I tried a different CSR with alternate names collab-edge.domain.edu and expe.telecom.domain.edu, without the generic domain.edu, still same error. I'll see what godaddy support tells me.

On Mon, Jun 1, 2015 at 10:03 AM, Matthew Loraditch <mloradi...@heliontechnologies.com> wrote:

> It could be depending on what exactly was ordered, but I know godaddy
> supports having the domain as a SAN. I have it on certs I’ve bought in the
> past month for expressway and it’s actually supposed to be there:
>
> http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5-1.pdf
>
> See page 8 and 9. You can prefix collab-edge to the domain if you like,
> but if you are doing XMPP federation you need it anyway.
>
> Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA
> Network Engineer
> Direct Voice: 443.541.1518
>
> *From:* Chris Ward (chrward) [mailto:chrw...@cisco.com]
> *Sent:* Monday, June 1, 2015 9:52 AM
> *To:* Matthew Loraditch; Ed Leatherman; Cisco VOIP
> *Subject:* RE: [cisco-voip] collab edge dns/SSL cert
>
> I think the problem is requesting your root domain. Some issuers won’t
> issue root domain certs and the ones that do call them wildcard certs as
> they cover an entire domain (support for wildcard certs is somewhat
> limited).
>
> For example, if you were to go to https://cisco.com/ rather than
> https://www.cisco.com/ you would find that the first has an invalid SSL
> cert as cisco doesn’t have a root domain cert.
>
> For the very security savvy, it is considered to be inappropriate to use
> domain-level certs.
>
> Go with just the hostname of the Expressway and potentially an actual
> alternate hostname if you ever needed to provide an alternate DNS entry to
> reach the same Expressway. In either case, drop domain.edu. You don’t
> need it and I suspect that’s what GoDaddy is complaining about.
>
> +Chris
> TME - MediaSense and Unity Connection
>
> *From:* cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] *On Behalf Of* Matthew Loraditch
> *Sent:* Monday, June 01, 2015 9:44 AM
> *To:* Ed Leatherman; Cisco VOIP
> *Subject:* Re: [cisco-voip] collab edge dns/SSL cert
>
> https://www.sslshopper.com/csr-decoder.html
>
> Try dumping the csr in there and see if you see something unexpected.
>
> *From:* cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] *On Behalf Of* Ed Leatherman
> *Sent:* Monday, June 1, 2015 9:41 AM
> *To:* Cisco VOIP
> *Subject:* [cisco-voip] collab edge dns/SSL cert
>
> Hello everyone!
>
> I'm getting an error kicked back from GoDaddy trying to sign my
> expressway-e cert, looking for a sanity check here.
>
> I'm setting up the external side as a cluster (of 1 currently), I'd like
> for my users to be able to sign in as usern...@domain.edu for MRA.
>
> dns:
> expressway-e is expe-cluster1-node1.domain.edu
> srv = _collab-edge._tls.domain.edu, sips._tcp.domain.edu both point to
> the expe-cluster1-node1
>
> exp-e cluster name is domain.edu
>
> on my CSR i have it set to generate a SAN for FQDN of expressway cluster
> plus FQDN of this peer, so:
>
> DNS:expe-cluster1-node1.domain.edu
> DNS:domain.edu
>
> GoDaddy kicks back an error saying "You can not add a SAN that is the same
> as the domain you are already using."
>
> Is my dns/SAN configuration incorrect or is this a deficiency with godaddy
> (standard UCC cert)? Or did I miss the boat completely (totally possible!)
>
> --
> Ed Leatherman

--
Ed Leatherman
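
The CSR check suggested in the thread can also be run locally with openssl; the following is an added example, not part of the original messages. It builds a constructed CSR with the SANs from the original post and flags any SAN that repeats the subject CN. The CN value is an assumption (the thread never states it), and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): list a CSR's CN and DNS SANs locally.

# Build a throwaway CSR. $1 = CN, $2 = subjectAltName value, $3 = output dir.
make_csr() {
  cat > "$3/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $1
[ext]
subjectAltName = $2
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$3/req.cnf" \
    -keyout "$3/req.key" -out "$3/req.csr" 2>/dev/null
}

# Subject common name of the PEM CSR in $1.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# DNS subjectAltName entries of the PEM CSR in $1, one per line.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

# SAN entries that repeat the CN (case-insensitive); prints nothing if none.
csr_dup_sans() {
  cn=$(csr_cn "$1" | tr '[:upper:]' '[:lower:]')
  csr_sans "$1" | tr '[:upper:]' '[:lower:]' | grep -Fx -- "$cn" || true
}

# Constructed sample: SANs from the original post; the CN is an assumption,
# since the thread never states which name the CSR used as its subject.
demo_dir=$(mktemp -d)
make_csr "domain.edu" \
  "DNS:expe-cluster1-node1.domain.edu,DNS:domain.edu" "$demo_dir"
echo "CN:   $(csr_cn "$demo_dir/req.csr")"
echo "SANs: $(csr_sans "$demo_dir/req.csr" | tr '\n' ' ')"
echo "SANs repeating the CN: $(csr_dup_sans "$demo_dir/req.csr")"
```

To check a real request, point `csr_cn`, `csr_sans` and `csr_dup_sans` at the PEM file exported from the Expressway instead of the constructed one.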