mmitchell
Community Member

Anyone else have a broken Banner LMB?


Our connection between Canvas and Banner stopped working on Monday, February 6th around 1 pm.

I spoke with our CSM and a few other Banner school Canvas admins and they mentioned that when Instructure recently updated their certificates, it broke the LMB.

I learned from @tyler_clair that we need to "install the new certificate into the $JAVA_HOME/jre/lib/security/cacerts store and then reboot" but we're getting an error.

Do any of you Banner school Canvas admins know which certificate we need or where we can get it?

I hope this helps other admins working on this issue as well.

Thanks!


Accepted Solutions
mmitchell
Community Member

Looks like we were changing the cacerts file for the wrong version of Java.

We are up and running again.

Woot!


4 Replies
johnson
Community Member

This is the process Dixie State University came up with to correct the LMB cert issue with our Banner system.

Instructure (Canvas) new cert

Get the new cert from Instructure

The LMB runs on an old RHEL 4 server. Since the certsca file is so old, you will want to download the cert on another box.

openssl s_client -showcerts -connect canvas.instructure.com:443 </dev/null >canvas.txt

Take that file and convert the certs in it to separate files.

i.e. canvas1.txt

-----BEGIN CERTIFICATE-----
MIIFTTCCBDWgAwIBAgIQCRVkoamnOFWm0jQsJoDU9zANBgkqhkiG9w0BAQsFADBN
...
MH9d4LwduJHn/lOoz1MMkX4=
-----END CERTIFICATE-----

canvas2.txt

-----BEGIN CERTIFICATE-----
MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
...
j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
-----END CERTIFICATE-----


Copy the canvas#.txt files to the LMB server.

Load the new certs into LMB java keystore.

If you don’t know where the java keystore is located you can run the following command to find where it may be.

 find / \( -name proc -prune \) -o -name "cacerts" -print

Ours is located at:

/usr/jdk/instances/jdk1.5.0_10/jre/lib/security/

Load the file. Run this command from the above directory.

../../bin/keytool -keystore ./cacerts -import -alias canvas#2017 -file canvas#.txt

The alias just needs to be unique so I named it canvas file number and year.

 

Default password is "changeit" without the " marks.

Restart the Message broker.

The LMB should be able to send messages now.

Have a nice day.

mmitchell
Community Member

Jared, thank you for posting this and thank James for writing it up.

I'm getting an error but I'm probably missing something. Here's the error:

ERROR: certificate common name `*.canvaslms.com' doesn't match requested host name `canvas.instructure.com'.

To connect to canvas.instructure.com insecurely, use `--no-check-certificate'.

Unable to establish SSL connection.

It's probably that certificate common name.

Check your cacerts file to make sure both certs are loaded.

keytool -list -keystore cacerts | grep -A1 canvas 

canvas12017, Feb 6, 2017, trustedCertEntry,
Certificate fingerprint (MD5): F4:E8:FB:CA:71:12:53:71:70:42:4A:F0:40:DA:81:62
--
canvas22017, Feb 6, 2017, trustedCertEntry,
Certificate fingerprint (MD5): 34:5E:FF:15:B7:A4:9A:DD:45:1B:65:A7:F4:BD:C6:AE
 

You should have the same fingerprints for the new cert.
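
The split and fingerprint-check steps from the posts above, as an added shell example that is not part of the original thread: `split_certs` writes one file per certificate from saved `s_client -showcerts` output, and `cert_info` prints each file's subject and MD5 fingerprint so it can be compared with `keytool -list` and with a fingerprint obtained over a separate trusted channel before the file is imported as a trust anchor. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: split saved `openssl s_client -showcerts`
# output into PREFIX1.txt, PREFIX2.txt, ... and fingerprint each file.

# split_certs INPUT PREFIX: write one PEM file per certificate, print the count.
split_certs() {
    awk -v prefix="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".txt"; incert = 1 }
        incert                         { print > out }
        /^-----END CERTIFICATE-----/   { incert = 0; close(out) }
        END                            { print n + 0 }
    ' "$1"
}

# cert_info FILE...: subject and MD5 fingerprint of each file (MD5 is what the
# keytool in the thread prints). Fails if a file is not a parseable certificate.
cert_info() {
    for f in "$@"; do
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -fingerprint -md5 || return 1
    done
}

# Constructed sample: the shape of s_client output with placeholder bodies
# (not real certificates, so cert_info would reject these files).
make_sample() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=leaf.example
-----BEGIN CERTIFICATE-----
PLACEHOLDER_LEAF_BODY
-----END CERTIFICATE-----
 1 s:/CN=intermediate.example
-----BEGIN CERTIFICATE-----
PLACEHOLDER_INTERMEDIATE_BODY
-----END CERTIFICATE-----
---
EOF
}

# demo: split the constructed sample in a scratch directory, print the count.
demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir/canvas.txt"
    split_certs "$dir/canvas.txt" "$dir/canvas"
    rm -rf "$dir"
}
echo "certificates in constructed sample: $(demo)"
```

On real output, run `split_certs canvas.txt canvas` and then `cert_info canvas*.txt` before the `keytool -import` step.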
