[cisco-voip] Renewing Expressway E Cert

Anthony Holloway avholloway+cisco-voip at gmail.com
Thu Apr 23 02:13:41 EDT 2020


First and foremost, the document describes how port 80 is used
pretty well.  It goes on to say that it's no less secure than port 443,
because the same underlying program/process answers to both, and thus is
susceptible to the same attacks.

People think it's less secure because it's clear text communication, but
that's not pertinent to how people attack a host.  It is, however, how you
intercept communications and then use that information to your advantage.

However, the document also describes how port 80 is auto-redirecting all
traffic to 443 by default, until the renewal process starts, which is at a
random/unpredictable time, and is only changed to redirect port 80 traffic
to 443 for a very specific GET request to a very specific URL, in which
case the port 80 traffic is then redirected to another, separate web server
instance which is spun up just in this moment to handle the comms with
Let's Encrypt; as soon as it's done, the web server instance is turned
off, and all port 80 traffic is again redirected to 443.

So, the security of the system is actually pretty tight.  Is it 100%?
Probably not.  But then again, what truly is 100% secure?

On Wed, Apr 22, 2020 at 3:42 PM Riley, Sean <SRiley at robinsonbradshaw.com>
wrote:

> Thanks for the reply and cliffs notes about the setup.  My security team
> has concerns with having port 80 open to facilitate the Let's Encrypt
> process.  Documentation states something about allowing the built-in
> protections without giving much info on what those protections are.
>
> I would love to be able to set it and forget it.
>
> *From:* Anthony Holloway <avholloway+cisco-voip at gmail.com>
> *Sent:* Friday, April 17, 2020 4:23 PM
> *To:* Riley, Sean <SRiley at robinsonbradshaw.com>
> *Cc:* cisco-voip at puck.nether.net
> *Subject:* Re: [cisco-voip] Renewing Expressway E Cert
>
> This might be an unpopular opinion, but I think using the free certs
> provided by Let's Encrypt, coupled with it being automatic from now on,
> is just an unbeatable combination.
>
> Here are my cliff notes:
>
> Reference Document:
> https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_certificate-creation-use-deployment-guide/exwy_b_certificate-creation-use-deployment-guide_chapter_0100.html
>
> High Level Steps:
>
>    1. Expressway 12.5.7 to avoid ACMEv1 vs ACMEv2 registration issues (
>    https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr82346)
>    2. For your Unified CM registration domains, don't use the parent domain
>    only (e.g., company.com); switch to the CollabEdgeDNS format instead
>    (e.g., collab-edge.company.com), because you'll need that in the next
>    step
>    3. DNS A records for the Expressway-E FQDN and the CM registration
>    domains
>    4. Upload the root and intermediates for Let’s Encrypt (needed on both
>    Expressway-E and Expressway-C) (certs are linked in documentation)
>    5. Enable the ACME client on Expressway-E and supply any email address
>    you want to link to this registration (This creates your account with Let’s
>    Encrypt)
>    6. Generate a new CSR (Server Certificate Only, Domain Cert Was Not
>    Needed)
>    7. Click button to Submit CSR to ACME
>    8. Click button to Deploy New Certificate on Expressway-E
>    (documentation states this is non-service impacting)
>    9. Setup the automatic scheduler so you never have to deal with this
>    again
>    10. Sit back, relax and enjoy free shit
>
> On Fri, Apr 17, 2020 at 1:43 PM Riley, Sean <SRiley at robinsonbradshaw.com>
> wrote:
>
> We had our Cisco partner set up our Expressways a couple of years ago.  It
> is a cluster with 2 E's and 2 C's, currently at v12.5.7, used for MRA.  I
> have been managing them, installing updates, troubleshooting, etc.  The
> public Edge cert is up for renewal.  Can anyone provide advice on renewing
> this cert?  I am planning on just renewing with the same cert provider, but
> was interested in whether there is anything to watch out for.  For example, will
> there be a service interruption when replacing the cert?  Or just install
> the new cert/pk and rest easy?
>
> Thanks in advance.
>
> Sean.
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
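An added check for the port-80 behaviour described at the top of this thread (example code written for this page, not from the list, from Cisco's documentation or from the Expressway product): it classifies what a plain-HTTP probe of an Expressway-E answers, so a security team can confirm that port 80 only redirects to 443 outside a renewal. It assumes the "very specific URL" is the standard ACME HTTP-01 path /.well-known/acme-challenge/ (the thread does not name it) and uses a placeholder hostname.

```python
import http.client
import sys
from urllib.parse import urlparse

# Standard ACME HTTP-01 challenge path (RFC 8555); assumed, the thread only says "a very specific URL".
ACME_PREFIX = "/.well-known/acme-challenge/"
REDIRECTS = (301, 302, 303, 307, 308)

def classify(path, status, headers):
    """Classify one plain-HTTP answer from port 80:
    'redirect-to-https'  steady state the thread describes (everything sent on to 443)
    'acme-challenge'     challenge answer; only expected under ACME_PREFIX while renewing
    'acme-idle'          404 under ACME_PREFIX: no renewal in flight, nothing else served
    'closed-or-error'    5xx or no answer at all
    'unexpected-content' anything else served in the clear on port 80
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECTS:
        target = urlparse(hdrs.get("location", ""))
        # A redirect that keeps the client on http is not the documented behaviour.
        return "redirect-to-https" if target.scheme == "https" else "unexpected-content"
    if path.startswith(ACME_PREFIX):
        if status == 200:
            return "acme-challenge"
        if status == 404:
            return "acme-idle"
    if status >= 500:
        return "closed-or-error"
    return "unexpected-content"

def probe(host, path, timeout=5):
    """GET one path over plain HTTP on port 80 and classify the reply (needs network)."""
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        result = classify(path, resp.status, dict(resp.getheaders()))
        conn.close()
        return result
    except OSError:  # refused, timed out, reset: nothing served in the clear
        return "closed-or-error"

def audit(host, paths=("/", "/index.html", ACME_PREFIX + "probe-token")):
    """Probe a few paths; return per-path verdicts and True when nothing unexpected was served."""
    verdicts = {p: probe(host, p) for p in paths}
    return verdicts, all(v != "unexpected-content" for v in verdicts.values())

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "expressway-e.example.com"  # placeholder host
    verdicts, clean = audit(target)
    for p, v in verdicts.items():
        print(f"{p:45} {v}")
    print("port 80 exposes only redirects / ACME:", clean)
```

Run it before and during a scheduled renewal window; the only verdict that should ever change is the ACME path going from acme-idle to acme-challenge.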