Teams Direct Routing - TLS Cert Renewed, but MS still shows it expired

We have Direct Routing with an AudioCodes SBC. It's been working fine for 18 months. Recently, the TLS certificate on the SBC that is used for Teams calling expired. We renewed it on the SBC and its status shows as "OK" with an expiration date 1 year from now. However, on the Health Dashboard for Direct Routing on the office.com portal it's still showing the SBC as inactive because the certificate is expired. Microsoft support said it could be 24-48 hours before it "registers" the new certificate. I'm questioning the accuracy of this and wondering if anyone else has had an experience with an expired SBC certificate. I have verified that the config on the SBC is correct - nothing has changed since the certificate expired other than a new CSR being generated and a new cert installed (and yes, it's from one of Microsoft's acceptable providers). I've also verified the root certificates are installed, including the "Baltimore" cert. Any advice or assistance would be most appreciated.

7 Replies

@emilysam1

Under your SIP Interface for your Teams connection, have you verified which "TLS Context" is being used, and verified that is the TLS Context you deployed the new certificate to?

Do you restrict your SBC SIP signalling port to just Microsoft? If not, go to https://www.sslshopper.com/ssl-checker.html and put in the SBC IP address followed by :SIPPORT, so if your SIP signalling port is 5067, it'd look like a.b.c.d:5067 where a.b.c.d is the IP address or the name. Does the SSL Checker return what you're expecting it to be?

@jangliss @emilysam1 

I'm having the same issue.

SSL Checker (with port info) is directing to the right IP address of my SBC SIP interface towards Teams.

@mveerdonk

Did it return the correct certificate? It's more than just ensuring it goes to the right IP address.
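
The check suggested in the replies above (does the SIP signalling port serve the certificate you expect, not merely answer on the right IP address), as an added example that is not part of the original thread. The name sbc.example.com and SAMPLE_CERT are constructed; it assumes the port is reachable from where the script runs and that the SBC FQDN should appear in the certificate's SAN or CN.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed sample in the dict format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "sbc.example.com"),),),
    "subjectAltName": (("DNS", "sbc.example.com"), ("DNS", "*.voice.example.com")),
    "serialNumber": "0A1B2C3D",
    "notAfter": "Jun  1 12:00:00 2025 GMT",
}

def name_matches(pattern, host):
    """Exact match, or a wildcard that covers only the left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and all(
        a == b or (i == 0 and a == "*") for i, (a, b) in enumerate(zip(p, h)))

def summarize_cert(cert, expected_fqdn, now=None):
    """Report serial, expiry and name coverage for a getpeercert() dict."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {
        "serial": cert.get("serialNumber"),  # compare with the renewed cert
        "not_after": not_after.isoformat(),
        "days_left": (not_after - now).days,
        "expired": not_after <= now,
        "name_ok": any(name_matches(n, expected_fqdn) for n in (sans or cns)),
    }

def fetch_cert(host, port, timeout=5):
    """Return (cert_dict, None) or (None, reason) for the listener at host:port."""
    ctx = ssl.create_default_context()  # verifies chain, validity dates, hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except OSError as exc:  # ssl.SSLError and socket errors are both OSError
        return None, getattr(exc, "verify_message", str(exc))

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])  # e.g. sbc.example.com 5067
    cert, reason = fetch_cert(host, port)
    print(reason if cert is None else summarize_cert(cert, host))
```

Compare the reported serial and not_after with the certificate you installed; a mismatch means the listener is still serving a different certificate, which is what the "TLS Context" question in the first reply is getting at.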

@emilysam1 

Hello, how did you solve your issue?

We have the same issue after certificate renewal on the SBC side.

Did you completely reset the SIP trunk on both sides?

How can you manually revoke the certificate on the MS side?

Regards,

Julien

When you renew the SBC certificate, you must remove the TLS connections that were established from the SBC to Microsoft with the old certificate and re-establish them with the new certificate. Doing so will ensure that certificate expiration warnings aren't triggered in the Microsoft Teams admin center. To remove the old TLS connections, restart the SBC during a time frame that has low traffic, such as a maintenance window.

Is there a way to re-establish the TLS connection from the Teams side? I have the same problem here. Everything was working well for a couple of months. Now we had to renew the SSL certificate on the SBC and customer side. The SBC itself was restarted a couple of times now, but it seems a new TLS connection was never established.
The SBC still tells me that the certificate is invalid.