Cloud Connector Edition (CCE) is going to be around for a while yet, until it dies along with Skype for Business Online (current date 31st July 2021).
Recently I’ve had to renew quite a few CCE Edge certificates, and there’s likely to be more, so I’ve written this for my reference. Hopefully it’s of use to you too.
New certificate – you need to:
- generate a CSR
- order the certificate
- import the certificate when issued
- export as a .pfx file, including the chain, and make a note of the password
Life will be made easier if you know the Edge Server External Certificate Password. If you do, set it as the password when exporting the certificate.
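To confirm the export before taking the appliance into maintenance mode, the following pre-flight check (an added example, not part of the original post or of the CCE tooling) opens the .pfx with the password you intend to use and checks for a private key, the chain, the expiry date and the sip SAN mentioned in the comments. The path is the one used in this post; `sip.example.com` is a placeholder assumption.

```powershell
# Added example (not from the original post): pre-flight check of the exported .pfx.
# $PfxPath matches the path used in this post; $SipSan is a placeholder assumption.
$PfxPath = 'C:\temp\NewExternalEdgeCert.pfx'
$SipSan  = 'sip.example.com'

$secure = Read-Host -AsSecureString -Prompt 'Edge Server External Certificate Password'
# X509Certificate2Collection.Import only accepts a plain string password.
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password

$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
try {
    $pfx.Import($PfxPath, $plain, 'DefaultKeySet')
} catch {
    # A wrong password fails here instead of after the services have been drained.
    Write-Error "Cannot open $PfxPath with this password: $($_.Exception.Message)"
    return
} finally {
    $plain = $null
}

$leaf = $pfx | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
$problems = @()

if (-not $leaf) {
    $problems += 'No certificate with a private key in the file.'
} else {
    if ($leaf.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($leaf.NotAfter)." }

    # "Including the chain": the leaf's issuer should be present in the same file.
    if (-not ($pfx | Where-Object { $_.Subject -eq $leaf.Issuer })) {
        $problems += "Issuer '$($leaf.Issuer)' is not in the file; re-export with the chain."
    }

    # Subject Alternative Name extension (OID 2.5.29.17); Format() text is locale dependent.
    $sanExt  = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    if ($sanText -notmatch [regex]::Escape($SipSan)) {
        $problems += "SAN '$SipSan' not found (SAN: $sanText)."
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    "OK: $($leaf.Subject), expires $($leaf.NotAfter), $($pfx.Count) certificate(s) in file."
}
```

If the password check fails here, the password in the export and the one you typed differ; either re-export with the correct password or follow the ‘I don’t know the password’ process.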
I typically work with CCE deployments based on Sonus/Ribbon CloudLink; during the initial deployment, this is where you set the password:
Process for ‘I know the password’…
This is the process to replace the certificate if you know the Edge Server External Certificate Password. If you don’t, jump to ‘I don’t know the password’.
Enter maintenance mode:
Enter-CcUpdate
The EnterUpdate log is in C:\UX\CCE\CcAppliance\Log\WIN_SR504MLTG9U_EnterUpdate+00_00_2020_02_20_13_23_31.log.
Task:EnterUpdate starts at 2020-02-20T13:23:32.0220259+00:00
The current scripts version is 2.1.0.
The version of current running instance is 2.1.0.
Trying to enter manual maintenance mode.
Successfully enter manual maintenance mode.
Started Draining RTCSRV service on Edge server and RTCMEDSRV service on Mediation server...
Drainning services finished. 0 second(s) passed.
Drainning services timeout. Forceing services to stop.
Drainning services timeout. Services were stopped successfully.
Drainning services finished. 0 second(s) passed.
Finished draining RTCSRV service on Edge server.
Drainning services finished. 0 second(s) passed.
Finished draining RTCMEDSRV service on Mediation server.
The preparation for installing updates finished.
Task:EnterUpdate ends at 2020-02-20T13:24:21.7258808+00:00
Replace the current Edge Server External Certificate with the new one:
Set-CcExternalCertificateFilePath -Target EdgeServer -Path C:\temp\NewExternalEdgeCert.pfx -Import
The SetExternalCertificateFilePath log is in C:\UX\CCE\CcAppliance\Log\WIN_SR504MLTG9U_SetExternalCertificateFilePath+00_00_2020_02_20_13_24_50.log.
Task:SetExternalCertificateFilePath starts at 2020-02-20T13:24:50.6811135+00:00
The current scripts version is 2.1.0.
The version of current running instance is 2.1.0.
Update ExternalCertificateFilePath with value C:\temp\NewExternalEdgeCert.pfx in configuration.
Enabling credential delegation for NTLM on host machine.
Creating key on host machine: hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly
Certificate "CCE_2020" added to store.
CertUtil: -importPFX command completed successfully.
The following certificate was assigned for the type "AccessEdgeExternal":
AccessEdgeExternal: [removed] SFBEXTEDGE01.x500.co.uk 03/10/2021 CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US [removed]
The following certificate was assigned for the type "DataEdgeExternal":
DataEdgeExternal: [removed] SFBEXTEDGE01.x500.co.uk 03/10/2021 CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US [removed]
The following certificate was assigned for the type "AudioVideoAuthentication":
AudioVideoAuthentication: [removed] SFBEXTEDGE01.x500.co.uk 03/10/2021 CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US [removed]
Disabling credential delegation for NTLM on host machine.
Removing key on host machine: hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly.
Task:SetExternalCertificateFilePath ends at 2020-02-20T13:25:28.3374535+00:00
Exit maintenance mode:
Exit-CCUpdate
The ExitUpdate log is in C:\UX\CCE\CcAppliance\Log\WIN_SR504MLTG9U_ExitUpdate+00_00_2020_02_20_13_25_37.log.
Task:ExitUpdate starts at 2020-02-20T13:25:37.4471702+00:00
The current scripts version is 2.1.0.
The version of current running instance is 2.1.0.
Start services on server 192.168.0.155 with user sfb-ccedomain.local\Administrator
Service DNS is in auto start mode.
Service DNS is Running, skip starting it.
Service ADWS is in auto start mode.
Service ADWS is Running, skip starting it.
Start services on server 192.168.0.156 with user Administrator
Service MSSQL$RTC is in auto start mode.
Service MSSQL$RTC is Running, skip starting it.
Service MSSQL$RTCLOCAL is in auto start mode.
Service MSSQL$RTCLOCAL is Running, skip starting it.
Service MASTER is in auto start mode.
Service MASTER is Running, skip starting it.
Service REPLICA is in auto start mode.
Service REPLICA is Running, skip starting it.
Service FTA is in auto start mode.
Service FTA is Running, skip starting it.
Start services on server 192.168.0.158 with user Administrator
Service MSSQL$RTCLOCAL is in auto start mode.
Service MSSQL$RTCLOCAL is Running, skip starting it.
Service REPLICA is in auto start mode.
Service REPLICA is Running, skip starting it.
Set service RTCSRV startup type back to Automatic.
Begin to start service RTCSRV
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
Finish to start service RTCSRV
Service RTCMRAUTH is in auto start mode.
Service RTCMRAUTH is Running, skip starting it.
Service RTCMEDIARELAY is in auto start mode.
Service RTCMEDIARELAY is Running, skip starting it.
Start services on server 192.168.0.157 with user Administrator
Service MSSQL$RTCLOCAL is in auto start mode.
Service MSSQL$RTCLOCAL is Running, skip starting it.
Service REPLICA is in auto start mode.
Service REPLICA is Running, skip starting it.
Set service RTCMEDSRV startup type back to Automatic.
Begin to start service RTCMEDSRV
WARNING: Waiting for service 'Skype for Business Server Mediation (RTCMEDSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Mediation (RTCMEDSRV)' to start...
Finish to start service RTCMEDSRV
The post process finished.
Trying to exit current manual maintenance mode.
Successfully exit manual maintenance mode.
Task:ExitUpdate ends at 2020-02-20T13:26:14.8379015+00:00
If the above is successful, you’re done.
Process for ‘I don’t know the password’…
If you’re here, you’ve likely encountered the following error:
Set-CcExternalCertificateFilePath -Target EdgeServer -Path C:\Temp\NewExternalEdgeCert.pfx -Import
The SetExternalCertificateFilePath log is in C:\UX\CCE\CcAppliance\Log\WIN_12C4GANR3J9_SetExternalCertificateFilePath+00_00_2020_02_20_09_24_12.log.
Task:SetExternalCertificateFilePath starts at 2020-02-20T09:24:12.2876614+00:00
The current scripts version is 2.1.0.
The version of current running instance is 2.1.0.
Update ExternalCertificateFilePath with value C:\TempNewExternalEdgeCert.pfx in configuration.
SetCcExternalCertificateFilePathInternal : Password for C:\TempNewExternalEdgeCert.pfx is not correct. Run 'Register-CcAppliance -Local' to input the right password then run this cmdlet to import the certificate again.
Enter maintenance mode:
Enter-CcUpdate
The EnterUpdate log is in C:\UX\CCE\CcAppliance\Log\WIN_12C4GANR3J9_EnterUpdate+00_00_2020_02_20_09_20_03.log.
Task:EnterUpdate starts at 2020-02-20T09:20:03.8417672+00:00
The current scripts version is 2.1.0.
The version of current running instance is 2.1.0.
Trying to enter manual maintenance mode.
Successfully enter manual maintenance mode.
Started Draining RTCSRV service on Edge server and RTCMEDSRV service on Mediation server...
Drainning services finished. 0 second(s) passed.
Drainning services timeout. Forceing services to stop.
Drainning services timeout. Services were stopped successfully.
Drainning services finished. 0 second(s) passed.
Finished draining RTCSRV service on Edge server.
Drainning services finished. 0 second(s) passed.
Finished draining RTCMEDSRV service on Mediation server.
The preparation for installing updates finished.
Task:EnterUpdate ends at 2020-02-20T09:21:22.0471984+00:00
Change the Edge Server External Certificate Password:
Make sure the new password matches your certificate export!
Register-CcAppliance -Local
The RegisterInstance log is in C:\UX\CCE\CcAppliance\Log\WIN_12C4GANR3J9_RegisterInstance+00_00_2020_02_20_09_24_36.log.
Task:RegisterInstance starts at 2020-02-20T09:24:36.4308088+00:00
The current scripts version is 2.1.0.
The version of current running instance is 2.1.0.
Validate configuration file C:\UX\CCE\CcAppliance\CloudConnector.ini successfully.
Enter ExternalCert's password: *****
Confirm ExternalCert's password: *****
Started Initializing the account for CceService...
User: CceService exists.
User: CceService is already a member of the local Administrators group.
User: CceService is already a member of the Hyper-V Administrators group..
Initialize CceService account finished.
Restarting CceManagementService...
WARNING: Waiting for service 'CCE Management Service (CceManagementService)' to stop...
WARNING: Waiting for service 'CCE Management Service (CceManagementService)' to stop...
WARNING: Waiting for service 'CCE Management Service (CceManagementService)' to stop...
WARNING: Waiting for service 'CCE Management Service (CceManagementService)' to stop...
CceManagementService has restarted.
Task:RegisterInstance ends at 2020-02-20T09:28:16.5222663+00:00
It’s likely the above will cause the CCE Management Service to restart, and therefore exit maintenance mode.
Enter maintenance mode again:
Enter-CcUpdate
The EnterUpdate log is in C:\UX\CCE\CcAppliance\Log\WIN_12C4GANR3J9_EnterUpdate+00_00_2020_02_20_09_28_37.log.
Task:EnterUpdate starts at 2020-02-20T09:28:37.9140454+00:00
The current scripts version is 2.1.0.
The version of current running instance is 2.1.0.
Trying to enter manual maintenance mode.
Successfully enter manual maintenance mode.
Started Draining RTCSRV service on Edge server and RTCMEDSRV service on Mediation server...
Drainning services finished. 0 second(s) passed.
Drainning services finished. 0 second(s) passed.
Drainning services finished. 0 second(s) passed.
Finished draining RTCSRV service on Edge server.
Drainning services finished. 0 second(s) passed.
Finished draining RTCMEDSRV service on Mediation server.
The preparation for installing updates finished.
Task:EnterUpdate ends at 2020-02-20T09:29:05.8047206+00:00
Replace the current Edge Server External Certificate with the new one:
Set-CcExternalCertificateFilePath -Target EdgeServer -Path C:\temp\NewExternalEdgeCert.pfx -Import
The SetExternalCertificateFilePath log is in C:\UX\CCE\CcAppliance\Log\WIN_12C4GANR3J9_SetExternalCertificateFilePath+00_00_2020_02_20_09_29_19.log.
Task:SetExternalCertificateFilePath starts at 2020-02-20T09:29:19.8207350+00:00
The current scripts version is 2.1.0.
The version of current running instance is 2.1.0.
Update ExternalCertificateFilePath with value C:\Temp\NewExternalEdgeCert.pfx in configuration.
Enabling credential delegation for NTLM on host machine.
Creating key on host machine: hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly
Certificate "CCE_2020" added to store.
CertUtil: -importPFX command completed successfully.
The following certificate was assigned for the type "AccessEdgeExternal":
AccessEdgeExternal: [removed] SFBEXTEDGE01.x500.co.uk 03/10/2021 CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US [removed]
The following certificate was assigned for the type "DataEdgeExternal":
DataEdgeExternal: [removed] SFBEXTEDGE01.x500.co.uk 03/10/2021 CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US [removed]
The following certificate was assigned for the type "AudioVideoAuthentication":
AudioVideoAuthentication: [removed] SFBEXTEDGE01.x500.co.uk 03/10/2021 CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US [removed]
Disabling credential delegation for NTLM on host machine.
Removing key on host machine: hklm:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly.
Task:SetExternalCertificateFilePath ends at 2020-02-20T09:30:01.2900088+00:00
Exit maintenance mode:
Exit-CCUpdate
The ExitUpdate log is in C:\UX\CCE\CcAppliance\Log\WIN_12C4GANR3J9_ExitUpdate+00_00_2020_02_20_09_30_20.log.
Task:ExitUpdate starts at 2020-02-20T09:30:20.2605115+00:00
The current scripts version is 2.1.0.
The version of current running instance is 2.1.0.
Start services on server 192.168.0.166 with user sfb-ccedomain.local\Administrator
Service DNS is in auto start mode.
Service DNS is Running, skip starting it.
Service ADWS is in auto start mode.
Service ADWS is Running, skip starting it.
Start services on server 192.168.0.167 with user Administrator
Service MSSQL$RTC is in auto start mode.
Service MSSQL$RTC is Running, skip starting it.
Service MSSQL$RTCLOCAL is in auto start mode.
Service MSSQL$RTCLOCAL is Running, skip starting it.
Service MASTER is in auto start mode.
Service MASTER is Running, skip starting it.
Service REPLICA is in auto start mode.
Service REPLICA is Running, skip starting it.
Service FTA is in auto start mode.
Service FTA is Running, skip starting it.
Start services on server 192.168.0.169 with user Administrator
Service MSSQL$RTCLOCAL is in auto start mode.
Service MSSQL$RTCLOCAL is Running, skip starting it.
Service REPLICA is in auto start mode.
Service REPLICA is Running, skip starting it.
Set service RTCSRV startup type back to Automatic.
Begin to start service RTCSRV
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Access Edge (RTCSRV)' to start...
Finish to start service RTCSRV
Service RTCMRAUTH is in auto start mode.
Service RTCMRAUTH is Running, skip starting it.
Service RTCMEDIARELAY is in auto start mode.
Service RTCMEDIARELAY is Running, skip starting it.
Start services on server 192.168.0.168 with user Administrator
Service MSSQL$RTCLOCAL is in auto start mode.
Service MSSQL$RTCLOCAL is Running, skip starting it.
Service REPLICA is in auto start mode.
Service REPLICA is Running, skip starting it.
Set service RTCMEDSRV startup type back to Automatic.
Begin to start service RTCMEDSRV
WARNING: Waiting for service 'Skype for Business Server Mediation (RTCMEDSRV)' to start...
WARNING: Waiting for service 'Skype for Business Server Mediation (RTCMEDSRV)' to start...
Finish to start service RTCMEDSRV
The post process finished.
Trying to exit current manual maintenance mode.
Successfully exit manual maintenance mode.
Task:ExitUpdate ends at 2020-02-20T09:31:05.5106079+00:00
Hi Steve, How do we generate a CSR from a working CCE server?
Hi, personally I generate the CSR from my own machine, on Windows using the Certificates MMC, or you could use the DigiCert utility. Ensure the CN is the CCE Edge External Hostname, and the certificate includes an additional SAN name for sip.fqdn. When the CA issues the certificate, import it onto your machine, and then export in PKCS #12 format, and import into CCE.
Hi Steve,
How do we generate a CSR from working CCE server?