[cisco-voip] let's encrypt for local admin gui pages
Lelio Fulgenzi
lelio at uoguelph.ca
Tue Sep 26 10:28:06 EDT 2017
Thanks - you outlined the issues as I suspected them.
I was thinking more about the admin gui for things like CIMC, and other non-client facing services. But again, the same issues apply.
Hopefully they modify their model slightly for appliance based systems -or- the partners that are participating build a Let's Encrypt option for the certificates in their products.
---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph
519-824-4120 Ext 56354
lelio at uoguelph.ca
www.uoguelph.ca/ccs
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1
From: Ryan Huff [mailto:ryanhuff at outlook.com]
Sent: Tuesday, September 26, 2017 10:24 AM
To: Lelio Fulgenzi; voyp list, cisco-voip (cisco-voip at puck.nether.net)
Subject: Re: let's encrypt for local admin gui pages
It's theoretically possible to take the CUCM tomcat CSR and use it to get LE to sign a cert, then take the resulting cert and attempt to upload it to CUCM; however, if it worked, LE only signs certificates for 90 days. So if you did get it to work, you'd have to do it every 90 days (the built-in LE package on other Linux distros has built-in tools to auto-manage the renewal process, but there is no way to do it with CUCM).
... but that's if the moon is blue and you have a winning lotto ticket. To even get to that point would be a feat; let me explain.
The way LE for Linux signs certs is to install local software on the web server that will do an automatic Internet-based FQDN check (meaning it automatically looks up the FQDN from the perspective of the Internet) during the signing request. Once it finds the domain, it queries for a specific item within the web path to verify that the domain belongs to the same person that started the certificate signing request (this isn't a lot different from the way Google or GoDaddy does it). However, the CSR must exist in a specific location on the server you are trying to sign the cert for. Once all criteria are met, LE automatically creates a valid SSL certificate for the web server that is signed for 90 days and installs it on the web server.
So in order to even try and get this to sign a cert for a CUCM CSR you'd have to:
* Create an Internet facing Linux web server that mimics all the network details of the CUCM server and try to get LE to sign the CUCM CSR on that web server (you'd take CUCM's CSR and upload it to the Linux Web Server).
* Extract the signed .pem from the web server and attempt to upload it to CUCM as a tomcat cert (you'll also need to grab LE's root CA and upload it to the tomcat-trust).
In theory it might work, but it is a helluva effort for 90 days just to get free certs, then do it all over again. Now if you got it to work and had a good workflow every 90 days ... maybe not that bad? The other thing to consider that I'm not sure about in CMR cases (thinking if you tried this on an Expressway Edge) is whether Cisco Collab Cloud (i.e. WebEx) would trust the CA.
Thanks,
Ryan
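To make the validation step Ryan describes concrete, here is an added example written for this page (it is not code from the thread, from Cisco, or from any Let's Encrypt client). It models the CA-side HTTP-01 check: the ACME server computes the key authorization (challenge token + "." + RFC 7638 thumbprint of the account key) and expects exactly that string to be served at /.well-known/acme-challenge/<token> on the FQDN as seen from the Internet. The account key, token and host name are constructed placeholders, and the "web server" is an in-memory stand-in; the last function does the 90-day renewal arithmetic the thread worries about.

```python
"""ACME HTTP-01 validation and 90-day renewal bookkeeping (constructed example)."""
import base64
import hashlib
import json
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: required members only, keys sorted, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """The exact body the CA expects to find at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_http01(fetch: Callable[[str, str], Optional[str]], domain: str,
                    token: str, account_jwk: Dict[str, str]) -> bool:
    """CA-side check: fetch the challenge path over plain HTTP on the public FQDN
    and compare it with the key authorization derived from the account key."""
    body = fetch(domain, CHALLENGE_PREFIX + token)
    if body is None:
        return False
    return body.strip() == key_authorization(token, account_jwk)


# --- constructed stand-ins (not a real key, token or host) -----------------
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus"}
TOKEN = "constructed-token-0123456789abcdef"
DOMAIN = "cucm.example.invalid"


def make_fake_web(domain: str, files: Dict[str, str]) -> Callable[[str, str], Optional[str]]:
    """In-memory model of the Internet-facing web server the CA would query."""
    def fetch(host: str, path: str) -> Optional[str]:
        if host != domain:  # the CA resolves the FQDN from the Internet side, not ours
            return None
        return files.get(path)
    return fetch


# A server that published the right file, and one that published the wrong content.
web_ok = make_fake_web(DOMAIN, {CHALLENGE_PREFIX + TOKEN: key_authorization(TOKEN, ACCOUNT_JWK)})
web_bad = make_fake_web(DOMAIN, {CHALLENGE_PREFIX + TOKEN: TOKEN + ".wrong-thumbprint"})


def renewal_due_in_days(not_after_iso: str, now_iso: str, renew_before_days: int = 30) -> int:
    """Days until a renewal should run for a cert expiring at not_after (negative = overdue).
    With 90-day certificates and a 30-day margin this fires every 60 days."""
    not_after = datetime.fromisoformat(not_after_iso)
    now = datetime.fromisoformat(now_iso)
    return (not_after - timedelta(days=renew_before_days) - now).days


if __name__ == "__main__":
    print("correct file served :", validate_http01(web_ok, DOMAIN, TOKEN, ACCOUNT_JWK))
    print("wrong file served   :", validate_http01(web_bad, DOMAIN, TOKEN, ACCOUNT_JWK))
    print("renew in (days)     :", renewal_due_in_days("2017-12-25T00:00:00+00:00",
                                                        "2017-09-26T00:00:00+00:00"))
```

The point of the `host != domain` branch is the part that makes the CUCM case awkward: the CA validates against whatever the public DNS name resolves to, so the challenge file has to be reachable on an Internet-facing host carrying that FQDN, which is why the thread ends up proposing a separate Linux box. Because the check is tied to the account key rather than the CSR, a cert obtained this way is only as trustworthy as the control of that host and of the account key.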
________________________________
From: cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of Lelio Fulgenzi <lelio at uoguelph.ca>
Sent: Tuesday, September 26, 2017 10:00 AM
To: voyp list, cisco-voip (cisco-voip at puck.nether.net)
Subject: [cisco-voip] let's encrypt for local admin gui pages
Has anyone been successful in deploying Let's Encrypt certificates on appliance-based GUIs? Seems like Let's Encrypt is a cloud-based service, which has proxy support, but it's still client-based with short certificate periods.