
TLS Certificate issues with web self-admin 2


Qzwsa

Technical User
Sep 26, 2011
309
CA
I have a customer that uses the web-based admin for users to change their forwarding and twinning via VPN when working remotely. When I set it up a month or two ago, Chrome didn't like the certificate but Edge still worked.

Now, after what I assume was an MS update pushed through on Edge, my suggestion to use Edge is no longer valid. I've enabled older versions of TLS in Internet Options on the computer I test with, but still get certificate errors (and it won't let me proceed after the warning). I've tried reloading the page in IE mode - that seems to work.

Is there an easy fix for this that a working-from-home cubicle dweller will be able to do on their own, or even better, a setting in security on the IPO that I can change to get this working without the user doing anything at all?

For the record, the system is a 500v2, preferred, at r11.0.4.7

- Qz
 
Hi,

It is getting more and more difficult to keep using devices without installing a TLS certificate on them.

We are now getting more and more reports of customers who can no longer access the IPO's when there is no CA certificate installed.
Customers with a CA certificate are of course not having these problems. (= customers with Workplace users)

For customers without a CA certificate we are now first regenerating the self-signed certificates including a SAN: IP:xxx.xxx.xxx.xxx (replace xxx with the IPO's IP).
That certificate will be installed on the users that want to access the IPO via webmanager.

But the Avaya / Ascom DECT antennas are also getting more difficult to access.


It's one thing to add a certificate to 1 or 2 IPOs. But creating a certificate for 30 antennas is a bit more time consuming.
How are you dealing with those?
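As an added example (not from the thread, and not Avaya's own procedure; the IPO generates its certificate from its own security settings), this is the step the post describes, a self-signed certificate carrying the device IP as a subjectAltName, done with openssl on a workstation, followed by the checks a client applies once the certificate has been imported as a trust anchor. 192.0.2.10 and ipo-example are constructed placeholders; the 398-day bound is the "a year plus a few days" limit mentioned later in the thread.

```shell
#!/bin/sh
# Added example, not from the thread and not Avaya's procedure: generate a
# self-signed device certificate whose subjectAltName carries the device IP
# (the "SAN: IP:xxx.xxx.xxx.xxx" the post describes), keep its lifetime to one
# year, and verify it the way a client that imported it as a trust anchor would.
# 192.0.2.10 and ipo-example are constructed placeholder values.
set -e

# gen_selfsigned_with_san NAME IP DIR
# Writes DIR/key.pem and DIR/cert.pem. Modern browsers match the address in the
# URL against the SAN extension only, so the IP has to appear as an IP: entry;
# a matching CN on its own is no longer honoured.
gen_selfsigned_with_san() {
    name="$1"; ip="$2"; dir="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -days 365 \
        -subj "/CN=$name" \
        -addext "subjectAltName=DNS:$name,IP:$ip" \
        -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
}

# cert_has_ip_san CERT IP: succeeds when IP is listed in subjectAltName
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# cert_expires_within_days CERT DAYS: succeeds when notAfter falls within DAYS
# from now, i.e. the lifetime does not exceed that bound. openssl -checkend
# exits 0 only if the cert is still valid after the interval, hence the "!".
cert_expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# verify_as_trust_anchor CERT IP: emulate a client that imported CERT into its
# trust store and then browses to https://IP/ - the chain must build against
# the imported cert and the IP must match a SAN entry.
verify_as_trust_anchor() {
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# Stand-alone demo with the placeholder values (override via environment).
DEVICE_IP="${DEVICE_IP:-192.0.2.10}"
DEVICE_NAME="${DEVICE_NAME:-ipo-example}"
OUTDIR="$(mktemp -d)"

gen_selfsigned_with_san "$DEVICE_NAME" "$DEVICE_IP" "$OUTDIR"
cert_has_ip_san "$OUTDIR/cert.pem" "$DEVICE_IP" && echo "SAN contains IP:$DEVICE_IP"
cert_expires_within_days "$OUTDIR/cert.pem" 398 && echo "lifetime is within 398 days"
verify_as_trust_anchor "$OUTDIR/cert.pem" "$DEVICE_IP" && echo "verifies as trust anchor for $DEVICE_IP"
echo "key: $OUTDIR/key.pem  cert: $OUTDIR/cert.pem"
```

The last function is the part that matters for the users in the post: importing the self-signed certificate on each PC only removes the warning when the address typed in the browser is present in the SAN and the certificate's lifetime stays under the bound the browser enforces, which is exactly what the two checks test.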
 
1. Buy a domain (wankydoodle.com or whatever is cheap)
2. create subdomains for each customer (customer1.wankydoodle.com and customer2.wankydoodle.com and so on ...)
3. purchase a wildcard certificate *.wankydoodle.com
4. upload it to all your customers that pay you for your efforts
5. ensure that DNS resolves to the IPO from their internal network and externally to their public IP (Split DNS)

This should work
This would also mean that you have to renew the wildcard cert every year and upload it to all your customers to keep them up and running, and the ones that leave you would have to find their own solution then.

Joe
FHandw, ACSS, ACIS

"Dew knot truss yore Spell Cheque
 
Hi Westi,

That is basically the way it works for our IPO datacenter solutions.

But the problem is the DECT antennas, we can't create a domain name for each DECT antenna and put a wildcard certificate in the antennas...
To reach each antenna via its domain name would be strange and it would be a high workload to configure everything.
records for antenna1.domain.com, antenna2.domain.com, antenna3.domain.com ...
configure each antenna with the domain name ..

That would also mean we'd have to renew the certs each year on each antenna.
A self-signed cert would last longer.

(i'm not a certificate specialist so not really up to speed on all possible solutions)

so any suggestion to make this easier?
 
Cert requirements have changed and Apple started to refuse the self-signed ones that are valid for longer than a year + a few days
I think Google and therefore Android has followed suit.

I missed your Antenna dilemma almost entirely.

You could try Edge in IE compatibility mode as I have a few customers that need to use that to access their video surveillance.

Joe
FHandw, ACSS, ACIS

"Dew knot truss yore Spell Cheque
 
I found a tip online. When you get this page (which is what I've been getting) you can click anywhere on the page and type in "thisisunsafe" and it will load the page.

[Screenshot: Screenshot_2023-04-26_100859_tys02i.png]
 
Qzwsa
that is a great tip, have some pink

Joe
FHandw, ACSS, ACIS

"Dew knot truss yore Spell Cheque
 