CUCM 11.0 - Tomcat Certificate Upload Problem

Josh Edwards
Level 4

Hello - I'm having trouble uploading a CA signed certificate for my tomcat service... UCM Version 11.0(1a).

 

I've generated the Multi-Server SAN CSR and had it signed by the internal CA - I've uploaded the internal CA root and subordinate certificates as tomcat-trust.

The problem is when I attempt to upload the new CA signed tomcat certificate, the page just hangs at the "Loading, please wait." screen - I've let it sit like that until the browser session times out, only to log in again and find the tomcat certificate is still self-signed...

I've tried this with IE and Chrome - both behave the same.

 

Has anybody else experienced this issue?


Rob Huffman
Hall of Fame

Hi Josh,

 

Just wanted to make sure you had seen this change in behavior bug;

 

The CUCM Guide 11.0 to be updated for Tomcat Cert and TFTP service

 

 

Symptom:
The CUCM 11.0 documentation is not updated to mention that whenever the Tomcat certificate is regenerated or uploaded, the TFTP service needs to be deactivated and activated. Else the TFTP continues to offer the old cached self-signed tomcat certificate.

Conditions:
Tomcat certificate is regenerated or uploaded

Workaround:
TFTP service needs to be deactivated and activated 

 

Cheers!

Rob

Hey Rob - I don't believe that bug is applicable to this issue... I'm not even able to get the new certificate to upload to the server (however, I restarted the tomcat service before attempting to upload the new certificate and again, the browser still hangs at the "Loading, please wait." screen)

 

Josh

I did that in my lab to a 11.0.1.20000-2 and had no problems, I'm about to do the same in a while for a video I'm recording on how to sign certificates, I don't think I'll have any problems.

I usually only use Chrome, up to whatever is the latest version, to get into my CUCM and had no problems, have you verified the .cer file has no problems??

HTH

java

if this helps, please rate

Hey Jamie - The .cer file seems fine - I'm able to open it in windows and everything looks ok... 

 

I'm having the same problem on two certs in this cluster... the tomcat multi-server SAN cert for 6 ucm/imp nodes and the multi-server SAN cert for the 2 imp nodes - I'm going to try without the multi-server SAN option and see if individual certs per service per server works

Interesting, I finished with the video and was able to upload the cert for tomcat without any issue, and I've done both, for a single server, and multi-server.

Are you local to the server??

Have you tried with other web browsers???

HTH

java

if this helps, please rate

I've discovered the cause of this issue... the customer's internal CA is configured in a manner that UCM will not accept:

 

the Subordinate CA that actually signed the certificates has the same CN as the Root CA that signed its certificate - UCM does not actually allow you to upload two tomcat-trust certificates with the same CN (it just overwrites the Root with the Subordinate)... because of this, the server is not able to build the complete trust relationship and unfortunately, rather than throwing an error, the web interface just hangs...
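
The failure described in the last reply, as an added example that is not part of the thread: a pre-upload check that models a trust store keeping one entry per CN (an assumption taken from that description, not Cisco code) and then tries to build the chain for the new certificate. All certificate names, subjects and key identifiers are constructed sample values; in practice they would be read from the real certificates.

```python
import re

def cn_of(subject):
    """Return the CN from a subject string such as 'CN = Corp CA, O = Example'."""
    m = re.search(r"(?:^|[,/])\s*CN\s*=\s*([^,/]+)", subject)
    return m.group(1).strip() if m else None

def upload_all(certs):
    """Model of the behaviour described in the thread (an assumption, not
    Cisco code): the trust store holds one entry per CN, last upload wins."""
    store, overwritten = {}, []
    for cert in certs:
        cn = cn_of(cert["subject"])
        if cn in store and store[cn]["ski"] != cert["ski"]:
            overwritten.append(store[cn]["name"])   # a different cert is lost
        store[cn] = cert
    return store, overwritten

def chain_to_root(leaf, store):
    """Follow authority key id -> subject key id until a self-signed cert.
    Returns the list of CA names, or None if an issuer is missing."""
    by_ski = {c["ski"]: c for c in store.values()}
    path, aki = [], leaf["aki"]
    while aki in by_ski and by_ski[aki]["name"] not in path:
        ca = by_ski[aki]
        path.append(ca["name"])
        if ca["aki"] == ca["ski"]:      # self-signed: reached the root
            return path
        aki = ca["aki"]
    return None

# Constructed sample data; key ids are shortened placeholders.
ROOT = {"name": "root", "subject": "CN = Corp CA, O = Example", "ski": "AA", "aki": "AA"}
SUB_SAME = {"name": "sub", "subject": "CN = Corp CA, O = Example", "ski": "BB", "aki": "AA"}
SUB_OK = {"name": "sub", "subject": "CN = Corp Issuing CA, O = Example", "ski": "BB", "aki": "AA"}
LEAF = {"name": "tomcat", "subject": "CN = cucm-ms.example.com", "ski": "CC", "aki": "BB"}

def preflight(ca_certs, leaf):
    """Report which CA certs a CN-keyed store would lose and the resulting chain."""
    store, overwritten = upload_all(ca_certs)
    return {"overwritten": overwritten, "chain": chain_to_root(leaf, store)}

if __name__ == "__main__":
    print(preflight([ROOT, SUB_SAME], LEAF))   # root lost, no chain
    print(preflight([ROOT, SUB_OK], LEAF))     # chain builds to the root
```
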