[cisco-voip] Renewing Expressway E Cert
Anthony Holloway
avholloway+cisco-voip at gmail.com
Thu Apr 23 02:16:25 EDT 2020
I think I could have written a piece of that better....
"...which is at a random/unpredictable time, where it will not forward port 80
traffic to port 443 for a very specific GET request to a very specific URL."
I think that's better. Anyway, I read it in the documentation, so if
what I wrote is confusing, just read the docs. 1:00am email replies.
Sheesh!
On Thu, Apr 23, 2020 at 1:13 AM Anthony Holloway <
avholloway+cisco-voip at gmail.com> wrote:
> First and foremost, the document describes how port 80 is used
> pretty well. It goes on to say that it's no less secure than port 443,
> because the same underlying program/process answers to both, and thus is
> susceptible to the same attacks.
>
> People think it's less secure because it's clear text communication, but
> that's not pertinent to how people attack a host. It is however, how you
> intercept communications, and then use that information to your advantage.
>
> However, the document also describes how port 80 is auto-redirecting all
> traffic to 443 by default, until the renewal process starts, which is at a
> random/unpredictable time, and is only changed to redirect port 80 traffic
> to 443 for a very specific GET request to a very specific URL. In which
> case, the port 80 traffic is then redirected to another separate web server
> instance which is spun up just in this moment to handle the comms with
> Let's Encrypt, and as soon as it's done, the web server instance is turned
> off, and all port 80 traffic is again redirected to 443.
>
> So, the security of the system is actually pretty tight. Is it 100%?
> Probably not. But then again, what truly is 100% secure?
>
> On Wed, Apr 22, 2020 at 3:42 PM Riley, Sean <SRiley at robinsonbradshaw.com>
> wrote:
>
>> Thanks for the reply and Cliffs Notes about the setup. My security team
>> has concerns with having port 80 open to facilitate the Let's Encrypt
>> process. Documentation states something about allowing the built-in
>> protections without giving much info on what those protections are.
>>
>> I would love to be able to set it and forget it.
>>
>> *From:* Anthony Holloway <avholloway+cisco-voip at gmail.com>
>> *Sent:* Friday, April 17, 2020 4:23 PM
>> *To:* Riley, Sean <SRiley at robinsonbradshaw.com>
>> *Cc:* cisco-voip at puck.nether.net
>> *Subject:* Re: [cisco-voip] Renewing Expressway E Cert
>>
>> This might be an unpopular opinion, but I think using the free certs
>> provided by Let's Encrypt, coupled with it being automatic from now on,
>> is just an unbeatable combination.
>>
>> Here are my Cliffs Notes:
>>
>> Reference Document:
>> https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_certificate-creation-use-deployment-guide/exwy_b_certificate-creation-use-deployment-guide_chapter_0100.html
>>
>> High Level Steps:
>>
>> 1. Expressway 12.5.7, to avoid ACMEv1 vs ACMEv2 registration issues (
>> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr82346)
>> 2. For your Unified CM registration domains, don't use the parent domain
>> only (e.g., company.com); switch to the CollabEdgeDNS format instead
>> (e.g., collab-edge.company.com), because you'll need that in the next
>> step
>> 3. DNS A records for the Expressway-E FQDN and the CM registration
>> domains
>> 4. Upload the root and intermediates for Let's Encrypt (needed on
>> both Expressway-E and Expressway-C) (certs are linked in the documentation)
>> 5. Enable the ACME client on Expressway-E and supply any email
>> address you want to link to this registration (this creates your account
>> with Let's Encrypt)
>> 6. Generate a new CSR (server certificate only; a domain cert was not
>> needed)
>> 7. Click the button to submit the CSR to ACME
>> 8. Click the button to deploy the new certificate on Expressway-E
>> (the documentation states this is non-service-impacting)
>> 9. Set up the automatic scheduler so you never have to deal with this
>> again
>> 10. Sit back, relax and enjoy free shit
>>
>> On Fri, Apr 17, 2020 at 1:43 PM Riley, Sean <SRiley at robinsonbradshaw.com>
>> wrote:
>>
>> We had our Cisco partner set up our Expressways a couple of years ago. It
>> is a cluster with 2 E's and 2 C's, currently at v12.5.7, used for MRA. I
>> have been managing them, installing updates, troubleshooting, etc. The
>> public Edge cert is up for renewal. Can anyone provide advice on renewing
>> this cert? I am planning on just renewing with the same cert provider, but
>> was interested in whether there is anything to watch out for. For example, will
>> there be a service interruption when replacing the cert? Or just install
>> the new cert/pk and rest easy?
>>
>> Thanks in advance.
>>
>> Sean.
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
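The port-80 behaviour argued over above (everything redirected to 443 except one exact GET during a renewal) and steps 5 through 8 of the procedure are the ACME HTTP-01 challenge from RFC 8555. The block below is an added example, not Cisco's or Expressway's code and not a claim about how the Expressway-E listener is built: it models what any conforming HTTP-01 responder must do, computing the RFC 7638 account-key thumbprint and the key authorization the CA expects, and deciding per request whether to serve that one path or redirect to TLS. The account key, token and hostnames are constructed placeholders.

```python
"""Added example: the ACME HTTP-01 challenge path the thread describes.

Not Cisco/Expressway code. Models, per RFC 8555 section 8.3 and RFC 7638, what
a port-80 listener must do during a Let's Encrypt renewal: answer one exact GET
for /.well-known/acme-challenge/<token> with the key authorization, and redirect
everything else to 443. The account key below is a constructed placeholder.
"""
import base64
import hashlib
import json
import re
from typing import Optional, Tuple

ACME_PATH_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: a token is base64url (no padding) with at least 128 bits
# of entropy, so it is at least 22 characters from the base64url alphabet.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    lexically sorted, no whitespace. Extra members such as 'kid' are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the body served for the challenge is token '.' thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def is_plausible_token(token: str) -> bool:
    """Refuse anything a conforming CA could not have issued (e.g. '../admin')."""
    return TOKEN_RE.match(token) is not None


def route_port80(request_line: str, host: str,
                 active: Optional[Tuple[str, str]]) -> Tuple[str, int, str]:
    """Decide what the port-80 listener does with one request.

    active is None when no renewal is in progress, else (token, key_authorization).
    Returns (action, status, body_or_location)."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ("reject", 400, "")
    method, target, _version = parts
    path = target.split("?", 1)[0]  # the challenge URL carries no query string
    if active is not None:
        token, keyauth = active
        if (method == "GET" and is_plausible_token(token)
                and path == ACME_PATH_PREFIX + token):
            return ("serve", 200, keyauth)
    # Everything else, including the challenge path when no renewal is running,
    # is sent to the TLS listener.
    return ("redirect", 301, f"https://{host}{path}")


# Constructed placeholder account key (RSA JWK shape, not a real modulus).
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(b"constructed-modulus-for-illustration-only"),
    "kid": "https://acme.example/acct/1",  # ignored by the thumbprint
}
CHALLENGE_TOKEN = "Qw3m7Jw9pJ0yN2H6vXyZ4sQ7tK1nB5cD"  # constructed, base64url alphabet


def demo() -> None:
    keyauth = key_authorization(CHALLENGE_TOKEN, ACCOUNT_JWK)
    active = (CHALLENGE_TOKEN, keyauth)
    for line in ("GET /.well-known/acme-challenge/" + CHALLENGE_TOKEN + " HTTP/1.1",
                 "GET /.well-known/acme-challenge/../admin HTTP/1.1",
                 "POST /.well-known/acme-challenge/" + CHALLENGE_TOKEN + " HTTP/1.1",
                 "GET /index.html HTTP/1.1"):
        print(line, "->", route_port80(line, "expe.example.com", active))
        print(line, "->", route_port80(line, "expe.example.com", None))


if __name__ == "__main__":
    demo()
```

The point for a security review is the shape of `route_port80`: the only request that is ever answered in clear text is a GET whose path equals one CA-issued token while a renewal is open, and the body it returns is a public value (the CA already holds the account key's public half), so nothing secret crosses port 80. A check worth running against a real deployment is that `curl -I http://<expressway-e-fqdn>/` returns a 301 to https at any time outside a renewal window.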