<p dir="ltr">Click through the error. Don't modify the CSR or take out SANs. The FQDN should be in the CN and SAN. I don't know why GoDaddy complains about that, but I just ignore it and things are fine.</p>
<p dir="ltr">Justin</p>
<div class="gmail_quote">On Jun 1, 2015 1:49 PM, "Ed Leatherman" <<a href="mailto:ealeatherman@gmail.com">ealeatherman@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Matt had it right with his suggestion of dumping the CSR into the decoder, although I wouldn't have recognized it as a problem.<div><br></div><div>When Expressway generates the CSR it is adding a SAN entry that is identical to the CN. So it doesn't seem like having my root domain in there was the problem to begin with. According to the GoDaddy support person that was what was kicking the error, and apparently if you just click through the error it will generate the cert anyway; I'm assuming it will just leave out that offending SAN entry.</div><div><br></div><div>I'll circle around once we have the verifications done and have a chance to upload it.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jun 1, 2015 at 10:32 AM, Ed Leatherman <span dir="ltr"><<a href="mailto:ealeatherman@gmail.com" target="_blank">ealeatherman@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I tried a different CSR with alternate names <a href="http://collab-edge.domain.edu" target="_blank">collab-edge.domain.edu</a> and <a href="http://expe.telecom.domain.edu" target="_blank">expe.telecom.domain.edu</a>, without the generic <a href="http://domain.edu" target="_blank">domain.edu</a>, still same error. 
I'll see what godaddy support tells me.</div><div class="gmail_extra"><div><div><br><div class="gmail_quote">On Mon, Jun 1, 2015 at 10:03 AM, Matthew Loraditch <span dir="ltr"><<a href="mailto:MLoraditch@heliontechnologies.com" target="_blank">MLoraditch@heliontechnologies.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">It could be depending on what exactly was ordered, but I know godaddy supports having the domain as a SAN. I have it on certs I’ve bought in the past month for
expressway and it’s actually supposed to be there:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><a href="http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5-1.pdf" target="_blank">http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5-1.pdf</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">See page 8 and 9. You can prefix collab-edge to the domain if you like, but if you are doing XMPP federation you need it anyway.<u></u><u></u></span></p><span>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA<br>
Network Engineer<br>
Direct Voice: <a href="tel:443.541.1518" value="+14435411518" target="_blank">443.541.1518</a></span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><br>
<br>
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><a href="https://www.facebook.com/heliontech?ref=hl" target="_blank"><span style="font-size:8.0pt">Facebook</span></a></span><span style="font-size:8.0pt;font-family:"Calibri",sans-serif;color:#1f497d">
| </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><a href="https://twitter.com/HelionTech" target="_blank"><span style="font-size:8.0pt">Twitter</span></a></span><span style="font-size:8.0pt;font-family:"Calibri",sans-serif;color:#1f497d">
| </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><a href="https://www.linkedin.com/company/helion-technologies?trk=top_nav_home" target="_blank"><span style="font-size:8.0pt">LinkedIn</span></a></span><span style="font-size:8.0pt;font-family:"Calibri",sans-serif;color:#1f497d">
| </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><a href="https://plus.google.com/+Heliontechnologies/posts" target="_blank"><span style="font-size:8.0pt">G+</span></a><u></u><u></u></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
</span><div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Chris Ward (chrward) [mailto:<a href="mailto:chrward@cisco.com" target="_blank">chrward@cisco.com</a>]
<br>
<b>Sent:</b> Monday, June 1, 2015 9:52 AM<br>
<b>To:</b> Matthew Loraditch; Ed Leatherman; Cisco VOIP<br>
<b>Subject:</b> RE: [cisco-voip] collab edge dns/SSL cert<u></u><u></u></span></p>
</div>
</div><div><div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I think the problem is requesting your root domain. Some issuers won’t issue root domain certs, and the ones that do call them wildcard certs as they cover an
entire domain (support for wildcard certs is somewhat limited). <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">For example, if you were to go to
<a href="https://cisco.com/" target="_blank">https://cisco.com/</a> rather than <a href="https://www.cisco.com/" target="_blank">
https://www.cisco.com/</a> you would find that the first has an invalid SSL cert as cisco doesn’t have a root domain cert.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">For the very security savvy, it is considered to be inappropriate to use domain-level certs.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Go with just the hostname of the Expressway and potentially an actual alternate hostname if you ever needed to provide an alternate DNS entry to reach the same
Expressway. In either case, drop <a href="http://domain.edu" target="_blank">domain.edu</a>. You don’t need it, and I suspect that’s what GoDaddy is complaining about.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546a">+Chris<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546a">TME - MediaSense and Unity Connection<u></u><u></u></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> cisco-voip [<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">mailto:cisco-voip-bounces@puck.nether.net</a>]
<b>On Behalf Of </b>Matthew Loraditch<br>
<b>Sent:</b> Monday, June 01, 2015 9:44 AM<br>
<b>To:</b> Ed Leatherman; Cisco VOIP<br>
<b>Subject:</b> Re: [cisco-voip] collab edge dns/SSL cert<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><a href="https://www.sslshopper.com/csr-decoder.html" target="_blank">https://www.sslshopper.com/csr-decoder.html</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Try dumping the csr in there and see if you see something unexpected.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> cisco-voip [<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">mailto:cisco-voip-bounces@puck.nether.net</a>]
<b>On Behalf Of </b>Ed Leatherman<br>
<b>Sent:</b> Monday, June 1, 2015 9:41 AM<br>
<b>To:</b> Cisco VOIP<br>
<b>Subject:</b> [cisco-voip] collab edge dns/SSL cert<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Hello everyone!<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I'm getting an error kicked back from GoDaddy trying to sign my expressway-e cert, looking for a sanity check here.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I'm setting up the external side as a cluster (of 1 currently); I'd like for my users to be able to sign in as
<a href="mailto:username@domain.edu" target="_blank">username@domain.edu</a> for MRA.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">dns:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">expressway-e is <a href="http://expe-cluster1-node1.domain.edu" target="_blank">
expe-cluster1-node1.domain.edu</a><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">srv = _collab-edge._<a href="http://tls.domain.edu" target="_blank">tls.domain.edu</a> , sips._<a href="http://tcp.domain.edu" target="_blank">tcp.domain.edu</a> both point to the expe-cluster1-node1<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">exp-e cluster name is <a href="http://domain.edu" target="_blank">domain.edu</a><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">On my CSR I have it set to generate a SAN for the FQDN of the Expressway cluster plus the FQDN of this peer, so:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">DNS:<a href="http://expe-cluster1-node1.domain.edu" target="_blank">expe-cluster1-node1.domain.edu</a><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">DNS:<a href="http://domain.edu" target="_blank">domain.edu</a><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">GoDaddy kicks back an error saying "You can not add a SAN that is the same as the domain you are already using."<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Is my dns/SAN configuration incorrect or is this a deficiency with godaddy (standard UCC cert)? Or did I miss the boat completely (totally possible!)<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><br clear="all">
<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">-- <u></u><u></u></p>
<div>
<p class="MsoNormal">Ed Leatherman<u></u><u></u></p>
</div>
</div>
</div>
</div></div></div>
</div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div>Ed Leatherman<br></div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div>Ed Leatherman<br></div>
</div>
<br>_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br></blockquote></div>
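A check in the spirit of this thread, added here as an editor's example and not code from the list, from Cisco or from GoDaddy: it parses the text dump that `openssl req -in file.csr -noout -text` prints (a constructed sample built from the thread's placeholder names) and flags the two points raised above, a CN that is missing from the SAN list and a bare apex domain such as domain.edu used as a SAN. The rule that a two-label name is an apex domain is an assumption of this example.

```python
import re
from typing import Dict, List

# Constructed sample of what `openssl req -in expe.csr -noout -text` prints for the CSR
# described in the thread: CN is the peer FQDN, SANs are the peer FQDN plus the cluster
# name domain.edu. Names are the thread's placeholders, not a real deployment.
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, O = Example University, CN = expe-cluster1-node1.domain.edu
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:expe-cluster1-node1.domain.edu, DNS:domain.edu
"""


def parse_csr_text(text: str) -> Dict[str, object]:
    """Extract the subject CN and the DNS SAN entries from openssl's text dump."""
    cn_match = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", text, re.M)
    cn = cn_match.group(1).strip().lower() if cn_match else ""
    san_match = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    sans = re.findall(r"DNS:([^,\s]+)", san_match.group(1)) if san_match else []
    return {"cn": cn, "sans": [s.lower() for s in sans]}


def is_apex(name: str) -> bool:
    """Assumption: a two-label name such as domain.edu is a bare apex domain;
    hostnames under it have three or more labels (multi-label TLDs are not handled)."""
    return len(name.split(".")) <= 2


def review_csr(text: str) -> List[str]:
    """Findings about the names in the CSR, in the order a reviewer would fix them."""
    parsed = parse_csr_text(text)
    cn, sans = parsed["cn"], parsed["sans"]
    findings: List[str] = []
    # The CN must also appear as a SAN: clients match on SANs, not the CN, so a CA
    # that dropped the "duplicate" SAN would leave the peer FQDN unmatched.
    if cn not in sans:
        findings.append(f"CN {cn} is not in the SAN list")
    # A bare apex domain as a SAN is broader than a single Expressway peer needs
    # and is the entry the CA in the thread objected to.
    for name in sans:
        if is_apex(name):
            findings.append(f"SAN {name} is a bare apex domain")
    for name in sorted(set(n for n in sans if sans.count(n) > 1)):
        findings.append(f"SAN {name} is listed more than once")
    return findings
```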