<div dir="ltr">I tried a different CSR with alternate names <a href="http://collab-edge.domain.edu">collab-edge.domain.edu</a> and <a href="http://expe.telecom.domain.edu">expe.telecom.domain.edu</a> , without the generic <a href="http://domain.edu">domain.edu</a>, still same error. I'll see what godaddy support tells me.</div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jun 1, 2015 at 10:03 AM, Matthew Loraditch <span dir="ltr"><<a href="mailto:MLoraditch@heliontechnologies.com" target="_blank">MLoraditch@heliontechnologies.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">It could be depending on what exactly was ordered, but I know godaddy supports having the domain as a SAN. I have it on certs I’ve bought in the past month for
expressway and it’s actually supposed to be there:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><a href="http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5-1.pdf" target="_blank">http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5-1.pdf</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">See page 8 and 9. You can prefix collab-edge to the domain if you like, but if you are doing XMPP federation you need it anyway.<u></u><u></u></span></p><span class="">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA<br>
Network Engineer<br>
Direct Voice: <a href="tel:443.541.1518" value="+14435411518" target="_blank">443.541.1518</a></span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><br>
<br>
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><a href="https://www.facebook.com/heliontech?ref=hl" target="_blank"><span style="font-size:8.0pt">Facebook</span></a></span><span style="font-size:8.0pt;font-family:"Calibri",sans-serif;color:#1f497d">
| </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><a href="https://twitter.com/HelionTech" target="_blank"><span style="font-size:8.0pt">Twitter</span></a></span><span style="font-size:8.0pt;font-family:"Calibri",sans-serif;color:#1f497d">
| </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><a href="https://www.linkedin.com/company/helion-technologies?trk=top_nav_home" target="_blank"><span style="font-size:8.0pt">LinkedIn</span></a></span><span style="font-size:8.0pt;font-family:"Calibri",sans-serif;color:#1f497d">
| </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><a href="https://plus.google.com/+Heliontechnologies/posts" target="_blank"><span style="font-size:8.0pt">G+</span></a><u></u><u></u></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
</span><div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Chris Ward (chrward) [mailto:<a href="mailto:chrward@cisco.com" target="_blank">chrward@cisco.com</a>]
<br>
<b>Sent:</b> Monday, June 1, 2015 9:52 AM<br>
<b>To:</b> Matthew Loraditch; Ed Leatherman; Cisco VOIP<br>
<b>Subject:</b> RE: [cisco-voip] collab edge dns/SSL cert<u></u><u></u></span></p>
</div>
</div><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I think the problem is requesting your root domain. Some issuers won’t issue root domain certs and the ones that do call them wildcard certs as they cover an
entire domain (support for wildcard certs is somewhat limited). <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">For example, if you were to go to
<a href="https://cisco.com/" target="_blank">https://cisco.com/</a> rather than <a href="https://www.cisco.com/" target="_blank">
https://www.cisco.com/</a> you would find that the first has an invalid SSL cert as cisco doesn’t have a root domain cert.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">For the very security savvy, it is considered to be inappropriate to use domain-level certs.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Go with just the hostname of the Expressway and potentially an actual alternate hostname if you ever needed to provide an alternate DNS entry to reach the same
Expressway. In either case, drop <a href="http://domain.edu" target="_blank">domain.edu</a>. You don’t need it and I suspect that’s what GoDaddy is complaining about.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546a">+Chris<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546a">TME - MediaSense and Unity Connection<u></u><u></u></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> cisco-voip [<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">mailto:cisco-voip-bounces@puck.nether.net</a>]
<b>On Behalf Of </b>Matthew Loraditch<br>
<b>Sent:</b> Monday, June 01, 2015 9:44 AM<br>
<b>To:</b> Ed Leatherman; Cisco VOIP<br>
<b>Subject:</b> Re: [cisco-voip] collab edge dns/SSL cert<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><a href="https://www.sslshopper.com/csr-decoder.html" target="_blank">https://www.sslshopper.com/csr-decoder.html</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Try dumping the csr in there and see if you see something unexpected.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA<br>
Network Engineer<br>
Direct Voice: <a href="tel:443.541.1518" value="+14435411518" target="_blank">443.541.1518</a></span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><a href="https://www.facebook.com/heliontech?ref=hl" target="_blank"><span style="font-size:8.0pt">Facebook</span></a></span><span style="font-size:8.0pt;font-family:"Calibri",sans-serif;color:#1f497d">
| </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><a href="https://twitter.com/HelionTech" target="_blank"><span style="font-size:8.0pt">Twitter</span></a></span><span style="font-size:8.0pt;font-family:"Calibri",sans-serif;color:#1f497d">
| </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><a href="https://www.linkedin.com/company/helion-technologies?trk=top_nav_home" target="_blank"><span style="font-size:8.0pt">LinkedIn</span></a></span><span style="font-size:8.0pt;font-family:"Calibri",sans-serif;color:#1f497d">
| </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><a href="https://plus.google.com/+Heliontechnologies/posts" target="_blank"><span style="font-size:8.0pt">G+</span></a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> cisco-voip [<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">mailto:cisco-voip-bounces@puck.nether.net</a>]
<b>On Behalf Of </b>Ed Leatherman<br>
<b>Sent:</b> Monday, June 1, 2015 9:41 AM<br>
<b>To:</b> Cisco VOIP<br>
<b>Subject:</b> [cisco-voip] collab edge dns/SSL cert<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Hello everyone!<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I'm getting an error kicked back from GoDaddy trying to sign my expressway-e cert, looking for a sanity check here.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I'm setting up the external side as a cluster (of 1 currently); I'd like for my users to be able to sign in as
<a href="mailto:username@domain.edu" target="_blank">username@domain.edu</a> for MRA.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">dns:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">expressway-e is <a href="http://expe-cluster1-node1.domain.edu" target="_blank">
expe-cluster1-node1.domain.edu</a><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">srv = _collab-edge._tls.domain.edu , sips._tcp.domain.edu both point to the expe-cluster1-node1<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">exp-e cluster name is <a href="http://domain.edu" target="_blank">domain.edu</a><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">On my CSR I have it set to generate a SAN for FQDN of expressway cluster plus FQDN of this peer, so:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">DNS:<a href="http://expe-cluster1-node1.domain.edu" target="_blank">expe-cluster1-node1.domain.edu</a><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">DNS:<a href="http://domain.edu" target="_blank">domain.edu</a><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">GoDaddy kicks back an error saying "You can not add a SAN that is the same as the domain you are already using."<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Is my dns/SAN configuration incorrect or is this a deficiency with godaddy (standard UCC cert)? Or did I miss the boat completely (totally possible!)<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><br clear="all">
<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">-- <u></u><u></u></p>
<div>
<p class="MsoNormal">Ed Leatherman<u></u><u></u></p>
</div>
</div>
</div>
</div></div></div>
</div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Ed Leatherman<br></div>
</div>
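<p>Added example, not code from the thread, from Cisco or from GoDaddy: a small POSIX shell script that builds a CSR with the same SAN list Ed described, decodes its SANs with openssl (the same information the csr-decoder site shows), and flags a SAN that is the parent domain of another SAN in the request, which is the <code>DNS:domain.edu</code> entry GoDaddy rejected. It assumes an openssl of 1.1.1 or newer (for <code>-addext</code>); the names are the constructed ones from the thread, the key pairs are throwaway, and the parent-domain check is this example's own rule of thumb for reproducing the error, not GoDaddy's documented policy.</p>

```shell
#!/bin/sh
# Added example, not part of the cisco-voip thread. Builds a CSR with a given
# SAN list, decodes the SANs back out, and flags a SAN that sits above another
# SAN (domain.edu next to expe-cluster1-node1.domain.edu), the entry the
# issuer refused. Requires openssl 1.1.1+ for -addext. The names are the
# constructed ones from the thread; keys are throwaway and live in a temp dir.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_csr CN SAN...  -> prints the path of a new CSR whose subjectAltName
# extension lists every name given after the CN, in that order.
make_csr() {
  cn="$1"; shift
  sans=""
  for n in "$@"; do
    sans="${sans}${sans:+,}DNS:$n"
  done
  csr="$(mktemp "$WORK/req.XXXXXX")"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$csr.key" \
    -subj "/O=Example University/CN=$cn" \
    -addext "subjectAltName=$sans" -out "$csr" 2>/dev/null
  echo "$csr"
}

# csr_sans CSR -> prints the DNS SANs of the request, one per line.
# openssl prints the names on the line after the extension header.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# parent_san "SAN SAN ..." -> prints the first SAN that is the parent domain
# of another SAN in the list and returns 0; returns 1 when no SAN sits above
# another one (the shape Chris recommended: hostnames only).
parent_san() {
  for x in $1; do
    for y in $1; do
      case "$y" in
        *".$x") echo "$x"; return 0 ;;
      esac
    done
  done
  return 1
}

# Usage: the request from the thread versus one that keeps only hostnames.
ORIG="$(make_csr domain.edu expe-cluster1-node1.domain.edu domain.edu)"
echo "SANs in the original request:"
csr_sans "$ORIG"
if bad="$(parent_san "$(csr_sans "$ORIG")")"; then
  echo "SAN '$bad' is the parent of another SAN; expect the issuer to reject it"
fi

FIXED="$(make_csr expe-cluster1-node1.domain.edu \
  expe-cluster1-node1.domain.edu collab-edge.domain.edu)"
echo "SANs in the hostname-only request:"
csr_sans "$FIXED"
parent_san "$(csr_sans "$FIXED")" || echo "no SAN sits above another; OK"
```

<p>Running it prints the two SAN lists and the flag for the first request only. The same <code>csr_sans</code> pipeline works on a CSR exported from Expressway, so a request can be checked locally before it is pasted into a third-party decoder or submitted to the CA.</p>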