05-25-2014 01:34 PM - edited 03-19-2019 08:13 AM
Hi,
If you enable the unified messaging service on Unity Connection you have the option to validate the SSL certificates. For some reason it's not working. I really don't have solid expertise in Exchange or with server certificates, so I'm reaching out for some help. Environment: Exchange 2013 64-bit on Windows Server 2008 R2 64-bit.
To me it's not clear what is going wrong, if it's Exchange or Unity Connection that throws the error. I find the Cisco documentation not clear on this subject. It doesn't state what specific certificates need to be uploaded on CUC, so I took the root certificate and the server certificate. I uploaded both to 'tomcat-trust' and 'connection-trust' as described in the docs. In Wireshark traces I can see an encrypted handshake and no errors.
I followed all steps in this document:
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/9x/unified_messaging/guide/9xcucumgx/9xcucumg020.html#wp1348034
If I don't validate the certificates the integration is working perfectly. When I enable the option to validate the certificates and I test with a UM account the error I receive is:
Diagnostic=[Peer certificate cannot be authenticated with given CA certificates -- SSL certificate problem: unable to get local issuer certificate] Verb=[POST] url=[https://WIN-HQU5PTR49V3.demo.be/EWS/Exchange.ASMX] request=[<?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"> <soap:Header> <t:RequestServerVersion Version="Exchange2007_SP1"/> <t:ExchangeImpersonation> <t:ConnectingSID> <t:PrimarySmtpAddress>weelen@demo.be</t:PrimarySmtpAddress> </t:ConnectingSID> </t:ExchangeImpersonation> </soap:Header> <soap:Body> <GetFolder xmlns="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"> <FolderShape> <t:BaseShape>Default</t:BaseShape> </FolderShape> <FolderIds> <t:DistinguishedFolderId Id="deleteditems"> <t:Mailbox> <t:EmailAddress>weelen@demo.be</t:EmailAddress> </t:Mailbox> </t:DistinguishedFolderId> </FolderIds> </GetFolder> </soap:Body> </soap:Envelope> ] response=[]
As this is a lab environment I don't have signed certificates, so I converted them with openssl (.der to .pem). In the troubleshooting guide they provide the workaround by not enabling this certificate validation. Is it even supposed to work like this?
I tried to change some settings from what I found in several other posts on this forum, but the problem remains.
Is there another way to test this?
What traces can be looked at on CUC to see what's going wrong with the certificates?
Thanks for any useful information.
KR,
Wouter
05-27-2014 08:30 AM
If you are using a self-signed certificate in your lab, a self-signed certificate cannot be validated. You would need to disable this option in your configuration.
D. Hailey
05-27-2014 10:06 AM
Hi D. Hailey,
Thanks for the answer. I guess I must have been too tired that night to read complete documentation (or just too lazy). The documentation is indeed clear on this:
"Self-signed certificates cannot be validated. If you selected HTTPS from the Web-Based Protocol list, and if you are using self-signed certificates, do not check the Validate Certificates for Exchange Servers check box. If you do check the check box, Connection will not be able to access Exchange"
Now that's an easy 5 points (for the effort on answering n00b questions).
But why not change the parameter to "Validate public certificates for Exchange Servers" if that's the only way to go? Must have just been me...
Thanks
Wouter
05-27-2014 10:42 AM
Well, I don't have much say in whether or not the parameter name itself should be changed. I don't really see it as being an issue but that's my opinion. In general, I don't typically use certificate validation but, like everything, I'm sure there are 2 sides to that story depending on who you talk to.
Hailey
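Added example, not part of the original thread and not Cisco's tooling: the string "unable to get local issuer certificate" quoted in the question is OpenSSL's verification error for a certificate whose issuer is not in the trust bundle. This script reproduces it offline with a throwaway PKI so a certificate set can be checked before upload; the CA names, exchange.lab.example and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. All names (Lab root CA, exchange.lab.example) are constructed.

# Create two throwaway root CAs and a server cert signed by the first one.
make_lab_pki() {
  d=$1
  for ca in root other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab $ca CA" \
      -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=exchange.lab.example" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}

# True when subject and issuer names match (the cert names itself as issuer).
is_self_issued() {
  s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$s" = "$i" ]
}

# Verify cert $1 against PEM trust bundle $2 and classify the outcome.
diagnose() {
  out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  case $out in
    *"unable to get local issuer certificate"*) echo missing-issuer ;;
    *": OK"*) echo ok ;;
    *) echo other ;;
  esac
}

lab=$(mktemp -d) && trap 'rm -rf "$lab"' EXIT
make_lab_pki "$lab"
if is_self_issued "$lab/server.pem"; then
  echo "server cert is self-issued"
else
  echo "server cert is CA-issued; issuer: $(openssl x509 -in "$lab/server.pem" -noout -issuer)"
fi
echo "trust = issuing root: $(diagnose "$lab/server.pem" "$lab/root.pem")"
echo "trust = unrelated CA: $(diagnose "$lab/server.pem" "$lab/other.pem")"
```

To check real files, call `is_self_issued` and `diagnose` on the exported server certificate and a PEM bundle of the certificates intended for the trust store.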