Panda Bot (beta)

mmitchell · ‎02-08-2017

Our connection between Canvas and Banner stopped working on Monday, February 6th around 1 pm.

I spoke with our CSM and a few other Banner school Canvas admins and they mentioned that when Instructure recently updated their certificates, it broke the LMB.

I learned from @tyler_clair ‌ that we need to "install the new certificate into the $JAVA_HOME/jre/lib/security/cacerts store and then reboot" but we're getting an error.

Do any of you Banner school Canvas admins know which certificate we need or where we can get it?

I hope this helps other admins working on this issue as well.

Thanks!

mmitchell · ‎02-09-2017

Looks like we were changing the cacerts file for the wrong version of Java.

We are up and running again.

Woot!

View solution in original post

johnson · ‎02-09-2017

This is the process Dixie State University came up with to correct the LMB cert issue with our Banner system.

Instructure (Canvas) new cert

Get the new cert from Instructure

The LMB runs on an old RHEL 4 server. Since certsca file is so old you will want to download the cert on another box.

openssl s_client -showcerts -connect canvas.instructure.com:443 >canvas.txt

Take that file and convert the certs in it to separate files.

i.e. canvas1.txt

-----BEGIN CERTIFICATE-----

MIIFTTCCBDWgAwIBAgIQCRVkoamnOFWm0jQsJoDU9zANBgkqhkiG9w0BAQsFADBN

...

MH9d4LwduJHn/lOoz1MMkX4=

-----END CERTIFICATE-----

canvas2.txt

-----BEGIN CERTIFICATE-----

MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh

...

j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz

-----END CERTIFICATE-----

Copy the canvas#.txt files to the LMB server.

Load the new certs into LMB java keystore.

If you don’t know where the java keystore is located you can run the following command to find where it may be.

find / $ -name proc -prune $ -o -name "cacerts" -print

Ours is located at:

/usr/jdk/instances/jdk1.5.0_10/jre/lib/security/

load the file. Run this command from the above directory.

../../bin/keytool -keystore ./cacerts -import -alias canvas#2017 -file canvas#.txt

The alias just needs to be unique so I named it canvas file number and year.

Default password is "changeit" without the " marks.

Restart the Message broker.

The LMB should be able to send messages now.

.

Have a nice day.

mmitchell · ‎02-09-2017

Jared, thank you for posting this and thank James for writing it up.

I'm getting an error but I'm probably missing something. Here's the error:

ERROR: certificate common name `*.canvaslms.com' doesn't match requested host name `canvas.instructure.com'.

To connect to canvas.instructure.com insecurely, use `--no-check-certificate'.

Unable to establish SSL connection.

It's probably that certificate common name.

miller_j · ‎02-09-2017

Check your cacerts file to make sure both certs are loaded.

keytool -list -keystore cacerts | grep -A1 canvas

canvas12017, Feb 6, 2017, trustedCertEntry,
Certificate fingerprint (MD5): F4:E8:FB:CA:71:12:53:71:70:42:4A:F0:40:DA:81:62
--
canvas22017, Feb 6, 2017, trustedCertEntry,
Certificate fingerprint (MD5): 34:5E:FF:15:B7:A4:9A:DD:45:1B:65:A7:F4:BD:C6:AE

you should have the same fingerprints for the new cert.

mmitchell · ‎02-09-2017

Looks like we were changing the cacerts file for the wrong version of Java.

We are up and running again.

Woot!

Anyone else have a broken Banner LMB?

ILP Integration

How long do you keep student user data in Canvas b...

How to setup Parent Observers with Guest accounts ...

Has anyone used EduSynch as an online proctoring s...

How do I obtain a student total activity?

ILP Integration

Profile Photo Submission Notifications

Report/Count Number of Observers & Last Login/Acti...

How long do you keep student user data in Canvas b...

Let's Talk about CyberSecurity

You're signed out

Anyone else have a broken Banner LMB?

Panda Bot (beta)

View our top guides and resources: