Anyone else have a broken Banner LMB?

Our connection between Canvas and Banner stopped working on Monday, February 6th around 1 pm.

I spoke with our CSM and a few other Banner school Canvas admins and they mentioned that when Instructure recently updated their certificates, it broke the LMB.

I learned from @tyler_clair that we need to "install the new certificate into the $JAVA_HOME/jre/lib/security/cacerts store and then reboot" but we're getting an error.

Do any of you Banner school Canvas admins know which certificate we need or where we can get it?

I hope this helps other admins working on this issue as well.


Looks like we were changing the cacerts file for the wrong version of Java.

We are up and running again.


This is the process Dixie State University came up with to correct the LMB cert issue with our Banner system.

Instructure (Canvas) new cert

Get the new cert from Instructure

The LMB runs on an old RHEL 4 server. Since the certsca file is so old, you will want to download the cert on another box.

openssl s_client -showcerts -connect >canvas.txt

Take that file and convert the certs in it to separate files.

i.e. canvas1.txt

Copy the canvas#.txt files to the LMB server.

Load the new certs into LMB java keystore.

If you don’t know where the java keystore is located you can run the following command to find where it may be.

 find / \( -name proc -prune \) -o -name "cacerts" -print

Ours is located at:


Load the file. Run this command from the above directory.

../../bin/keytool -keystore ./cacerts -import -alias canvas#2017 -file canvas#.txt

The alias just needs to be unique so I named it canvas file number and year.


Default password is "changeit" without the " marks.

Restart the Message broker.

The LMB should be able to send messages now.



Jared, thank you for posting this and thank James for writing it up.

I'm getting an error but I'm probably missing something. Here's the error:

ERROR: certificate common name `*' doesn't match requested host name `'.

To connect to insecurely, use `--no-check-certificate'.

Unable to establish SSL connection.

It's probably that certificate common name.

Check your cacerts file to make sure both certs are loaded.

keytool -list -keystore cacerts | grep -A1 canvas 

canvas12017, Feb 6, 2017, trustedCertEntry,
Certificate fingerprint (MD5): F4:E8:FB:CA:71:12:53:71:70:42:4A:F0:40:DA:81:62
canvas22017, Feb 6, 2017, trustedCertEntry,
Certificate fingerprint (MD5): 34:5E:FF:15:B7:A4:9A:DD:45:1B:65:A7:F4:BD:C6:AE

You should have the same fingerprints for the new cert.
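
The "convert the certs in it to separate files" step and the fingerprint check above, as an added example that is not part of the original posts: it splits saved `openssl s_client -showcerts` output into canvas1.txt, canvas2.txt, and so on, and prints each file's MD5 fingerprint for comparison with `keytool -list` before or after the import. The function names, the script name split_certs.sh and the sample chain are assumptions made for illustration; cert_md5 needs an openssl binary on the box where it runs.

```shell
#!/bin/sh
# Added example (not from the thread). Splits saved `openssl s_client -showcerts`
# output into <prefix>1.txt, <prefix>2.txt, ... and prints how many were written.
split_showcerts() {
    src=$1
    prefix=$2
    awk -v prefix="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".txt"; inside = 1 }
        inside { sub(/\r$/, ""); print > out }   # keep only the PEM block
        /-----END CERTIFICATE-----/ { if (inside) { close(out); inside = 0 } }
        END { print n + 0 }
    ' "$src"
}

# MD5 fingerprint of one split file, in the colon-separated form keytool -list prints.
cert_md5() {
    openssl x509 -in "$1" -noout -fingerprint -md5 | sed 's/^.*=//'
}

# Constructed stand-in for s_client output; the bodies are NOT real certificates.
write_sample() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=leaf.example
   i:/CN=Example Intermediate
-----BEGIN CERTIFICATE-----
AAAAleafPLACEHOLDERAAAA
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate
   i:/CN=Example Root
-----BEGIN CERTIFICATE-----
AAAAintermediatePLACEHOLDERAAAA
-----END CERTIFICATE-----
---
EOF
}

# Run only when given an input file: sh split_certs.sh canvas.txt [prefix]
if [ "$#" -ge 1 ]; then
    prefix=${2:-canvas}
    count=$(split_showcerts "$1" "$prefix")
    i=1
    while [ "$i" -le "$count" ]; do
        echo "$prefix$i.txt $(cert_md5 "$prefix$i.txt")"
        i=$((i + 1))
    done
fi
```

Lines outside the BEGIN/END markers (subject and issuer text, handshake details) are dropped, so each output file holds exactly one PEM block that keytool can import.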

