Scenario#29 – Certificate expired – %CCM_UNKNOWN-CERT-0-CertExpiryEmergency

Posted: March 2, 2011 in Call Manager - CUCM, Miscellaneous, Real World Scenarios

For one of our customers, we noticed several RTMT SyslogSeverityMatchFound alerts about certificate expiration, generated every few minutes. The alerts I was getting were as follows:

Feb 15 16:00:00, CCM-PUB, Emergency, Cisco Certificate Monitor, : 8947: Feb 15 16:00:00.57 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM Message:Certificate expiration Notification. Certificate name:tomcat Unit:tomcat Type:own-cert Expiration:Wed Mar 3 08:16:58:000 GMT 2010 Cluster ID: Node ID:CCM-PUB, 42

Feb 15 16:00:00, CCM-PUB, Emergency, Cisco Certificate Monitor, : 8948: Feb 15 16:00:00.57 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM Message:Certificate expiration Notification. Certificate name:CallManager Unit:CallManager Type:own-cert Expiration:Thu Mar 4 08:41:45:00 Cluster ID: Node ID:CCM-PUB, 43

Feb 15 16:00:00, CCM-PUB, Emergency, Cisco Certificate Monitor, : 8949: Feb 15 16:00:00.58 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM Message:Certificate expiration Notification. Certificate name:CAPF Unit:CAPF Type:own-cert Expiration:Thu Mar 4 08:41:46:000 GMT 2010 / T Cluster ID: Node ID:CCM-PUB, 44

Feb 15 16:00:00, CCM-PUB, Emergency, Cisco Certificate Monitor, : 8950: Feb 15 16:00:00.58 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM Message:Certificate expiration Notification. Certificate name:CAPF-e00e8760 Unit:CallManager-trust Type:trust-cert Expiration:Thu Mar 4 0 Cluster ID: Node ID:CCM-PUB, 45

Feb 15 16:00:00, CCM-PUB, Emergency, Cisco Certificate Monitor, : 8951: Feb 15 16:00:00.59 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERG

These alerts are usually raised when certificates on the Call Manager are about to expire or have already expired.
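Because the same alert repeats every few minutes and some lines arrive truncated, it helps to collapse them into one row per certificate before opening OS Admin. The following Python script is an added example, not part of the original post or of any Cisco tooling: the function names and the `now` argument are assumptions, and the sample lines are adapted from the alerts quoted above.

```python
import re
from datetime import datetime, timezone

# Sample input adapted from the alerts quoted in the post (shared prefix reused; last line is cut off).
HEAD = "Feb 15 16:00:00, CCM-PUB, Emergency, Cisco Certificate Monitor, : 8947: Feb 15 16:00:00.57 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERGENCY_ALARM Message:Certificate expiration Notification. "
SAMPLE = [
    HEAD + "Certificate name:tomcat Unit:tomcat Type:own-cert Expiration:Wed Mar 3 08:16:58:000 GMT 2010 Cluster ID: Node ID:CCM-PUB, 42",
    HEAD + "Certificate name:CallManager Unit:CallManager Type:own-cert Expiration:Thu Mar 4 08:41:45:00 Cluster ID: Node ID:CCM-PUB, 43",
    HEAD + "Certificate name:CAPF Unit:CAPF Type:own-cert Expiration:Thu Mar 4 08:41:46:000 GMT 2010 / T Cluster ID: Node ID:CCM-PUB, 44",
    HEAD + "Certificate name:CAPF-e00e8760 Unit:CallManager-trust Type:trust-cert Expiration:Thu Mar 4 0 Cluster ID: Node ID:CCM-PUB, 45",
    "Feb 15 16:00:00, CCM-PUB, Emergency, Cisco Certificate Monitor, : 8951: Feb 15 16:00:00.59 UTC : %CCM_UNKNOWN-CERT-0-CertExpiryEmergency: Certificate Expiry EMERG",
]

ALERT = re.compile(
    r"%CCM_UNKNOWN-CERT-0-CertExpiryEmergency:.*?Certificate name:(?P<name>\S+)\s+"
    r"Unit:(?P<unit>\S+)\s+Type:(?P<type>\S+)\s+Expiration:(?P<exp>.*?)\s*Cluster ID:")
# Expiry as logged, e.g. "Wed Mar 3 08:16:58:000 GMT 2010"; search() tolerates trailing junk.
EXPIRY = re.compile(r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
                    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d):\d+\s+GMT\s+(?P<year>\d{4})")
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def parse_alert(line):
    """Return the certificate fields of one alert line, or None if the line is cut off."""
    m = ALERT.search(line)
    if not m:
        return None
    rec = {"name": m["name"], "unit": m["unit"], "type": m["type"], "expires": None}
    e = EXPIRY.search(m["exp"])
    if e and e["mon"] in MONTHS:
        rec["expires"] = datetime(int(e["year"]), MONTHS.index(e["mon"]) + 1, int(e["day"]),
                                  int(e["h"]), int(e["m"]), int(e["s"]), tzinfo=timezone.utc)
    return rec

def triage(lines, now):
    """Collapse repeated alerts to one row per (unit, name); count lines that could not be parsed."""
    certs, unparsed = {}, 0
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            unparsed += 1
            continue
        rec["status"] = ("check manually" if rec["expires"] is None   # date cut off in the alert
                         else "expired" if rec["expires"] <= now else "expiring")
        key = (rec["unit"], rec["name"])
        if key not in certs or rec["expires"] is not None:   # keep a dated record over a truncated one
            certs[key] = rec
    return certs, unparsed

if __name__ == "__main__":
    for (unit, name), rec in triage(SAMPLE, datetime.now(timezone.utc))[0].items():
        print(unit, name, rec["type"], rec["expires"], rec["status"])
```

Rows marked "check manually" are the ones whose date was truncated in the alert text, so their 'Not After' value still has to be read from the certificate itself.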

I went into OS Admin and checked the status of all certificates:

Then I went into each of them to check the ‘Not After’ date:

I regenerated the ones that had expired:

This stopped all RTMT alerts.

You can also regenerate certificates from CLI:

admin: set cert regen tomcat

Comments
  1. Ibrahim says:

    Hello,

    I am having the same issue. I regenerated the certificates of type cert, but the certificates of type trust-certs don’t have an option for regeneration. A specialist from Cisco TAC suggested to delete the certificates, and they will be regenerated. Do I have to restart any service for this to happen?

    Thanks,
    Ibrahim

  2. asharsidd says:

    I don’t think there is any need to restart a service.

  3. Ibrahim says:

    Thanks

  4. CJ says:

    Should I wait until after hours to delete the certificates?

    Thanks
    CJ

  5. asharsidd says:

    You can do it during production hours, but I would recommend a maintenance window if you can arrange one.

  6. neil says:

    Ibrahim, did you do this? And did they just regenerate after you deleted?

    Thanks, Neil
