10-16-2015 06:59 AM - edited 03-19-2019 10:14 AM
Hello - I'm having trouble uploading a CA signed certificate for my tomcat service... UCM Version 11.0(1a).
I've generated the Multi-Server SAN CSR and had it signed by the internal CA - I've uploaded the internal CA root and subordinate certificates as tomcat-trust.
The problem is when I attempt to upload the new CA signed tomcat certificate, the page just hangs at the "Loading, please wait." screen - I've let it sit like that until the browser session times out, only to log-in again and find the tomcat certificate is still self signed...
I've tried this with IE and Chrome - both behave the same.
Has anybody else experienced this issue?
10-16-2015 08:10 AM
Hi Josh,
Just wanted to make sure you had seen this change-in-behavior bug:
Symptom:
The CUCM 11.0 documentation is not updated to mention that whenever the Tomcat certificate is regenerated or uploaded, the TFTP service needs to be deactivated and activated. Else the TFTP continues to offer the old cached self-signed tomcat certificate.
Conditions:
Tomcat certificate is regenerated or uploaded
Workaround:
TFTP service needs to be deactivated and activated
Cheers!
Rob
10-16-2015 08:53 AM
Hey Rob - I don't believe that bug is applicable to this issue... I'm not even able to get the new certificate to upload to the server (however, I restarted the tomcat service before attempting to upload the new certificate and again, the browser still hangs at the "Loading, please wait." screen)
Josh
10-16-2015 09:05 AM
I did that in my lab to an 11.0.1.20000-2 and had no problems. I'm about to do the same in a while for a video I'm recording on how to sign certificates; I don't think I'll have any problems.
I usually only use Chrome, up to whatever is the latest version, to get into my CUCM and have had no problems. Have you verified the .cer file has no problems?
10-17-2015 03:04 PM
Hey Jamie - The .cer file seems fine - I'm able to open it in windows and everything looks ok...
I'm having the same problem on two certs in this cluster... the tomcat multi-server SAN cert for 6 ucm/imp nodes and the multi-server SAN cert for the 2 imp nodes - I'm going to try without the multi-server SAN option and see if individual certs per service per server works
10-18-2015 05:45 PM
Interesting, I finished with the video and was able to upload the cert for tomcat without any issue, and I've done both, for a single server, and multi-server.
Are you local to the server??
Have you tried with other web browsers???
10-22-2015 06:39 PM
I've discovered the cause of this issue... the customer's internal CA is configured in a manner that UCM will not accept:
The Subordinate CA that actually signed the certificates has the same CN as the Root CA that signed its certificate - UCM does not actually allow you to upload two tomcat-trust certificates with the same CN (it just overwrites the Root with the Subordinate)... because of this, the server is not able to build the complete trust relationship and unfortunately, rather than throwing an error, the web interface just hangs...
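A pre-upload check for the condition described in the last post, as an added example that is not part of the original thread: it lists any subject CN shared by more than one CA certificate intended for tomcat-trust. The function names, file names and the "Example CA" chain are constructed stand-ins generated with `openssl` on the fly.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): flag CA certificates that share a
# subject CN before they are uploaded as tomcat-trust.

# Print the subject commonName of one PEM certificate file.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Print each CN that appears on more than one of the given certificate files.
dup_cns() {
  for f in "$@"; do cert_cn "$f"; done | sort | uniq -d
}

# Constructed sample: a root and a subordinate whose DNs differ (OU) but whose
# CN is identical, the layout the last post describes. Stand-in certificates
# only; no CA extensions are set because only the subject is inspected.
make_sample_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example/CN=Example CA" \
    -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/O=Example/OU=Issuing/CN=Example CA" \
    -keyout "$d/sub.key" -out "$d/sub.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/sub.pem" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_sample_chain "$tmp"
clash=$(dup_cns "$tmp/root.pem" "$tmp/sub.pem")
if [ -n "$clash" ]; then
  echo "CN used by more than one trust certificate: $clash"
fi
```

To check a real chain, call `dup_cns` with the PEM files of the root and subordinate certificates; empty output means no two of them share a CN.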