CCE: Renewing Edge Certs

Cloud Connector Edition (CCE) is going to be around for a while yet, until it dies along with Skype for Business Online (current date 31st July 2021).

Recently I’ve had to renew quite a few CCE Edge certificates, and there are likely to be more, so I’ve written this for my reference. Hopefully it’s of use to you too.

New certificate – you need to:

  • generate a CSR
  • order the certificate
  • import the certificate when issued
  • export as a .pfx file, including the chain, and make a note of the password

Life will be made easier if you know the Edge Server External Certificate Password. If you do, set it as the password when exporting the certificate.

I typically work with CCE deployments based on Sonus/Ribbon CloudLink; during the initial deployment this is where you set the password:

CCECertUser

Process for ‘I know the password’…

This is the process to replace the certificate if you know the Edge Server External Certificate Password.  If you don’t, jump to ‘I don’t know the password’.

Enter maintenance mode:

Enter-CcUpdate
The EnterUpdate log is in C:\UX\CCE\CcAppliance\Log\WIN_SR504MLTG9U_EnterUpdate+00_00_2020_02_20_13_23_31.log.
Task:EnterUpdate starts at 2020-02-20T13:23:32.0220259+00:00
The current scripts version is 2.1.0.
The version of current running instance is 2.1.0.
Trying to enter manual maintenance mode.
Successfully enter manual maintenance mode.
Started Draining RTCSRV service on Edge server and RTCMEDSRV service on Mediation server...
Drainning services finished. 0 second(s) passed.
Drainning services timeout. Forceing services to stop.
Drainning services timeout. Services were stopped successfully.
Drainning services finished. 0 second(s) passed.
Finished draining RTCSRV service on Edge server.
Drainning services finished. 0 second(s) passed.
Finished draining RTCMEDSRV service on Mediation server.
The preparation for installing updates finished.
Task:EnterUpdate ends at 2020-02-20T13:24:21.7258808+00:00

Replace the current Edge Server External Certificate with the new one:

Set-CcExternalCertificateFilePath -Target EdgeServer -Path C:\temp\NewExternalEdgeCert.pfx -Import
The SetExternalCertificateFilePath log is in C:\UX\CCE\CcAppliance\Log\WIN_SR504MLTG9U_SetExternalCertificateFilePath+00_00_2020_02_20_13_24_50.log.
Task:SetExternalCertificateFilePath starts at 2020-02-20T13:24:50.6811135+00:00
The current scripts version is 2.1.0.
The version of current running instance is 2.1.0.
Update ExternalCertificateFilePath with value C:\temp\NewExternalEdgeCert.pfx in configuration.
Enabling credential delegation for NTLM on host machine.
Creating key on host machine: hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly
Certificate "CCE_2020" added to store.

CertUtil: -importPFX command completed successfully.
The following certificate was assigned for the type "AccessEdgeExternal":
AccessEdgeExternal: [removed] SFBEXTEDGE01.x500.co.uk 03/10/2021 CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US [removed]
The following certificate was assigned for the type "DataEdgeExternal":
DataEdgeExternal: [removed] SFBEXTEDGE01.x500.co.uk 03/10/2021 CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US [removed]
The following certificate was assigned for the type "AudioVideoAuthentication":
AudioVideoAuthentication: [removed] SFBEXTEDGE01.x500.co.uk 03/10/2021 CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US [removed]
Disabling credential delegation for NTLM on host machine.
Removing key on host machine: hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly.
Task:SetExternalCertificateFilePath ends at 2020-02-20T13:25:28.3374535+00:00

Exit maintenance mode:

Exit-CCUpdate
The ExitUpdate log is in C:\UX\CCE\CcAppliance\Log\WIN_SR504MLTG9U_ExitUpdate+00_00_2020_02_20_13_25_37.log.
Task:ExitUpdate starts at 2020-02-20T13:25:37.4471702+00:00
The current scripts version is 2.1.0.
The version of current running instance is 2.1.0.
Start services on server 192.168.0.155 with user sfb-ccedomain.local\Administrator
Service DNS is in auto start mode.
Service DNS is Running, skip starting it.
Service ADWS is in auto start mode.
Service ADWS is Running, skip starting it.
Start services on server 192.168.0.156 with user Administrator
Service MSSQL$RTC is in auto start mode.
Service MSSQL$RTC is Running, skip starting it.
Service MSSQL$RTCLOCAL is in auto start mode.
Service MSSQL$RTCLOCAL is Running, skip starting it.
Service MASTER is in auto start mode.
Service MASTER is Running, skip starting it.
Service REPLICA is in auto start mode.
Service REPLICA is Running, skip starting it.
Service FTA is in auto start mode.
Service FTA is Running, skip starting it.
Start services on server 192.168.0.158 with user Administrator
Service MSSQL$RTCLOCAL is in auto start mode.
Service MSSQL$RTCLOCAL is Running, skip starting it.
Service REPLICA is in auto start mode.
Service REPLICA is Running, skip starting it.
Set service RTCSRV startup type back to Automatic.
Begin to start service RTCSRV
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
Finish to start service RTCSRV
Service RTCMRAUTH is in auto start mode.
Service RTCMRAUTH is Running, skip starting it.
Service RTCMEDIARELAY is in auto start mode.
Service RTCMEDIARELAY is Running, skip starting it.
Start services on server 192.168.0.157 with user Administrator
Service MSSQL$RTCLOCAL is in auto start mode.
Service MSSQL$RTCLOCAL is Running, skip starting it.
Service REPLICA is in auto start mode.
Service REPLICA is Running, skip starting it.
Set service RTCMEDSRV startup type back to Automatic.
Begin to start service RTCMEDSRV
WARNING: Waiting for service 'Skype for Business Server Mediation (RTCMEDSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Mediation (RTCMEDSRV)' to start...
Finish to start service RTCMEDSRV
The post process finished.
Trying to exit current manual maintenance mode.
Successfully exit manual maintenance mode.
Task:ExitUpdate ends at 2020-02-20T13:26:14.8379015+00:00

If the above is successful, you’re done.
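A pre-flight check for the steps above, as an added example that is not part of the original post: it confirms the .pfx opens with the password you noted, contains the chain, and is not about to expire before any service is drained, then runs the import inside maintenance mode. The 30-day threshold and parameter names are assumptions, and the check cannot confirm that the password matches the one CCE has stored.

```powershell
# Added example, not from the original post.
# Assumed values: the parameter names and the 30-day validity threshold.
param(
    [string]$PfxPath = 'C:\temp\NewExternalEdgeCert.pfx',  # path used in the post
    [int]$MinDaysValid = 30                                 # assumed threshold
)
$ErrorActionPreference = 'Stop'

# Prompt for the password chosen at export. Typing it here keeps it out of
# the command line and the PowerShell history.
$password = Read-Host -Prompt 'PFX export password' -AsSecureString

# Get-PfxData opens the file without installing anything in a certificate
# store. A wrong password throws here, before any service has been drained.
$pfx = Get-PfxData -FilePath $PfxPath -Password $password

$leaf = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $leaf) {
    throw "No end-entity certificate found in $PfxPath"
}
if (@($pfx.OtherCertificates).Count -eq 0) {
    throw 'PFX contains no chain certificates; re-export including the chain.'
}
if ($leaf.NotAfter -lt (Get-Date).AddDays($MinDaysValid)) {
    throw "Certificate expires $($leaf.NotAfter); is this the renewed one?"
}
'{0} expires {1:u}, issued by {2}' -f $leaf.Subject, $leaf.NotAfter, $leaf.Issuer

Enter-CcUpdate
try {
    Set-CcExternalCertificateFilePath -Target EdgeServer -Path $PfxPath -Import
}
finally {
    # Always bring the Edge and Mediation services back, even if the import failed.
    Exit-CcUpdate
}
```

Once the import has succeeded, delete the .pfx from the temporary folder, since it holds the private key.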

Process for ‘I don’t know the password’…

If you’re here, you’ve likely encountered the following error:

Set-CcExternalCertificateFilePath -Target EdgeServer -Path C:\Temp\NewExternalEdgeCert.pfx -Import
The SetExternalCertificateFilePath log is in C:\UX\CCE\CcAppliance\Log\WIN_12C4GANR3J9_SetExternalCertificateFilePath+00_00_2020_02_20_09_24_12.log.
Task:SetExternalCertificateFilePath starts at 2020-02-20T09:24:12.2876614+00:00
The current scripts version is 2.1.0.
The version of current running instance is 2.1.0.
Update ExternalCertificateFilePath with value C:\TempNewExternalEdgeCert.pfx in configuration.
SetCcExternalCertificateFilePathInternal : Password for C:\TempNewExternalEdgeCert.pfx is not correct. Run
'Register-CcAppliance -Local' to input the right password then run this cmdlet to import the certificate again.

Enter maintenance mode:

Enter-CcUpdate
The EnterUpdate log is in C:\UX\CCE\CcAppliance\Log\WIN_12C4GANR3J9_EnterUpdate+00_00_2020_02_20_09_20_03.log.
Task:EnterUpdate starts at 2020-02-20T09:20:03.8417672+00:00
The current scripts version is 2.1.0.
The version of current running instance is 2.1.0.
Trying to enter manual maintenance mode.
Successfully enter manual maintenance mode.
Started Draining RTCSRV service on Edge server and RTCMEDSRV service on Mediation server...
Drainning services finished. 0 second(s) passed.
Drainning services timeout. Forceing services to stop.
Drainning services timeout. Services were stopped successfully.
Drainning services finished. 0 second(s) passed.
Finished draining RTCSRV service on Edge server.
Drainning services finished. 0 second(s) passed.
Finished draining RTCMEDSRV service on Mediation server.
The preparation for installing updates finished.
Task:EnterUpdate ends at 2020-02-20T09:21:22.0471984+00:00

Change the Edge Server External Certificate Password:

Make sure the new password matches your certificate export!

Register-CcAppliance -Local
The RegisterInstance log is in C:\UX\CCE\CcAppliance\Log\WIN_12C4GANR3J9_RegisterInstance+00_00_2020_02_20_09_24_36.log.
Task:RegisterInstance starts at 2020-02-20T09:24:36.4308088+00:00
The current scripts version is 2.1.0.
The version of current running instance is 2.1.0.
Validate configuration file C:\UX\CCE\CcAppliance\CloudConnector.ini successfully.
Enter ExternalCert's password: *****
Confirm ExternalCert's password: *****
Started Initializing the account for CceService...
User: CceService exists.
User: CceService is already a member of the local Administrators group.
User: CceService is already a member of the Hyper-V Administrators group..
Initialize CceService account finished.
Restarting CceManagementService...
WARNING: Waiting for service 'CCE Management Service (CceManagementService)' to stop...
WARNING: Waiting for service 'CCE Management Service (CceManagementService)' to stop...
WARNING: Waiting for service 'CCE Management Service (CceManagementService)' to stop...
WARNING: Waiting for service 'CCE Management Service (CceManagementService)' to stop...
CceManagementService has restarted.
Task:RegisterInstance ends at 2020-02-20T09:28:16.5222663+00:00

It’s likely the above will cause the CCE Management Service to restart, and therefore exit maintenance mode.

Enter maintenance mode again:

Enter-CcUpdate
The EnterUpdate log is in C:\UX\CCE\CcAppliance\Log\WIN_12C4GANR3J9_EnterUpdate+00_00_2020_02_20_09_28_37.log.
Task:EnterUpdate starts at 2020-02-20T09:28:37.9140454+00:00
The current scripts version is 2.1.0.
The version of current running instance is 2.1.0.
Trying to enter manual maintenance mode.
Successfully enter manual maintenance mode.
Started Draining RTCSRV service on Edge server and RTCMEDSRV service on Mediation server...
Drainning services finished. 0 second(s) passed.
Drainning services finished. 0 second(s) passed.
Drainning services finished. 0 second(s) passed.
Finished draining RTCSRV service on Edge server.
Drainning services finished. 0 second(s) passed.
Finished draining RTCMEDSRV service on Mediation server.
The preparation for installing updates finished.
Task:EnterUpdate ends at 2020-02-20T09:29:05.8047206+00:00

Replace the current Edge Server External Certificate with the new one:

Set-CcExternalCertificateFilePath -Target EdgeServer -Path C:\temp\NewExternalEdgeCert.pfx -Import
The SetExternalCertificateFilePath log is in C:\UX\CCE\CcAppliance\Log\WIN_12C4GANR3J9_SetExternalCertificateFilePath+00_00_2020_02_20_09_29_19.log.
Task:SetExternalCertificateFilePath starts at 2020-02-20T09:29:19.8207350+00:00
The current scripts version is 2.1.0.
The version of current running instance is 2.1.0.
Update ExternalCertificateFilePath with value C:\Temp\NewExternalEdgeCert.pfx in configuration.
Enabling credential delegation for NTLM on host machine.
Creating key on host machine: hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly
Certificate "CCE_2020" added to store.

CertUtil: -importPFX command completed successfully.
The following certificate was assigned for the type "AccessEdgeExternal":
AccessEdgeExternal: [removed] SFBEXTEDGE01.x500.co.uk 03/10/2021 CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US [removed]
The following certificate was assigned for the type "DataEdgeExternal":
DataEdgeExternal: [removed] SFBEXTEDGE01.x500.co.uk 03/10/2021 CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US [removed]
The following certificate was assigned for the type "AudioVideoAuthentication":
AudioVideoAuthentication: [removed] SFBEXTEDGE01.x500.co.uk 03/10/2021 CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US [removed]
Disabling credential delegation for NTLM on host machine.
Removing key on host machine: hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly.
Task:SetExternalCertificateFilePath ends at 2020-02-20T09:30:01.2900088+00:00

Exit maintenance mode:

Exit-CCUpdate
The ExitUpdate log is in C:\UX\CCE\CcAppliance\Log\WIN_12C4GANR3J9_ExitUpdate+00_00_2020_02_20_09_30_20.log.
Task:ExitUpdate starts at 2020-02-20T09:30:20.2605115+00:00
The current scripts version is 2.1.0.
The version of current running instance is 2.1.0.
Start services on server 192.168.0.166 with user sfb-ccedomain.local\Administrator
Service DNS is in auto start mode.
Service DNS is Running, skip starting it.
Service ADWS is in auto start mode.
Service ADWS is Running, skip starting it.
Start services on server 192.168.0.167 with user Administrator
Service MSSQL$RTC is in auto start mode.
Service MSSQL$RTC is Running, skip starting it.
Service MSSQL$RTCLOCAL is in auto start mode.
Service MSSQL$RTCLOCAL is Running, skip starting it.
Service MASTER is in auto start mode.
Service MASTER is Running, skip starting it.
Service REPLICA is in auto start mode.
Service REPLICA is Running, skip starting it.
Service FTA is in auto start mode.
Service FTA is Running, skip starting it.
Start services on server 192.168.0.169 with user Administrator
Service MSSQL$RTCLOCAL is in auto start mode.
Service MSSQL$RTCLOCAL is Running, skip starting it.
Service REPLICA is in auto start mode.
Service REPLICA is Running, skip starting it.
Set service RTCSRV startup type back to Automatic.
Begin to start service RTCSRV
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
Finish to start service RTCSRV
Service RTCMRAUTH is in auto start mode.
Service RTCMRAUTH is Running, skip starting it.
Service RTCMEDIARELAY is in auto start mode.
Service RTCMEDIARELAY is Running, skip starting it.
Start services on server 192.168.0.168 with user Administrator
Service MSSQL$RTCLOCAL is in auto start mode.
Service MSSQL$RTCLOCAL is Running, skip starting it.
Service REPLICA is in auto start mode.
Service REPLICA is Running, skip starting it.
Set service RTCMEDSRV startup type back to Automatic.
Begin to start service RTCMEDSRV
WARNING: Waiting for service 'Skype for Business Server Mediation (RTCMEDSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Mediation (RTCMEDSRV)' to start...
Finish to start service RTCMEDSRV
The post process finished.
Trying to exit current manual maintenance mode.
Successfully exit manual maintenance mode.
Task:ExitUpdate ends at 2020-02-20T09:31:05.5106079+00:00
