[cisco-voip] collab edge dns/SSL cert

Justin Steinberg jsteinberg at gmail.com
Mon Jun 1 16:24:05 EDT 2015


Click through the error.  Don't modify the CSR or take out SANs.   The FQDN
should be in the CN and SAN.  I don't know why GoDaddy complains about that,
but I just ignore it and things are fine.

Justin
On Jun 1, 2015 1:49 PM, "Ed Leatherman" <ealeatherman at gmail.com> wrote:

> Matt had it right with his suggestion of dumping the CSR into the decoder,
> although I wouldn't have recognized it as a problem.
>
> When Expressway generates the CSR it is adding a SAN entry that is
> identical to the CN. So it doesn't seem like having my root domain in there
> was the problem to begin with. According to the GoDaddy support person that
> was what was kicking the error - and apparently if you just click through
> the error it will generate the cert anyway; I'm assuming it will just leave
> out that offending SAN entry.
>
> I'll circle around once we have the verifications done and have a chance
> to upload it.
>
> On Mon, Jun 1, 2015 at 10:32 AM, Ed Leatherman <ealeatherman at gmail.com>
> wrote:
>
>> I tried a different CSR with alternate names collab-edge.domain.edu and
>> expe.telecom.domain.edu, without the generic domain.edu, still same
>> error. I'll see what GoDaddy support tells me.
>>
>> On Mon, Jun 1, 2015 at 10:03 AM, Matthew Loraditch <
>> MLoraditch at heliontechnologies.com> wrote:
>>
>>>  It could be depending on what exactly was ordered, but I know godaddy
>>> supports having the domain as a SAN. I have it on certs I’ve bought in the
>>> past month for expressway and it’s actually supposed to be there:
>>>
>>> http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5-1.pdf
>>>
>>> See page 8 and 9. You can prefix collab-edge to the domain if you like,
>>> but if you are doing XMPP federation you need it anyway.
>>>
>>> Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA
>>> Network Engineer
>>> Direct Voice: 443.541.1518
>>>
>>> *From:* Chris Ward (chrward) [mailto:chrward at cisco.com]
>>> *Sent:* Monday, June 1, 2015 9:52 AM
>>> *To:* Matthew Loraditch; Ed Leatherman; Cisco VOIP
>>> *Subject:* RE: [cisco-voip] collab edge dns/SSL cert
>>>
>>> I think the problem is requesting your root domain. Some issuers won't
>>> issue root domain certs, and the ones that do call them wildcard certs as
>>> they cover an entire domain (support for wildcard certs is somewhat
>>> limited).
>>>
>>> For example, if you were to go to https://cisco.com/ rather than
>>> https://www.cisco.com/ you would find that the first has an invalid SSL
>>> cert as cisco doesn’t have a root domain cert.
>>>
>>> For the very security savvy, it is considered to be inappropriate to use
>>> domain-level certs.
>>>
>>> Go with just the hostname of the Expressway and potentially an actual
>>> alternate hostname if you ever needed to provide an alternate DNS entry to
>>> reach the same Expressway. In either case, drop domain.edu. You don't
>>> need it, and I suspect that's what GoDaddy is complaining about.
>>>
>>> +Chris
>>>
>>> TME - MediaSense and Unity Connection
>>>
>>> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net
>>> <cisco-voip-bounces at puck.nether.net>] *On Behalf Of *Matthew Loraditch
>>> *Sent:* Monday, June 01, 2015 9:44 AM
>>> *To:* Ed Leatherman; Cisco VOIP
>>> *Subject:* Re: [cisco-voip] collab edge dns/SSL cert
>>>
>>> https://www.sslshopper.com/csr-decoder.html
>>>
>>> Try dumping the csr in there and see if you see something unexpected.
>>>
>>> Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA
>>> Network Engineer
>>> Direct Voice: 443.541.1518
>>>
>>> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net
>>> <cisco-voip-bounces at puck.nether.net>] *On Behalf Of *Ed Leatherman
>>> *Sent:* Monday, June 1, 2015 9:41 AM
>>> *To:* Cisco VOIP
>>> *Subject:* [cisco-voip] collab edge dns/SSL cert
>>>
>>> Hello everyone!
>>>
>>> I'm getting an error kicked back from GoDaddy trying to sign my
>>> expressway-e cert, looking for a sanity check here.
>>>
>>> I'm setting up the external side as a cluster (of 1 currently). I'd like
>>> my users to be able to sign in as username at domain.edu for MRA.
>>>
>>> dns:
>>>
>>> expressway-e is expe-cluster1-node1.domain.edu
>>>
>>> srv = _collab-edge._tls.domain.edu, sips._tcp.domain.edu both point to
>>> the expe-cluster1-node1
>>>
>>> exp-e cluster name is domain.edu
>>>
>>> On my CSR I have it set to generate a SAN for the FQDN of the Expressway
>>> cluster plus the FQDN of this peer, so:
>>>
>>> DNS:expe-cluster1-node1.domain.edu
>>>
>>> DNS:domain.edu
>>>
>>> GoDaddy kicks back an error saying "You can not add a SAN that is the
>>> same as the domain you are already using."
>>>
>>> Is my DNS/SAN configuration incorrect, or is this a deficiency with
>>> GoDaddy (standard UCC cert)? Or did I miss the boat completely (totally
>>> possible!)?
>>>
>>> --
>>> Ed Leatherman
>>>
>>
>> --
>> Ed Leatherman
>>
>
> --
> Ed Leatherman
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
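Added example, not part of the thread above and not Expressway or GoDaddy tooling: a shell script that builds a CSR shaped like the one Ed described (subject CN set to the peer FQDN, subjectAltName listing that same FQDN plus the cluster name domain.edu), then decodes it with openssl the way the sslshopper decoder would and reports which SAN entries duplicate the CN and which are a bare domain with no host label. The hostnames are the thread's own placeholders, the CSR is constructed here rather than exported from an Expressway, openssl is assumed to be on the path, and the "bare domain" test is a two-label heuristic of mine, not a public-suffix lookup.

```shell
#!/bin/sh
# Added example (not from the thread): generate a CSR with the SAN layout
# Ed described, then decode it with openssl and inspect the SAN list.
# Hostnames are the thread's placeholders; the CSR is constructed here.
set -eu

WORK="$(mktemp -d)"

# make_csr CN SAN... : write a 2048-bit RSA key and a CSR whose subject CN is
# $1 and whose subjectAltName lists every remaining argument as a DNS name.
# Prints the CSR path. A config file is used instead of -addext so the same
# command also works on OpenSSL 1.0.x.
make_csr() {
    cn="$1"; shift
    sans=""
    for s in "$@"; do
        sans="${sans:+$sans,}DNS:$s"
    done
    cat > "$WORK/$cn.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = US
O = Example University
CN = $cn
[ext]
subjectAltName = $sans
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/$cn.cnf" \
        -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr" 2>/dev/null
    printf '%s\n' "$WORK/$cn.csr"
}

# csr_cn FILE : print the subject CN (handles both "CN=x" and "CN = x" output)
csr_cn() {
    openssl req -in "$1" -noout -subject \
        | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# csr_sans FILE : print the DNS names in the requested subjectAltName,
# one per line. The SAN values sit on the line after the extension header.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^ *DNS:\([^ ]*\).*/\1/p'
}

# san_has_cn FILE : succeed if the CN is repeated in the SAN list. Expressway
# adds that entry itself, and it is the entry GoDaddy's "SAN that is the same
# as the domain you are already using" message refers to.
san_has_cn() {
    cn="$(csr_cn "$1")"
    csr_sans "$1" | grep -qxF "$cn"
}

# bare_domain_sans FILE : print SANs with no host label (exactly two labels,
# e.g. domain.edu). Heuristic only; it is not a public-suffix lookup.
bare_domain_sans() {
    csr_sans "$1" | awk -F. 'NF == 2'
}

# Demo: the CSR from the thread (CN = peer FQDN, SANs = peer FQDN + cluster name)
CSR="$(make_csr expe-cluster1-node1.domain.edu \
                expe-cluster1-node1.domain.edu domain.edu)"
echo "CN:  $(csr_cn "$CSR")"
echo "SANs:"
csr_sans "$CSR" | sed 's/^/  /'
if san_has_cn "$CSR"; then
    echo "note: the CN is repeated as a SAN (Expressway adds this itself)"
fi
bare_domain_sans "$CSR" | sed 's/^/note: bare domain listed as a SAN: /'
```

Run it as-is to see the two notes for the thread's layout; point `csr_cn`/`csr_sans` at a real exported CSR file to get the same decoded view without pasting the request into a third-party web decoder.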