PIC: AOL certificate expired?

  • Question

  • I'm seeing errors on my access edge servers since this morning regarding my federation with AOL (it has been working fine previously):

    Over the past 0 minutes Office Communications Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80090325 (The certificate chain was issued by an authority that is not trusted.) while trying to connect to the host "sip.oscar.aol.com".

    Cause: Wrong principal error could happen if the peer presents a certificate whose subject name does not match the peer name. Certificate root not trusted error could happen if the peer certificate was issued by remote CA that is not trusted by the local machine.

    In the past 0 minutes the server received 1 invalid incoming certificates. The last one was from host 64.12.162.248.

    Cause: This can happen if a remote server presents an invalid certificate due to an incorrect configuration or an attacker.

    Has anyone else seen this problem? My other federated peers are working fine...

    Cheers,

    Alex

    Tuesday, December 2, 2008 11:59 AM

Answers

All replies

  • Yup - all my AIM clients are offline

    AOL's current certificate that expires on 12/5/08 was issued by Equifax - which you have the root certificate chain for.

    Their new certificate, issued on 11/25/08 and apparently cut over to at around 4am EST this morning, is issued by their own CA "AOL Member CA" - which our edge servers don't have as a trusted certificate chain.

    I'm waiting for confirmation from premier support to load the new certificate chain for the AOL Member CAs (just want to make sure AOL wasn't hacked -big grin-)

    Tuesday, December 2, 2008 2:54 PM
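The failure described in the post above (a peer that has switched to a chain anchored in a private CA the edge server does not trust) can be confirmed before anyone imports anything. The script below is an added example, not code from this thread, from Microsoft or from AOL: run from a Windows machine, it performs a TLS handshake with the federation peer, captures every certificate the peer presents, then builds the chain against the local machine's certificate stores and reports the issuer, expiry and thumbprint of each element together with the chain status. Assumptions: the peer host is the one named in the thread, port 5061 is the usual SIP/TLS port (the thread does not state one), and `$ExportDir` is a placeholder path.

```powershell
# Added example (not from the thread, Microsoft or AOL): probe a federation peer's TLS chain
# and report whether it chains to a root trusted by THIS machine's certificate stores.
# Assumptions: host from the thread; 5061 = usual SIP/TLS port (not stated in the thread);
# $ExportDir is a placeholder.
param(
    [string]$PeerHost  = 'sip.oscar.aol.com',
    [int]   $PeerPort  = 5061,
    [string]$ExportDir = (Join-Path $env:TEMP 'peer-chain')
)

$certType  = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$presented = New-Object "System.Collections.Generic.List[$certType]"

# Accept the handshake whatever SChannel thinks of it, so we can see what the peer sent.
# The trust decision we care about is made explicitly below with X509Chain, not here.
$captureAndAccept = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    foreach ($element in $chain.ChainElements) {
        # Copy from RawData so the captured objects outlive the chain SslStream built.
        $presented.Add((New-Object $certType -ArgumentList (,$element.Certificate.RawData)))
    }
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($PeerHost, $PeerPort)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $captureAndAccept)
    $ssl.AuthenticateAsClient($PeerHost)
    $leaf = New-Object $certType -ArgumentList $ssl.RemoteCertificate
} finally {
    $tcp.Close()
}

# Rebuild the chain the way the local machine would: intermediates the peer sent go into
# ExtraStore (usable for path building, NOT trusted); the anchor must come from the local
# Trusted Root store. Revocation is a separate question, so it is not checked here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
foreach ($c in $presented) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
$isTrusted = $chain.Build($leaf)

"Peer          : ${PeerHost}:${PeerPort}"
"Leaf subject  : $($leaf.Subject)"
"Leaf issuer   : $($leaf.Issuer)"
"Leaf validity : $($leaf.NotBefore) -> $($leaf.NotAfter)"
"Chain as built on $env:COMPUTERNAME:"
$i = 0
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    "  [$i] $($c.Subject)  expires $($c.NotAfter.ToShortDateString())  thumbprint $($c.Thumbprint)"
    $i++
}
if ($isTrusted) {
    "RESULT: chain is trusted by this machine's stores."
} else {
    # UntrustedRoot is the condition OCS logs as 0x80090325 (SEC_E_UNTRUSTED_ROOT).
    "RESULT: chain is NOT trusted by this machine's stores:"
    foreach ($s in $chain.ChainStatus) { "  - $($s.Status): $($s.StatusInformation.Trim())" }
}

# Export what the peer presented (DER) so its thumbprints can be compared against the CA's
# published chain obtained out of band. Do not import these files directly: a man-in-the-middle
# would present a chain that validates perfectly once you trust it.
New-Item -ItemType Directory -Force -Path $ExportDir | Out-Null
foreach ($c in $presented) {
    $name = ($c.Subject -replace '[^A-Za-z0-9]+', '_').Trim('_')
    [IO.File]::WriteAllBytes((Join-Path $ExportDir "$name.cer"), $c.Export('Cert'))
}
"Presented certificates written to $ExportDir for out-of-band comparison."

# Remediation, once the thumbprints match the CA's published root and intermediate
# (file names are placeholders):
#   certutil -addstore -f Root  <published-root>.cer
#   certutil -addstore -f CA    <published-intermediate>.cer
```

Because the chain is built against the stores of the machine running the script, the result is only meaningful on the access edge server itself (the later replies confirm that is the only box that needs the new chain), and the same leaf can report as trusted on one Windows version and not on another depending on what each machine's root store holds. The thumbprint comparison step is the practical answer to the "was AOL hacked?" question in the post above: the thread's error text explicitly lists an attacker as one possible cause of an untrusted incoming certificate, and importing whatever a peer happens to present removes the only control that would catch that.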
  • I guess that is the workaround, but it does seem a bit cheeky of AOL to expect us to do this. After all, I don't suppose they'd install my internal CA root on their boxes.

    Tuesday, December 2, 2008 3:09 PM
  • Does anyone even know where to go to get this new CA to install? I am having the same issue with AOL federation, started early this morning.

    Tuesday, December 2, 2008 4:13 PM
  • Scott just posted the instructions for adding AOL's new certificate chain on his blog at http://blogs.msdn.com/scottos/archive/2008/12/02/office-communicator-clients-cannot-communicate-with-contacts-homed-on-aol.aspx

    Communications will resume almost immediately for your AIM users. Don't forget - to get the presence information to appear right, it's best to have your users log off and back into OC to get the immediate refresh of presence information.

    Tuesday, December 2, 2008 4:16 PM
  • https://pki-info.aol.com/AOLMSPKI/index.html I think. [Ignore that, see Chad S' post]


    Interestingly AOL Root CA 1 is listed as a trusted root CA in IE7 on Vista, but not on IE7 on my Server 2003 boxes.

    Tuesday, December 2, 2008 4:18 PM
  • Ah, excellent stuff. Done this (just needed to do it on my access edge I think?) and all is working fine.

    Tuesday, December 2, 2008 4:21 PM
  • Yup - only need to do it on your access edge.

    Tuesday, December 2, 2008 4:22 PM
  • Thank you, this fixed my AOL issue.


    Tuesday, December 2, 2008 5:06 PM
  • Yes, thanks.  Much appreciated!


    Wednesday, December 3, 2008 2:44 PM