[cisco-voip] collab edge dns/SSL cert

Ed Leatherman ealeatherman at gmail.com
Mon Jun 1 10:32:12 EDT 2015


I tried a different CSR with alternate names collab-edge.domain.edu and
expe.telecom.domain.edu , without the generic domain.edu, still same error.
I'll see what godaddy support tells me.

On Mon, Jun 1, 2015 at 10:03 AM, Matthew Loraditch <
MLoraditch at heliontechnologies.com> wrote:

>  It could be depending on what exactly was ordered, but I know godaddy
> supports having the domain as a SAN. I have it on certs I’ve bought in the
> past month for expressway and it’s actually supposed to be there:
>
> http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5-1.pdf
>
>
>
> See page 8 and 9. You can prefix collab-edge to the domain if you like,
> but if you are doing XMPP federation you need it anyway.
>
> Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA
> Network Engineer
> Direct Voice: 443.541.1518
>
>  Facebook <https://www.facebook.com/heliontech?ref=hl> | Twitter
> <https://twitter.com/HelionTech> | LinkedIn
> <https://www.linkedin.com/company/helion-technologies?trk=top_nav_home> |
> G+ <https://plus.google.com/+Heliontechnologies/posts>
>
> *From:* Chris Ward (chrward) [mailto:chrward at cisco.com]
> *Sent:* Monday, June 1, 2015 9:52 AM
> *To:* Matthew Loraditch; Ed Leatherman; Cisco VOIP
> *Subject:* RE: [cisco-voip] collab edge dns/SSL cert
>
> I think the problem is requesting your root domain. Some issuers won’t
> issue root domain certs and the ones that do call them wildcard certs as
> they cover an entire domain (support for wildcard certs are somewhat
> limited).
>
> For example, if you were to go to https://cisco.com/ rather than
> https://www.cisco.com/ you would find that the first has an invalid SSL
> cert as cisco doesn’t have a root domain cert.
>
> For the very security savvy, it is considered to be inappropriate to use
> domain-level certs.
>
> Go with just the hostname of the Expressway and potentially an actual
> alternate hostname if you ever needed to provide an alternate DNS entry to
> reach the same Expressway. In either case, drop domain.edu. You don't
> need it and I suspect that's what GoDaddy is complaining about.
>
> +Chris
>
> TME - MediaSense and Unity Connection
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net
> <cisco-voip-bounces at puck.nether.net>] *On Behalf Of *Matthew Loraditch
> *Sent:* Monday, June 01, 2015 9:44 AM
> *To:* Ed Leatherman; Cisco VOIP
> *Subject:* Re: [cisco-voip] collab edge dns/SSL cert
>
> https://www.sslshopper.com/csr-decoder.html
>
> Try dumping the csr in there and see if you see something unexpected.
>
> Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA
> Network Engineer
> Direct Voice: 443.541.1518
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net
> <cisco-voip-bounces at puck.nether.net>] *On Behalf Of *Ed Leatherman
> *Sent:* Monday, June 1, 2015 9:41 AM
> *To:* Cisco VOIP
> *Subject:* [cisco-voip] collab edge dns/SSL cert
>
> Hello everyone!
>
> I'm getting an error kicked back from GoDaddy trying to sign my
> expressway-e cert, looking for a sanity check here.
>
> I'm setting up the external side as a cluster (of 1 currently), I'd like
> for my users to be able to sign in as username@domain.edu for MRA.
>
> dns:
>
> expressway-e is expe-cluster1-node1.domain.edu
>
> srv = _collab-edge._tls.domain.edu , sips._tcp.domain.edu both point to
> the expe-cluster1-node1
>
> exp-e cluster name is domain.edu
>
> on my CSR i have it set to generate a SAN for FQDN of expressway cluster
> plus FQDN of this peer, so:
>
> DNS:expe-cluster1-node1.domain.edu
>
> DNS:domain.edu
>
> GoDaddy kicks back an error saying "You can not add a SAN that is the same
> as the domain you are already using."
>
> Is my dns/SAN configuration incorrect or is this a deficiency with godaddy
> (standard UCC cert)? Or did I miss the boat completely (totally possible!)
>
> --
>
> Ed Leatherman
>



-- 
Ed Leatherman
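The thread suggests pasting the CSR into a web decoder to see what GoDaddy is actually being asked for. A CSR carries only the public key, the subject and the requested extensions (no private key), so that leaks nothing secret, but the same check can be done locally with OpenSSL, which also lets you build a request with an explicit SAN list and confirm exactly which names the CA will see. The script below is an added example, not part of the original thread and not Cisco's or GoDaddy's tooling; it assumes `openssl` is installed, uses the placeholder names from the thread (domain.edu, expe-cluster1-node1.domain.edu, collab-edge.domain.edu) rather than real hosts, and the `has_bare_domain_san` check is a hypothetical helper that only reports whether the bare registered domain appears as a SAN; whether it should be there is the point the quoted Cisco guide settles.

```shell
#!/bin/sh
# Added example: build an Expressway-E style CSR with OpenSSL and decode it
# locally instead of pasting it into a web decoder. All hostnames are the
# placeholders from the mailing-list thread, not real systems.
set -eu

WORK="${TMPDIR:-/tmp}/expe-csr.$$"
mkdir -p "$WORK"

# Write an OpenSSL request config with an explicit SAN list.
# $1 = output file, $2 = CN, remaining args = DNS SANs in order
write_req_config() {
    out="$1"; cn="$2"; shift 2
    {
        echo "[req]"
        echo "distinguished_name = dn"
        echo "req_extensions = ext"
        echo "prompt = no"
        echo "[dn]"
        echo "CN = $cn"
        echo "O = Example University"
        echo "[ext]"
        echo "subjectAltName = @alt"
        echo "[alt]"
        i=1
        for name in "$@"; do
            echo "DNS.$i = $name"
            i=$((i + 1))
        done
    } > "$out"
}

# Generate a throwaway RSA key and a CSR from the config.
# $1 = config file, $2 = key output path, $3 = CSR output path
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2" -out "$3" -config "$1" 2>/dev/null
}

# Print the DNS SANs requested in a CSR, one per line.
# $1 = CSR path
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed -n 's/^ *DNS://p'
}

# Return 0 if some SAN is exactly the bare registered domain (hypothetical
# helper: this is the name GoDaddy rejected in the thread).
# $1 = CSR path, $2 = bare domain such as domain.edu
has_bare_domain_san() {
    csr_sans "$1" | grep -qx "$2"
}

# Demo: the SAN set from the thread, cluster FQDN (which is the bare
# domain here) plus the peer FQDN.
write_req_config "$WORK/expe.cnf" expe-cluster1-node1.domain.edu \
    expe-cluster1-node1.domain.edu domain.edu
make_csr "$WORK/expe.cnf" "$WORK/expe.key" "$WORK/expe.csr"
echo "SANs in the request:"
csr_sans "$WORK/expe.csr"
if has_bare_domain_san "$WORK/expe.csr" domain.edu; then
    echo "request asks for the bare domain domain.edu as a SAN"
fi
rm -rf "$WORK"
```

`csr_sans` reads the SAN line from `openssl req -text` output, so it shows the request as the CA parses it; if a name you expected is missing or an extra one appears, the problem is in the CSR rather than at the issuer. The demo keeps the generated key in a temporary directory and deletes it; for a real Expressway request, generate the CSR on the appliance so the private key never leaves it.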
