[cisco-voip] let's encrypt for local admin gui pages

Nathan Reeves nathan.a.reeves at gmail.com
Tue Sep 26 20:58:53 EDT 2017


I've been using it on Lab boxes without issue.  The 90 day expiry is a pain
but for lab acceptable atm.

In terms of generating / renewing the certs, you can use the web server
validation process outlined by Ryan, but you can also use DNS record
validation (which is what I've been doing).  Whether you're able to do that
for your environment is the question.

For reference, the certs load up fine and all services appear to work as
far as my testing goes (it is a standard cert of course).  Expressways and
Phone Reg via MRA also works fine when using the LE Certs.  Wasn't sure it
was going to due to the specific list of certs the devices registering via
MRA can support, but all worked well.

I did come across https://www.yarnlab.io/certmate/ (though I have not actually
tested it), which appeared (at least on the Expressways) to do the renewal
process automatically using the available APIs.

Nathan

On Tue, Sep 26, 2017 at 10:28 PM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:

>
>
> Thanks – you outlined the issues as I suspected them.
>
>
>
> I was thinking more about the admin gui for things like CIMC, and other
> non-client facing services. But again, the same issues apply.
>
>
>
> Hopefully they modify their model slightly for appliance based systems
> –or- the partners that are participating build a Let’s Encrypt option for
> the certificates in their products.
>
>
>
>
>
> ---
>
> Lelio Fulgenzi, B.A.
>
> Senior Analyst, Network Infrastructure
>
> Computing and Communications Services (CCS)
>
> University of Guelph
>
>
>
> 519-824-4120 Ext 56354
>
> lelio at uoguelph.ca
>
> www.uoguelph.ca/ccs
>
> Room 037, Animal Science and Nutrition Building
>
> Guelph, Ontario, N1G 2W1
>
>
>
> *From:* Ryan Huff [mailto:ryanhuff at outlook.com]
> *Sent:* Tuesday, September 26, 2017 10:24 AM
> *To:* Lelio Fulgenzi; voyp list, cisco-voip (cisco-voip at puck.nether.net)
> *Subject:* Re: let's encrypt for local admin gui pages
>
>
>
> It's theoretically possible to take the CUCM tomcat CSR and use it to get
> LE to sign a cert, then take the resulting cert and attempt to upload it to
> CUCM; however, if it worked, LE only signs certificates for 90 days. So if
> you did get it to work, you'd have to do it every 90 days (the built-in LE
> packages on other Linux distros have built-in tools to auto-manage the
> renewal process, but no way to do it with CUCM).
>
>
>
> ... but that's if the moon is blue and you have a winning lotto ticket. To
> even get to that point would be a feat; let me explain.
>
>
>
> The way LE for Linux signs certs is to install local software on the web
> server that will do an automatic Internet based FQDN check (meaning it
> automatically looks up the FQDN from the perspective of the Internet)
> during the signing request. Once it finds the domain, it queries for a
> specific item within the web path to verify that domain belongs to the same
> person that started the certification signing request (this isn't a lot
> different than the way Google or GoDaddy does it). However, the CSR must
> exist in a specific location on the server you are trying to sign the cert
> for. Once all criteria are met, LE automatically creates a valid SSL
> certificate for the web server that is signed for 90 days and installs it
> on the web server.
>
>
>
> So in order to even try and get this to sign a cert for a CUCM CSR you'd
> have to:
>
>    - Create an Internet facing Linux web server that mimics all the
>    network details of the CUCM server and try to get LE to sign the CUCM CSR
>    on that web server (you'd take CUCM's CSR and upload it to the Linux Web
>    Server).
>    - Extract the signed .pem from the web server and attempt to upload to
>    CUCM as a tomcat (you'll also need to grab LE's root CA and upload it to
>    the tomcat-trust)
>
>
>
> In theory it might work, but is a helluva effort for 90 days just to get
> free certs, then do it all over again. Now if you got it to work and had a
> good workflow every 90 days ... maybe not that bad? The other thing to
> consider that I'm not sure about in CMR cases (thinking if you tried this
> on an Expressway Edge) is if Cisco Collab Cloud (i.e. WebEx) would trust the
> CA.
>
>
>
> Thanks,
>
>
>
> Ryan
>
>
> ------------------------------
>
> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of
> Lelio Fulgenzi <lelio at uoguelph.ca>
> *Sent:* Tuesday, September 26, 2017 10:00 AM
> *To:* voyp list, cisco-voip (cisco-voip at puck.nether.net)
> *Subject:* [cisco-voip] let's encrypt for local admin gui pages
>
>
>
>
>
> Has anyone been successful in deploying Let’s Encrypt certificates on
> appliance based gui’s? Seems like Let’s Encrypt is a cloud based service,
> which has proxy support, but it’s still client based with short certificate
> periods.
>