection is secure and the web browser shows all certificates are working properly.
What I'm guessing is there might be something I missed out when I was changing the domain name and the server is still using the old domain name somehow. I have looked into every MMP command and web API, but I haven't found anything more.
I did try "xmpp reset" and run all of xmpp config commands again, but still the same.
CMA users are able to log on with the new domain "username@kakaotalk.com". It's just the certificate warning sign that doesn't go away. Before changing the domain, it used to work fine with the old domain's wildcard certificate.
What could I possibly be missing here? Otherwise, is there any way to debug this and find out what is really going wrong underneath?
Cisco Meeting Server (CMS) version 2.1.2
Huge thanks to anyone who could solve this problem.
Certificate files are attached here.
01-14-2019 04:22 AM
Hello,
I think you should add the domain in SAN list also.
Please see the below link-
In SAN you have *.Hyundai-transys.com but not just domain Hyundai-transys.com.
Thanks.
Please rate if it helps...
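The SAN point made in the answer above, as an added example that is not part of the original thread: it reads the SAN entries from a constructed excerpt of the `pki inspect` output and checks them against the XMPP domain from `xmpp status` and the SRV target from the `nslookup` result. The function names are hypothetical, and the matching follows the usual RFC 6125 wildcard rule (a `*` stands for exactly one left-most label).

```python
import re

# Constructed excerpt of the `pki inspect` output quoted in the question.
PKI_INSPECT_EXCERPT = """\
Subject: ..., CN=*.kakaotalk.com
X509v3 Subject Alternative Name:
DNS:*.kakaotalk.com
"""


def san_dns_names(inspect_text):
    """Return the DNS entries on the line after the SAN header."""
    lines = inspect_text.splitlines()
    names = []
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            names = re.findall(r"DNS:([^,\s]+)", lines[i + 1])
    return [n.lower() for n in names]


def matches(pattern, hostname):
    """Compare label by label; '*' is honoured only as the whole
    left-most label and never spans or removes a label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # "*.kakaotalk.com" has 3 labels, "kakaotalk.com" has 2
    if p[0] == "*":
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h             # partial wildcards are treated as literals here


def report(inspect_text, identities):
    """Map each identity a client may validate to whether a SAN covers it."""
    sans = san_dns_names(inspect_text)
    return {name: any(matches(s, name) for s in sans) for name in identities}


if __name__ == "__main__":
    # XMPP domain (from `xmpp status`) and SRV target (from nslookup).
    for name, ok in report(PKI_INSPECT_EXCERPT,
                           ["kakaotalk.com", "acano.kakaotalk.com."]).items():
        print(f"{name:25} {'covered' if ok else 'NOT covered by any SAN'}")
```

The host name `acano.kakaotalk.com` is covered by the wildcard, which is consistent with the browser accepting the Web Bridge certificate, while the bare domain `kakaotalk.com` is not covered until it is listed as its own SAN entry.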
01-14-2019 10:22 PM
02-04-2021 04:30 AM
Hi, I have my xmpp not working also. I have just one server with webbridge, callbridge, xmpp.
I have multidomain, i.e., local.domain for servers and external.domain for webrtc: join.external.domain
I think I must have certificates for the xmpp server, the call bridge xmpp trust, and the webbridge xmpp trust with CN=HOSTNAME CMS SERVER .local.domain and SAN=join.external.domain. Is this correct?
Can I use self-signed certificates to achieve this? When I try self-signed certificates I can only create them with a CN. SAN seems to be not supported.
My errors in the CMS web GUI are these:
XMPP connection failed to connect to due to unknown error (1 second ago)
Authentication service no authentication components found
Date Time Fault condition
2021-02-04 12:13:51.913 XMPP connection to "" failed
Recent errors and warnings
Date Time Logging level Message
2021-02-04 12:14:35.037 Warning XMPP component presented bad certificate: hostname validation result: 4 (error), certificate status: 0 (good)
Can someone help?