Skype for Business Server Access Edge not starting after 15th Jan? Quovadis.........

-

 An interesting start to the week.

On the 15th of January 2021, Quovadis/Digicert revoked an intermediate certificate without any apparent notification.

As 'luck' would have it some patching happened shortly after and the server rebooted. The services would not come up.

After some checking of new software deployments (security/management), validating patching, restoring VMs from backup it was discovered that changing the system clock back to the 14th Jan let the services start. With such a specific cut-off date/time and the service event logs (not always pointing in the right direction!) it pointed a finger at certificate revokcation. We knew the public certs weren't due to expire for 6 months and the dates on the intermediate and root cert were all fine.

Some google-fu found that we were not alone

AusCERT statement “QuoVadis Global SSL ICA G3” issue impacting multiple customers

QuoVadis Intermediate Revoke Update | Jisc community


Even though we double-checked the certificate and even downloaded and re-applied the certificate, the certificate chain supplied was still the original package and didn't include the updated/re-issued intermediate certificate.

Downloading and applying the intermediate certificate itself http://trust.quovadisglobal.com/qvsslg3.crt fixed the issue immediately.

Also remember you may need to patch your gateways too if you have public certs (ie Teams Direct Routing).


The issue only appeared once the services were restarted so it may continue to raise its head for a wee while.

Comments

Post a Comment

Popular posts from this blog

Skype Online and MCOValidationError

-
These user counts are incorporated into the Lync ReportHTML  from the previous post: https://jc-nts.blogspot.com/2019/05/powershell-module-reporthtml.html While doing some housekeeping for a client, I noticed that the Interpreted User Type attribute in SfBO threw up some HybridOnpremSfBUserWithMCOValidationError accounts. The full list included: DirSyncSfBUser: On-premises users which have been assigned a SfB online licence DirSyncTeamsUser: On-premises users which have been assigned a Teams licence HybridOnlineSfBUser: A user created on-premises and migrated to SfBO HybridOnpremSfBUser: A user created on-premises and enabled on-premises for Lync/Skype HybridOnpremSfBUserWithDeletedLicenses: An on-premises user has a deleted office 365 SfB licence HybridOnpremSfBUserWithMCOValidationError: An on-premises user with a domain that is not valid in your synchronised tenant PureOnlineSfBUser: Online users which have been assigned a SfB licence PureOnlineTeamsUser: Online users
Read more

SCCM 2012 R2 - Offline servicing error

-
While updating images in SCCM 2012R2 to apply recent updates to a windows 8 image, I hit the following errors: Failed to install update with error code -2146498513 InstallUpdate returned code 0x800f082f Failed to install update with ID 17242935 on the image. ErrorCode = 2095 To fix: Mount the image (.wim) file using dism: dism /mount-wim /wimfile:d:\sources\os\captures\w8x86.wim /index:2 /mountdir:c:\mount Load the registry SOFTWARE key reg load HKLM\MyKey c:\mount\windows\system32\config\software Find the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Compnent Based Servicing\SessionsPending Edit the DWORD Exclusives to value 0 (in my case it was 3) unload the registry reg unload HKLM\MyKey commit the changes to the wim dism /unmount-wim /mountdir:c:\mount /commit In SCCM, schedule the updates. Key an eye on the OfflineServicingMgr log file - you might need to do the same again. Links DISM mounting http://msdn.microsoft.com/en-us/library/ff79481
Read more

Polycom provisioning - and Zoom!

-
Updated June 2019 So I have a little downtime which means I need a little project. On my 'havent setup in the test lab yet' is a polycom provisioning service. So, off to eBay i head for some devices (naturaly) and i'm pleasantly surprised to find some VVX handsets at a very reasonable £30. On a roll, i head off to find some Trio conference devices. A step up from the CX3000 they replaced, these are nice pieces of kit. I just missed out on a trio 8800 and visual+ bundle, so with VVX501 in hand i setup a provisioning service. FTP server - filezilla - check exceptions in the firewall - allow the filezilla app through - check DHCP options (160 AND 161 for newer firmware) - check Create a config file for the MAC address (i only have a single device, after all) Remembering to disable updates from the Lync/Skype/Office365 service - I dont want a reboot loop as it updated and downgrades repeatedly. <?xml version="1.0" standalone="yes"?> <
Read more