Teams Direct Routing - TLS Cert Renewed, but MS still shows it expired


We have Direct Routing with an AudioCodes SBC. It's been working fine for 18 months. Recently, the TLS certificate on the SBC that is used for Teams calling expired. We renewed it on the SBC and its status shows as "OK" with an expiration date 1 year from now. However, on the Health Dashboard for Direct Routing on the office.com portal it's still showing the SBC as inactive because the certificate is expired. Microsoft support said it could be 24-48 hours before it "registers" the new certificate. I'm questioning the accuracy of this and wondering if anyone else has had an experience with an expired SBC certificate. I have verified that the config on the SBC is correct - nothing has changed since the certificate expired other than a new CSR being generated and a new cert installed (and yes, it's from one of Microsoft's acceptable providers). I've also verified the root certificates are installed, including the "Baltimore" cert. Any advice or assistance would be most appreciated.

4 Replies

@emilysam1

Under your SIP Interface for your Teams connection, have you verified which "TLS Context" is being used, and verified that is the TLS Context you deployed the new certificate to?

Do you restrict your SBC SIP signalling port to just Microsoft? If not, go to https://www.sslshopper.com/ssl-checker.html and put in the SBC IP address followed by :SIPPORT, so if your SIP signalling port is 5067, it'd look like a.b.c.d:5067 where a.b.c.d is the IP address or the name. Does the SSL Checker return what you're expecting it to be?

@jangliss @emilysam1 

I'm having the same issue.

SSL Checker (with port info) is directing to the right IP address of my SBC SIP interface towards Teams.

@mveerdonk 

 

Did it return the correct certificate? It's more than just ensuring it goes to the right IP address.
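
The check the replies describe, confirming that the SIP TLS listener returns the renewed certificate and not merely that the right IP answers, as an added example that is not part of the original thread. The name `sbc.example.com`, the serial numbers and both certificate dictionaries are constructed, the functions are hypothetical helpers, and it assumes the SBC completes the handshake without demanding a client certificate.

```python
import socket
import ssl
import time

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
OLD_CERT = {"notBefore": "Dec 10 00:00:00 2019 GMT", "notAfter": "Dec 10 23:59:59 2020 GMT",
            "serialNumber": "0A1B2C", "subjectAltName": (("DNS", "sbc.example.com"),)}
NEW_CERT = {"notBefore": "Dec 15 00:00:00 2020 GMT", "notAfter": "Dec 15 23:59:59 2021 GMT",
            "serialNumber": "0D4E5F", "subjectAltName": (("DNS", "sbc.example.com"),)}

def fetch_served_cert(host, port, sni, timeout=5.0):
    """Handshake with the listener; return (cert_dict, verify_error)."""
    ctx = ssl.create_default_context()  # validates chain, dates and name
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        # "certificate has expired" here means the old cert is still served.
        return None, exc.verify_message

def name_matches(pattern, fqdn):
    """Match a SAN DNS entry, allowing one left-most wildcard label."""
    p, f = pattern.lower().split("."), fqdn.lower().split(".")
    if len(p) != len(f):
        return False
    return (p[0] == "*" or p[0] == f[0]) and p[1:] == f[1:]

def evaluate(cert, expected_fqdn, expected_serial=None, now=None):
    """List the problems with the certificate the listener presented."""
    now = time.time() if now is None else now
    problems = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        problems.append("expired")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("not yet valid")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(s, expected_fqdn) for s in sans):
        problems.append("SBC FQDN not in SAN")
    if expected_serial and cert.get("serialNumber", "").upper() != expected_serial.upper():
        problems.append("serial differs from renewed certificate")
    return problems

if __name__ == "__main__":
    when = ssl.cert_time_to_seconds("Dec 20 12:00:00 2020 GMT")  # constructed check time
    for label, cert in (("old", OLD_CERT), ("renewed", NEW_CERT)):
        print(label, evaluate(cert, "sbc.example.com", "0D4E5F", when))
```

Against a live SBC, pass the result of `fetch_served_cert("a.b.c.d", 5067, "<SBC FQDN>")` to `evaluate` with the serial number shown on the TLS Context that holds the renewed certificate.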