Our connection between Canvas and Banner stopped working on Monday, February 6th around 1 pm.
I spoke with our CSM and a few other Banner school Canvas admins and they mentioned that when Instructure recently updated their certificates, it broke the LMB.
I learned from @tyler_clair that we need to "install the new certificate into the $JAVA_HOME/jre/lib/security/cacerts store and then reboot" but we're getting an error.
Do any of you Banner school Canvas admins know which certificate we need or where we can get it?
I hope this helps other admins working on this issue as well.
Thanks!
Looks like we were changing the cacerts file for the wrong version of Java.
We are up and running again.
Woot!
This is the process Dixie State University came up with to correct the LMB cert issue with our Banner system.
Instructure (Canvas) new cert
Get the new cert from Instructure
The LMB runs on an old RHEL 4 server. Since the certsca file is so old, you will want to download the cert on another box.
openssl s_client -showcerts -connect canvas.instructure.com:443 >canvas.txt
Take that file and convert the certs in it to separate files.
i.e. canvas1.txt
-----BEGIN CERTIFICATE-----
MIIFTTCCBDWgAwIBAgIQCRVkoamnOFWm0jQsJoDU9zANBgkqhkiG9w0BAQsFADBN
...
MH9d4LwduJHn/lOoz1MMkX4=
-----END CERTIFICATE-----
canvas2.txt
-----BEGIN CERTIFICATE-----
MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
...
j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
-----END CERTIFICATE-----
Copy the canvas#.txt files to the LMB server.
Load the new certs into the LMB Java keystore.
If you don’t know where the Java keystore is located, you can run the following command to find where it may be.
find / \( -name proc -prune \) -o -name "cacerts" -print
Ours is located at:
/usr/jdk/instances/jdk1.5.0_10/jre/lib/security/
Load the file. Run this command from the above directory.
../../bin/keytool -keystore ./cacerts -import -alias canvas#2017 -file canvas#.txt
The alias just needs to be unique so I named it canvas file number and year.
Default password is "changeit" without the " marks.
Restart the Message broker.
The LMB should be able to send messages now.
Have a nice day.
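The split and verification steps of the procedure above can be scripted. This is an added example, not part of the original post: the function names split_showcerts and missing_aliases are hypothetical, and the demo input is constructed placeholder text, not real certificates.

```shell
#!/bin/sh
# Added example: helper names and sample data are constructed, not from the thread.

# Split saved `openssl s_client -showcerts` output into one PEM file per
# certificate (<prefix>1.txt, <prefix>2.txt, ...), dropping the handshake text
# around them. Prints the number of certificates written.
split_showcerts() {   # <s_client-output-file> <prefix>
    awk -v prefix="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".txt"; inblock = 1 }
        inblock                        { print > out }
        /^-----END CERTIFICATE-----/   { if (inblock) close(out); inblock = 0 }
        END                            { print n + 0 }
    ' "$1"
}

# Given saved `keytool -list -keystore cacerts` output, print every expected
# alias (canvas1<year> .. canvas<count><year>) that is not present as a
# trustedCertEntry. Returns 0 only when none are missing.
missing_aliases() {   # <keytool-list-output-file> <count> <year>
    i=1; rc=0
    while [ "$i" -le "$2" ]; do
        name="canvas${i}$3"
        grep -q "^${name},.*trustedCertEntry" "$1" || { echo "$name"; rc=1; }
        i=$((i + 1))
    done
    return "$rc"
}

# Constructed demo input: placeholder base64, not real certificates.
demo_dir=$(mktemp -d)
cat > "$demo_dir/canvas.txt" <<'EOF'
CONNECTED(00000003)
 0 s:/CN=placeholder-leaf
-----BEGIN CERTIFICATE-----
AAAAplaceholderleaf
-----END CERTIFICATE-----
 1 s:/CN=placeholder-intermediate
-----BEGIN CERTIFICATE-----
BBBBplaceholderintermediate
-----END CERTIFICATE-----
---
Server certificate
EOF
cat > "$demo_dir/list.txt" <<'EOF'
canvas12017, Feb 6, 2017, trustedCertEntry,
EOF
echo "certificates written: $(split_showcerts "$demo_dir/canvas.txt" "$demo_dir/canvas")"
echo "aliases missing from this keystore: $(missing_aliases "$demo_dir/list.txt" 2 2017)"
```

When the find command turns up more than one cacerts file, saving the keytool -list output for each and running missing_aliases against every listing shows which Java install did not receive the import.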
Jared, thank you for posting this and thank James for writing it up.
I'm getting an error but I'm probably missing something. Here's the error:
ERROR: certificate common name `*.canvaslms.com' doesn't match requested host name `canvas.instructure.com'.
To connect to canvas.instructure.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
It's probably that certificate common name.
Check your cacerts file to make sure both certs are loaded.
keytool -list -keystore cacerts | grep -A1 canvas
canvas12017, Feb 6, 2017, trustedCertEntry,
Certificate fingerprint (MD5): F4:E8:FB:CA:71:12:53:71:70:42:4A:F0:40:DA:81:62
--
canvas22017, Feb 6, 2017, trustedCertEntry,
Certificate fingerprint (MD5): 34:5E:FF:15:B7:A4:9A:DD:45:1B:65:A7:F4:BD:C6:AE
You should have the same fingerprints for the new cert.
