[cisco-voip] collab edge dns/SSL cert

Ed Leatherman ealeatherman at gmail.com
Mon Jun 1 13:48:32 EDT 2015


Matt had it right with his suggestion of dumping the CSR into the decoder,
although I wouldn't have recognized it as a problem.

When Expressway generates the CSR it is adding a SAN entry that is
identical to the CN. So it doesn't seem like having my root domain in there
was the problem to begin with. According to the GoDaddy support person that
was what was kicking the error - and apparently if you just click through
the error it will generate the cert anyway; I'm assuming it will just leave
out that offending SAN entry.

I'll circle around once we have the verifications done and have a chance to
upload it.

On Mon, Jun 1, 2015 at 10:32 AM, Ed Leatherman <ealeatherman at gmail.com>
wrote:

> I tried a different CSR with alternate names collab-edge.domain.edu and
> expe.telecom.domain.edu, without the generic domain.edu, still same
> error. I'll see what GoDaddy support tells me.
>
> On Mon, Jun 1, 2015 at 10:03 AM, Matthew Loraditch <
> MLoraditch at heliontechnologies.com> wrote:
>
>> It could be depending on what exactly was ordered, but I know GoDaddy
>> supports having the domain as a SAN. I have it on certs I’ve bought in the
>> past month for Expressway and it’s actually supposed to be there:
>>
>> http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5-1.pdf
>>
>> See pages 8 and 9. You can prefix collab-edge to the domain if you like,
>> but if you are doing XMPP federation you need it anyway.
>>
>> Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA
>> Network Engineer
>> Direct Voice: 443.541.1518
>>
>>  Facebook <https://www.facebook.com/heliontech?ref=hl> | Twitter
>> <https://twitter.com/HelionTech> | LinkedIn
>> <https://www.linkedin.com/company/helion-technologies?trk=top_nav_home>
>> | G+ <https://plus.google.com/+Heliontechnologies/posts>
>>
>> *From:* Chris Ward (chrward) [mailto:chrward at cisco.com]
>> *Sent:* Monday, June 1, 2015 9:52 AM
>> *To:* Matthew Loraditch; Ed Leatherman; Cisco VOIP
>> *Subject:* RE: [cisco-voip] collab edge dns/SSL cert
>>
>> I think the problem is requesting your root domain. Some issuers won’t
>> issue root domain certs and the ones that do call them wildcard certs as
>> they cover an entire domain (support for wildcard certs is somewhat
>> limited).
>>
>> For example, if you were to go to https://cisco.com/ rather than
>> https://www.cisco.com/ you would find that the first has an invalid SSL
>> cert as cisco doesn’t have a root domain cert.
>>
>> For the very security savvy, it is considered to be inappropriate to use
>> domain-level certs.
>>
>> Go with just the hostname of the Expressway and potentially an actual
>> alternate hostname if you ever needed to provide an alternate DNS entry to
>> reach the same Expressway. In either case, drop domain.edu. You don’t
>> need it and I suspect that’s what GoDaddy is complaining about.
>>
>> +Chris
>>
>> TME - MediaSense and Unity Connection
>>
>> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net
>> <cisco-voip-bounces at puck.nether.net>] *On Behalf Of *Matthew Loraditch
>> *Sent:* Monday, June 01, 2015 9:44 AM
>> *To:* Ed Leatherman; Cisco VOIP
>> *Subject:* Re: [cisco-voip] collab edge dns/SSL cert
>>
>> https://www.sslshopper.com/csr-decoder.html
>>
>> Try dumping the CSR in there and see if you see something unexpected.
>>
>> Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA
>> Network Engineer
>> Direct Voice: 443.541.1518
>>
>> Facebook <https://www.facebook.com/heliontech?ref=hl> | Twitter
>> <https://twitter.com/HelionTech> | LinkedIn
>> <https://www.linkedin.com/company/helion-technologies?trk=top_nav_home>
>> | G+ <https://plus.google.com/+Heliontechnologies/posts>
>>
>> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net
>> <cisco-voip-bounces at puck.nether.net>] *On Behalf Of *Ed Leatherman
>> *Sent:* Monday, June 1, 2015 9:41 AM
>> *To:* Cisco VOIP
>> *Subject:* [cisco-voip] collab edge dns/SSL cert
>>
>> Hello everyone!
>>
>> I'm getting an error kicked back from GoDaddy trying to sign my
>> Expressway-E cert, looking for a sanity check here.
>>
>> I'm setting up the external side as a cluster (of 1 currently); I'd like
>> for my users to be able to sign in as username at domain.edu for MRA.
>>
>> dns:
>>
>> expressway-e is expe-cluster1-node1.domain.edu
>>
>> srv = _collab-edge._tls.domain.edu , sips._tcp.domain.edu both point to
>> the expe-cluster1-node1
>>
>> exp-e cluster name is domain.edu
>>
>> on my CSR I have it set to generate a SAN for FQDN of expressway cluster
>> plus FQDN of this peer, so:
>>
>> DNS:expe-cluster1-node1.domain.edu
>> DNS:domain.edu
>>
>> GoDaddy kicks back an error saying "You can not add a SAN that is the
>> same as the domain you are already using."
>>
>> Is my dns/SAN configuration incorrect or is this a deficiency with
>> GoDaddy (standard UCC cert)? Or did I miss the boat completely (totally
>> possible!)
>>
>> --
>> Ed Leatherman
>>
>
> --
> Ed Leatherman
>

-- 
Ed Leatherman
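An offline equivalent of the CSR-decoder sanity check the thread recommends, added here as an example and not code from the thread, Cisco or GoDaddy: it parses the text dump that `openssl req -noout -text -in request.csr` prints and reports a SAN identical to the subject CN (the entry Expressway adds and GoDaddy rejected) and a SAN that is a parent domain of the CN (the domain.edu entry Chris suggested dropping and Matt says the Cisco guide expects), so the reviewer can decide before resubmitting. The embedded dump is constructed to mirror Ed's CSR and the function names are my own.

```python
import re

# Constructed sample of `openssl req -noout -text` output shaped like the CSR
# in the thread (CN plus two SAN entries). Not a real request.
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, O = Example University, CN = expe-cluster1-node1.domain.edu
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:expe-cluster1-node1.domain.edu, DNS:domain.edu
"""


def parse_csr_text(text):
    """Return (cn, [san dns names]) from openssl's human-readable CSR dump."""
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", text, re.M)
    cn = m.group(1).strip().lower() if m else None
    # openssl prints all SAN entries on one line after the extension header
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    sans = []
    if m:
        for item in m.group(1).split(","):
            item = item.strip()
            if item.startswith("DNS:"):
                sans.append(item[len("DNS:"):].strip().lower())
    return cn, sans


def check_sans(cn, sans):
    """Flag SAN entries worth a second look before sending the CSR to a CA:
    one equal to the CN, one that is a parent (root) domain of the CN, and
    exact duplicates. Returns a list of (finding, value) tuples."""
    findings = []
    seen = set()
    for san in sans:
        if san in seen:
            findings.append(("duplicate_san", san))
            continue
        seen.add(san)
        if san == cn:
            findings.append(("san_equals_cn", san))
        elif cn and cn.endswith("." + san):
            findings.append(("san_is_parent_domain_of_cn", san))
    return findings


def audit(text):
    """Parse an openssl CSR dump and return (cn, sans, findings)."""
    cn, sans = parse_csr_text(text)
    return cn, sans, check_sans(cn, sans)
```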