CUCM 14/15 and CAPF Online CA for phone certificates

dgeral1
Level 1

I am attempting to set up CAPF with an online certificate authority (Windows Server 2022), first with CUCM 14 and now 15 in my lab.  I have used:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/12_5_1/cucm_b_security-guide-1251/cucm_b_security-guide-1251_chapter_011110.html#task_B9F325F08AC3F8BF683B05FFFE724462

https://www.cisco.com/c/en/us/support/docs/security-vpn/certificate-authority-ca/214396-troubleshooting-capf-online-ca.html#anc2

and have reviewed many posts on here including:

https://community.cisco.com/t5/ip-telephony-and-phones/sigining-lscs-with-the-capf/td-p/3825206 

It seems that the request is not leaving my publisher. I am receiving the error:
16:07:58.184 | debug 2:SEPF8A5C5EA789D:Enrollment rv = 22 (EST_ERR_AUTH_FAIL) with pkcs7 length = 0
16:07:58.184 | debug 2:SEPF8A5C5EA789D:est_client_enroll_csr() Failed! Could not obtain new certificate. Aborting.
16:07:58.184 | debug 2:SEPF8A5C5EA789D:Return value from enrollCertUsingEST() : 22
16:07:58.184 | debug 2:SEPF8A5C5EA789D:Online Cert Signing Failed

I have Wireshark running between my CUCM 15 instance and my Windows CA.  Both are built from scratch with only the settings listed in the Security Guide to remove any potential issues in our production settings for testing. I am not running in Mixed mode (currently the mode is Insecure).

I can see that both CAPF and CES services have started. I have verified that the Service Parameters on my Publisher match what is in the Security Guide and have tried my user name as both just the name and <name>@domain.com. I have logged into https://<rootca>/certsrv as the CiscoRA account I created per the Security Guide and can see the CiscoRA template listed as available to request from. I see the phone has requested a certificate and has generated a CSR, which I verified was on the CUCM via the CLI.

In Wireshark I can see SIP traffic from my phone and can see the CUCM requesting NTP updates. I have been able to get successful pings from my CUCM on the CLI to the Windows CA. What I don't see is any attempt from the CES/CiscoRA to the Windows CA in Wireshark, the IIS logs, the Windows Event Logs, or any other log I have access to from RTMT as listed in the Troubleshooting guide.

To me it looks like the authentication failure is internal to the CUCM itself but not sure how to troubleshoot it further or what settings I am missing.

Any help to make progress on this is appreciated.

Full Log
------------------------

5:51:11.548 HDR|02/13/2024 CAPF,StandAloneCluster,<---CUCM IP--->,Error,15.0.1.10000-32
15:51:11.548 | debug Starting CAPF
15:51:11.587 |CCMEncryption::hexToPassword():enter
15:51:11.587 |CCMEncryption::hexToPassword():exit
15:51:11.587 |CCMEncryption::DecryptText:enter
15:51:11.587 |CCMEncryption::DecryptText (Exit) (Success))
15:51:11.587 |CCMEncryption::hexToPassword():enter
15:51:11.587 |CCMEncryption::hexToPassword():exit
15:51:11.587 |CCMEncryption::DecryptText:enter
15:51:11.587 |CCMEncryption::DecryptText (Exit) (Success))
15:51:11.590 | CServiceParameters::Init() OnlineCA Initialized
15:51:22.444 | debug CertificateCache instance created
15:51:22.444 | debug CAPFChangeNotifyServer::instance ()
15:51:23.448 | debug CAPFChangeNotifyServer::instance () instace is created ()
15:51:23.449 | debug DB Cache Monitor thread started
15:51:23.449 | debug ERROR:Failed to create Directory[/tmp/capf/csr] : File exists
15:51:23.449 | debug ERROR:Failed to create Directory[/tmp/capf/cert] : File exists
15:51:23.449 | debug Change notification started
15:51:23.449 | debug ERROR:CAPF sigusr registered
15:51:23.450 | debug CAPFChangeNotifyServer::ProcessThreadProcIntermediary ()
15:51:23.450 | debug CAPFChangeNotifyServer::ProcessThreadProc ()
15:51:23.450 | debug CAPFChangeNotifyServer::ProcessThreadProc () - Subscribed the table certificate, certificateservicecertificatemap to DBNotify Client
15:51:23.450 | debug CAPFChangeNotifyServer::ProcessThreadProc () - Waiting for DBChange Notification
15:51:23.450 | debug capfLoadCAPFKey(file:'/usr/local/cm/.security/CAPF/keys/CAPF_priv.der')
15:51:23.450 | debug loadFile('/usr/local/cm/.security/CAPF/keys/CAPF_priv.der')
15:51:23.450 | debug ERROR:cache thread started
15:51:23.450 | debug loadFile() successfully loaded file: '/usr/local/cm/.security/CAPF/keys/CAPF_priv.der'
15:51:23.450 | debug Successfully loaded CAPF public/private key pair
15:51:23.450 | debug loadFile('/usr/local/cm/.security/CAPF/certs/CAPF.der')
15:51:23.450 | debug loadFile() successfully loaded file: '/usr/local/cm/.security/CAPF/certs/CAPF.der'
15:51:23.450 | debug Successfully loaded CAPF cert '/usr/local/cm/.security/CAPF/certs/CAPF.der'
15:51:23.451 | debug ERROR:Unable to find length - <error:00000000:lib(0):func(0):reason(0)>
15:51:23.451 | debug ERROR:Unable to parse NID_organizationalUnitName name AVA from CAPF cert IssuerName
15:51:23.451 | debug ERROR:Failed in BIO_read_filename
15:51:23.452 | debug Could not open the specified file for read hence using default configuration
15:51:23.452 | debug CA Type is Online CA, setting up EST Connection
15:51:23.460 | debug Inside setUpESTClient
15:51:27.460 | debug Inside read_binary_file()
15:51:27.460 | debug Completed action in read_binary_file()
15:51:27.460 | debug cacert read success. cacert length : 1318
15:51:27.460 | debug EST context ectx initialized
15:51:27.460 | debug CA Credentials retrieved
15:51:27.460 | debug est_client_set_auth() Successful!!
15:51:27.460 | debug est client server name CM1
15:51:27.460 | debug EST set server details success!!
15:51:27.460 | debug Free cacert...
15:51:27.460 | debug Setting the timeout on EST client to 60 seconds
15:51:27.460 | debug In capfListenPhoneConn
15:51:27.461 | debug IP_Mode = 0
15:51:27.461 | debug SockServ[i] = 0x00000019
15:51:27.461 | debug Socket 0x00000019 ready for connection with AF_INET family, on port 3804
15:51:27.461 | debug IP_Mode = 0
16:07:26.836 | debug FD_ISSET i=0, SockServ=19
16:07:26.836 | debug Accepted TCP connection from socket 0x00000019, fd = 8
16:07:26.836 | debug Locked Mutex : thread id -1434466560
16:07:26.836 | debug sessCnt = 1
16:07:26.836 | debug TotalThreads = 1
16:07:28.071 | debug 2:SEPF8A5C5EA789D:Message does not contain a certificate.
16:07:28.071 | debug 2:SEPF8A5C5EA789D:Retrieved SUDI cert from message.
16:07:28.071 | debug 2:SEPF8A5C5EA789D:Message does not contain sha2 datablk.
16:07:28.071 | debug 2:SEPF8A5C5EA789D:hashedfilename is '/usr/local/cm/.security/CAPF/certs/417aa245.0'
16:07:28.071 | debug 2:SEPF8A5C5EA789D:hashedfilenamelen is '52'
16:07:28.072 | debug 2:SEPF8A5C5EA789D:Signature ok
16:07:28.073 | debug 2:SEPF8A5C5EA789D:Mandatory Reason Missing:sessId=2
16:07:58.012 | debug 2:SEPF8A5C5EA789D:In capfIsDevCTI()
16:07:58.013 | debug 2:SEPF8A5C5EA789D:KeyType 0
16:07:58.095 | debug 2:SEPF8A5C5EA789D:Mandatory Reason Missing:sessId=2
16:07:58.135 | debug getDeviceFileName deviceid is [CP-8865-SEPF8A5C5EA789D]
16:07:58.135 | debug 2:SEPF8A5C5EA789D:capfGetKeepAliveTime:Timer expiry is : 60 minute
16:07:58.136 | debug getDeviceFileName deviceid is [CP-8865-SEPF8A5C5EA789D]
16:07:58.136 | debug getDeviceFileName deviceid is [CP-8865-SEPF8A5C5EA789D]
16:07:58.136 | debug 2:SEPF8A5C5EA789D:CA Mode is OnlineCA, Initiating Automatic Certificate Enrollment
16:07:58.136 | debug 2:SEPF8A5C5EA789D:Calling enrollCertUsingEST() csr_file=/tmp/capf/csr/SEPF8A5C5EA789D.csr
16:07:58.136 | debug getDeviceFileName deviceid is [CP-8865-SEPF8A5C5EA789D]
16:07:58.136 | debug 2:SEPF8A5C5EA789D:Inside X509_REQ *read_csr()
16:07:58.137 | debug 2:SEPF8A5C5EA789D:Completed action in X509_REQ *read_csr()
16:07:58.184 | debug 2:SEPF8A5C5EA789D:Enrollment rv = 22 (EST_ERR_AUTH_FAIL) with pkcs7 length = 0
16:07:58.184 | debug 2:SEPF8A5C5EA789D:est_client_enroll_csr() Failed! Could not obtain new certificate. Aborting.
16:07:58.184 | debug 2:SEPF8A5C5EA789D:Return value from enrollCertUsingEST() : 22
16:07:58.184 | debug 2:SEPF8A5C5EA789D:Online Cert Signing Failed


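The trace above has to be read per session and per device to see where enrollment stops. The following is an added example, not code from the thread or from Cisco: a PowerShell function that walks a CAPF trace (in the line format shown in this post) and reports, for each session/device pair, the CA mode, the CSR path and the EST enrollment return code. Only the two rv codes quoted in this thread (22 and 43) are given names; the trace file path is an assumption, and the sample lines are constructed from the post's own output so the script runs stand-alone.

```powershell
# Added example (not from the thread or from Cisco): triage a CAPF trace by session/device.
# Assumes the CAPF line format shown in the post:
#   "HH:MM:SS.mmm | debug <sessId>:<SEPxxxxxxxxxxxx>:<message>"
# Only rv codes quoted in this thread are named; anything else is reported as "unknown".
$EstCodes = @{
    22 = 'EST_ERR_AUTH_FAIL'    # original post
    43 = 'EST_ERR_IP_CONNECT'   # follow-up post, after FIPS was enabled
}

function Get-CapfEnrollmentSummary {
    param([Parameter(Mandatory)][string[]]$Lines)

    $sessions = [ordered]@{}
    $pattern  = '^\s*(?<ts>\d{1,2}:\d{2}:\d{2}\.\d+)\s*\|\s*debug\s+(?<sess>\d+):(?<dev>SEP[0-9A-F]{12}):(?<msg>.*)$'

    foreach ($line in $Lines) {
        # Lines without a "<sessId>:<device>:" prefix (startup, socket setup) are not per-device
        if ($line -match $pattern) {
            # Copy the fields out now: "switch -Regex" below overwrites $Matches
            $ts  = $Matches.ts
            $key = "$($Matches.sess):$($Matches.dev)"
            $msg = $Matches.msg

            if (-not $sessions.Contains($key)) {
                $sessions[$key] = [pscustomobject]@{
                    Session  = [int]$Matches.sess
                    Device   = $Matches.dev
                    CaMode   = $null
                    CsrFile  = $null
                    Rv       = $null
                    RvName   = $null
                    Result   = 'no enrollment attempt seen'
                    LastSeen = $ts
                }
            }
            $s = $sessions[$key]
            $s.LastSeen = $ts

            switch -Regex ($msg) {
                '^CA Mode is (\w+)'                               { $s.CaMode  = $Matches[1] }
                '^Calling enrollCertUsingEST\(\) csr_file=(\S+)'  { $s.CsrFile = $Matches[1] }
                '^Enrollment rv = (\d+)' {
                    $s.Rv     = [int]$Matches[1]
                    $s.RvName = if ($EstCodes.ContainsKey($s.Rv)) { $EstCodes[$s.Rv] } else { 'unknown' }
                    $s.Result = if ($s.Rv -eq 0) { 'enrolled' } else { "failed: rv=$($s.Rv) ($($s.RvName))" }
                }
            }
        }
    }
    $sessions.Values
}

# Constructed sample: the three lines that matter, taken from the trace in this post
$sample = @(
    '16:07:58.136 | debug 2:SEPF8A5C5EA789D:CA Mode is OnlineCA, Initiating Automatic Certificate Enrollment',
    '16:07:58.136 | debug 2:SEPF8A5C5EA789D:Calling enrollCertUsingEST() csr_file=/tmp/capf/csr/SEPF8A5C5EA789D.csr',
    '16:07:58.184 | debug 2:SEPF8A5C5EA789D:Enrollment rv = 22 (EST_ERR_AUTH_FAIL) with pkcs7 length = 0'
)
Get-CapfEnrollmentSummary -Lines $sample | Format-List

# Against a real trace exported from RTMT (path is an assumption):
# $TraceFile = '.\capf.txt'
# Get-CapfEnrollmentSummary -Lines (Get-Content $TraceFile) | Format-Table -AutoSize
```

A non-zero rv with CaMode "OnlineCA" and a CsrFile present, as in the sample, tells you the CSR was built and the failure is in the EST exchange between CAPF and CES rather than in the phone's request, which is the same conclusion the post reaches by hand.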
1 Reply

dgeral1
Level 1

Update for anyone else that may run into these issues:

1. DNS on the publisher did not show as configured, and I needed to set the DNS primary and domain.
2. The callmanager certificate was still self-signed. Once I updated that to one signed by my enterprise CA I was able to start CES (momentarily).
3. The 401 error persisted, and I found that without SANs listed in the Web SSL certificates (which I don't think was mentioned in the above links) I couldn't even get PowerShell to replicate step 1 in the process listed in the Troubleshooting guide.
4. With FIPS turned on, I finally caught an error in the nginx logs. 
nginx: [emerg] The certsrv auth plugin is not able to operate with FIPS mode on
nginx: [emerg] auth plugin certsrv_auth merge_srv_conf failed

Seems odd that FIPS mode would cause issues. However, the error did change from 22 to 43:
Enrollment rv = 43 (EST_ERR_IP_CONNECT) with pkcs7 length = 0
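Two of the items in the reply (the SAN on the CA's Web SSL certificate, and whether /certsrv accepts the CiscoRA account at all) can be checked from any Windows host before touching CUCM. The script below is an added example, not code from the thread or from Cisco: it pulls the TLS certificate the CA's IIS presents, lists the DNS names in its Subject Alternative Name extension, checks that the CA host name is among them, and then tries to log in to /certsrv with the CiscoRA credential. The host name `rootca.example.com` and the credential prompt are assumptions; replace them with your own.

```powershell
# Added example (not from the thread or from Cisco). Reproduces, from a Windows host, two checks
# the follow-up post describes: is the CA host name in the SAN of its IIS certificate, and does
# /certsrv accept the CiscoRA account. $CaHost is an assumption; use the FQDN CES is configured with.
$CaHost = 'rootca.example.com'

function Get-TlsCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The validation callback always returns $true: we only want to see the leaf, not trust it
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Get-SanDnsNames {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.17 is the subjectAltName extension OID
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Format($true) prints one entry per line, e.g. "DNS Name=rootca.example.com" (English locale)
    $san.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+?)\s*$') { $Matches[1] }
    }
}

function Test-CertsrvLogin {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    try {
        $r = Invoke-WebRequest -Uri "https://$HostName/certsrv/" -Credential $Credential -UseBasicParsing
        [pscustomobject]@{ StatusCode = [int]$r.StatusCode; LoggedIn = $true; Error = $null }
    } catch {
        # An HTTP error (401, 403, ...) carries a Response; a TLS or connection failure does not
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $null }
        [pscustomobject]@{ StatusCode = $code; LoggedIn = $false; Error = $_.Exception.Message }
    }
}

$cert = Get-TlsCertificate -HostName $CaHost
$sans = Get-SanDnsNames -Cert $cert
[pscustomobject]@{
    Subject          = $cert.Subject
    Issuer           = $cert.Issuer
    NotAfter         = $cert.NotAfter
    SanDnsNames      = ($sans -join ', ')
    HostInSan        = ($sans -contains $CaHost)
    ChainTrustedHere = $cert.Verify()   # against this host's trust store, not CUCM's
} | Format-List

Test-CertsrvLogin -HostName $CaHost -Credential (Get-Credential -Message 'CiscoRA account (DOMAIN\user)')
```

HostInSan False means the Web SSL certificate needs to be reissued with the FQDN in its SAN, which is item 3 in the reply. A 401 from Test-CertsrvLogin with a known-good password points at the account or the authentication settings on the certsrv virtual directory, while a failure with no StatusCode is a TLS or connectivity problem and should be looked at first.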