Certificate hostname mismatch (but it matches?)

    Deploying Edge server in existing OCS 07 environment (EE).  Internal environment works great, Edge Server validation all passes (no warnings or errors...all DNS, user, etc. data passes)


    Connecting from client (not in domain, on external network from internet) gives me errors:


    If I manually configure my server for sipexternal.domain.com / TLS, the error in communicator is:

    "There was a problem verifying the certificate from the server. Please contact your system administrator"

    Event log errors are:

    "Communicator failed to connect to server sipexternal.domain.com (#.#.#.#) on port 79 due to error 10061.  The server is not listening on the port in question, the service is not running on this machine, the service is not responsive, or network connectivity doesn't exist."

    and:

    "Communicator could not connect securely to server sipexternal.domain.com because the certificate presented by the server did not match the expected hostname (sipexternal.domain.com)"

    and there are two errors with it trying to connect through to the internal SIP domain (not sure where those are coming from, but guessing it's because I'm allowing DNS through my internal firewall for troubleshooting this, so it's finding SRV records for my internal domain). These go away if I disable DNS through my internal firewall (though the errors above still persist).


    If I autoconfigure communicator (which should be identical...nslookup verifies _sipfederationtls._tcp.domain.com resolves to sipexternal.domain.com), the error in communicator is:

    "There was a problem verifying the certificate from the server. Please contact your system administrator"

    Event log errors are:

    "Communicator could not connect securely to server sipexternal.domain.com because the certificate presented by the server did not match the expected hostname (sipexternal.domain.com)"


    Quick background on my certs: My certs are from an internal CA (this is just being used for testing; once it works, we'll deploy trusted certs). The specific cert in question has the SN of sipexternal.domain.com, which matches the SRV records and the manually configured external server name. As part of troubleshooting, I also added SANs for sip.domain.com.


    Any ideas?

    Friday, September 21, 2007 11:25 PM

All replies

  • Hello, how did you resolve your issue? thx

    Thursday, January 17, 2008 12:06 PM
  • The first error shows the connection attempt was made over port 79, which is not the default TLS port.  Was that changed specifically in the OCS configuration or does the manual client config have it set?


    Using manual configuration the values typically are internal.domain.com:5061 and external.domain.com:443.


    Thursday, January 17, 2008 1:14 PM
    Moderator
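The two symptoms in the question (connection refused on port 79, and "certificate did not match the expected hostname" even though the CN looks right) are separable, and the moderator's reply points at the port first. The following diagnostic is an added example, not code from the thread or from OCS: it connects to an Edge endpoint, validates the chain (optionally against the internal CA's PEM file, a `cafile` argument assumed here), and then performs the hostname comparison itself so the output lists every name the server actually presented. The sample certificate dict is constructed to mirror the thread's test cert.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, modelled on
# the thread's test certificate: CN sipexternal.domain.com plus a SAN for sip.domain.com.
SAMPLE_CERT = {
    "subject": ((("commonName", "sipexternal.domain.com"),),),
    "subjectAltName": (("DNS", "sip.domain.com"),),
}

def cert_names(cert):
    """Names a certificate asserts: subject CN(s) plus DNS subjectAltNames."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names

def name_matches(pattern, hostname):
    """Case-insensitive match; a wildcard may only stand for the whole leftmost label
    and must be followed by at least two labels (so '*.com' never matches)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_mismatch(cert, expected):
    """None when `expected` is covered by the cert, otherwise the names it did present."""
    names = cert_names(cert)
    return None if any(name_matches(n, expected) for n in names) else names

def check_endpoint(host, port=443, cafile=None, timeout=5.0):
    """Connect to host:port, verify the chain (optionally against a private CA file),
    then report the name check separately so a mismatch shows what the server sent."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # the name comparison is done below, explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must validate, or getpeercert() is empty
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ConnectionRefusedError:
        return f"nothing listening on {host}:{port} (the thread's error 10061 on port 79)"
    except ssl.SSLCertVerificationError as exc:
        return f"chain does not validate: {exc.verify_message}"
    presented = hostname_mismatch(cert, host)
    if presented is None:
        return f"{host}:{port} presents a certificate valid for {host}"
    return f"{host}:{port} certificate names {presented} do not cover {host}"
```

Run it as `check_endpoint("sipexternal.domain.com", 443, cafile="internal-ca.pem")` against the external interface; a result naming only internal hostnames means the Edge external interface is serving the wrong certificate, whatever the CN in the console says.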