Old cups xmpp certificate being presented to Jabber

rmfalconer
Level 1

We are running version 12.5 SU5

Cups xmpp server was replaced with a new one about 2 weeks ago, issued from Digicert. It has the same root and issuing authorities as the previous one. 

We use Digicert for all CM certificates and have replaced many over the years so we are familiar with the process.

Everything seemed normal when installing the new one, the new cert replaced the old one in the cups cert store as expected. The old cert is not displayed in the cert store in the GUI or the CLI. 

However, somehow the old cert is still being presented to the Jabber clients which is causing an expiration message because the old one expired on April 5.

This is only happening when the clients are on-net and communicating directly with the CM environment. 

When off-net, clients go through Expressway and do not get the old cert presented to them.

We've restarted the service but not the server yet. Plan to restart the server tonight.

 

Has anyone ever seen where an old certificate is still being presented even though it doesn't seem to exist in the cert store?

 

Thanks.


Jaime Valencia
Cisco Employee

If you go to certificate management do you see the CSR listed or have the option to upload the certificate and see the option for that specific certificate?

HTH

java

if this helps, please rate

There are no CSRs listed and no option to upload anything. The new certificate is in the cert store as expected, serial number matches what it should be.

When looking at the serial number in the cert presented to Jabber, it matches the expired cert that is not visible anywhere in CM.

If the server restart doesn't do the trick, I'd suggest a TAC case as they might need to look at this with root to find out what's going on.

HTH

java

if this helps, please rate

TAC has also recommended the restart. I was just curious if anyone had ever encountered this.

The restart fixed it on one node but not the other. We've moved everyone to the node that presents the correct certificate while working through it with TAC.