OCSR1 QoE failing MTLS negotiation for receipt of QoE reports RRS feed

  • Question

  • Hi, 

    Error message recorded on QoE when FE attempts to submit a report:

    TL_WARN(TF_CONNECTION) [0]08C4.0940::02/13/2009-11:31:26.381.00000008 (QMS,Core.TlsNegotationFailedHander:242.idx(362))( 020266E5 )TLS Negotiation failed: ErrorCode=-2146762487
    FailureReason=UntrustedRemoteCertificate
    Microsoft.Rtc.Signaling.TlsFailureException: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider ---> Microsoft.Rtc.Internal.Sip.TLSException: incoming TLS negotiation failed; HRESULT=-2146762487
       at Microsoft.Rtc.Internal.Sip.TlsTransportHelper.HandleNegotiationFailure(Int32 status, Boolean incoming)
       at Microsoft.Rtc.Internal.Sip.TlsTransportHelper.IncomingTlsNegotiation(TransportsDataBuffer receivedData, TransportsDataBuffer& pDataToSend)
       at Microsoft.Rtc.Internal.Sip.TlsTransportHelper.NegotiateConnection(TransportsDataBuffer receivedData, TransportsDataBuffer& pDataToSend)
       at Microsoft.Rtc.Internal.Sip.TlsTransport.DelegateNegotiation(TransportsDataBuffer receivedData)
       at Microsoft.Rtc.Internal.Sip.TlsTransport.OnReceived(Object data)
       --- End of inner exception stack trace ---

     

    The SIPStack tracing on the FE reports that the QoE has rejected the attempt to set up an MTLS connection.

    The FE has a certificate issued by DigiCert with a chain of <server name> -> DigiCert Global CA -> Entrust.net Secure Server Certification Authority
    The QoE has a certificate issued by the internal CA.

    I have checked that the DigiCert Global CA and Entrust.net Secure Server Certification Authority are installed into the certificate store (Local Computer: Trusted Root Certificate Authority and Intermediate Certification Authorities), and the Intended Purpose is set to "All".
    I have also checked the FE has the internal CA listed in the Local Computer: Trusted Root Certificate Authority.

    Kind of stumped now as to why the negotiation is still failing. Any suggestions?

    regards
    John 
    Friday, February 13, 2009 1:31 PM

All replies

  • John,
    Can the QoE server reach the Internet? You may uncheck the CRL checking option on the QoE server to see if that helps.

    Jim Raymond - DynTek
    Thursday, February 26, 2009 6:10 AM
  • Hi,

    Yes the QoE server is able to reach the internet. Unfortunately disabling CRL didn't help.

    In the end the only way I could get the QoE to successfully accept reports was to replace the certificate on the QoE server with one from DigiCert. Once this was done, the above error went away and QoE started accepting reports.

    regards
    John
    • Marked as answer by johnbir Tuesday, March 3, 2009 9:56 AM
    Tuesday, March 3, 2009 9:56 AM
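
An added diagnostic example, not part of the original thread or any poster's code: run in PowerShell on the server that logged the failure, it decodes the ErrorCode from the trace and builds the remote certificate's chain against the local machine stores, once without and once with revocation checking, so an untrusted-root result can be told apart from a CRL problem. The certificate path is a placeholder for a .cer file exported from the remote server.

```powershell
# Added diagnostic sketch. Run on the server that logged the TLS failure.
# $PeerCertPath is a placeholder: first export the remote server's certificate
# (public part only, no private key) to a .cer file and point this at it.
param(
    [string]$PeerCertPath = 'C:\temp\peer.cer',   # hypothetical path
    [int]$HResult = -2146762487                    # ErrorCode from the trace in the question
)

# Decode the signed HRESULT: show it in hex with the Windows message text.
# -2146762487 is 0x800B0109 (CERT_E_UNTRUSTEDROOT).
$hex = '0x{0:X8}' -f $HResult
$msg = (New-Object System.ComponentModel.Win32Exception $HResult).Message
"ErrorCode $HResult = $hex : $msg"

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PeerCertPath
"Peer certificate: $($cert.Subject)  (issuer: $($cert.Issuer))"

# Build the chain twice. If it fails with NoCheck as well, the problem is trust
# (missing root or intermediate in the Local Computer stores), not CRL retrieval.
foreach ($mode in 'NoCheck', 'Online') {
    # $true = evaluate in the machine context, as a service would
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $true
    $chain.ChainPolicy.RevocationMode = $mode
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'

    $ok = $chain.Build($cert)
    "--- RevocationMode=$mode : chain valid = $ok"

    # One line per chain element, leaf first, with any status flags such as
    # UntrustedRoot, PartialChain, RevocationStatusUnknown or OfflineRevocation.
    foreach ($el in $chain.ChainElements) {
        $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $status) { $status = 'NoError' }
        '{0}  [{1}]' -f $el.Certificate.Subject, $status
    }
}
```

Running it on both servers, each against the other's exported certificate, shows which side of the MTLS handshake cannot build a trusted chain.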