[cisco-voip] collab edge dns/SSL cert
Hello everyone! I'm getting an error kicked back from GoDaddy trying to sign my expressway-e cert, looking for a sanity check here. I'm setting up the external side as a cluster (of 1 currently). I'd like for my users to be able to sign in as usern...@domain.edu for MRA.

DNS:
  expressway-e is expe-cluster1-node1.domain.edu
  srv = _collab-edge._tls.domain.edu, sips._tcp.domain.edu both point to the expe-cluster1-node1
  exp-e cluster name is domain.edu

On my CSR I have it set to generate a SAN for the FQDN of the expressway cluster plus the FQDN of this peer, so:
  DNS:expe-cluster1-node1.domain.edu
  DNS:domain.edu

GoDaddy kicks back an error saying "You can not add a SAN that is the same as the domain you are already using."

Is my DNS/SAN configuration incorrect or is this a deficiency with GoDaddy (standard UCC cert)? Or did I miss the boat completely (totally possible!)

--
Ed Leatherman
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
Re: [cisco-voip] collab edge dns/SSL cert
I tried a different CSR with alternate names collab-edge.domain.edu and expe.telecom.domain.edu, without the generic domain.edu, still same error. I'll see what GoDaddy support tells me.

On Mon, Jun 1, 2015 at 10:03 AM, Matthew Loraditch <mloradi...@heliontechnologies.com> wrote:
> It could be depending on what exactly was ordered, but I know godaddy supports having the domain as a SAN. [...]

--
Ed Leatherman
Re: [cisco-voip] collab edge dns/SSL cert
https://www.sslshopper.com/csr-decoder.html

Try dumping the CSR in there and see if you see something unexpected.

Matthew G. Loraditch – CCNP-Voice, CCNA-RS, CCDA
Network Engineer
Direct Voice: 443.541.1518
Facebook https://www.facebook.com/heliontech?ref=hl | Twitter https://twitter.com/HelionTech | LinkedIn https://www.linkedin.com/company/helion-technologies?trk=top_nav_home | G+ https://plus.google.com/+Heliontechnologies/posts

From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Ed Leatherman
Sent: Monday, June 1, 2015 9:41 AM
To: Cisco VOIP
Subject: [cisco-voip] collab edge dns/SSL cert
> Hello everyone! I'm getting an error kicked back from GoDaddy trying to sign my expressway-e cert, looking for a sanity check here. [...]
Re: [cisco-voip] collab edge dns/SSL cert
It could be depending on what exactly was ordered, but I know GoDaddy supports having the domain as a SAN. I have it on certs I've bought in the past month for Expressway and it's actually supposed to be there:

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5-1.pdf

See pages 8 and 9. You can prefix collab-edge to the domain if you like, but if you are doing XMPP federation you need it anyway.

Matthew G. Loraditch – CCNP-Voice, CCNA-RS, CCDA

From: Chris Ward (chrward) [mailto:chrw...@cisco.com]
Sent: Monday, June 1, 2015 9:52 AM
To: Matthew Loraditch; Ed Leatherman; Cisco VOIP
Subject: RE: [cisco-voip] collab edge dns/SSL cert
> I think the problem is requesting your root domain. [...]
Re: [cisco-voip] collab edge dns/SSL cert
I think the problem is requesting your root domain. Some issuers won't issue root domain certs, and the ones that do call them wildcard certs as they cover an entire domain (support for wildcard certs is somewhat limited). For example, if you were to go to https://cisco.com/ rather than https://www.cisco.com/ you would find that the first has an invalid SSL cert as Cisco doesn't have a root domain cert. For the very security savvy, it is considered to be inappropriate to use domain-level certs.

Go with just the hostname of the Expressway and potentially an actual alternate hostname if you ever needed to provide an alternate DNS entry to reach the same Expressway. In either case, drop domain.edu. You don't need it and I suspect that's what GoDaddy is complaining about.

+Chris
TME - MediaSense and Unity Connection

From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Matthew Loraditch
Sent: Monday, June 01, 2015 9:44 AM
To: Ed Leatherman; Cisco VOIP
Subject: Re: [cisco-voip] collab edge dns/SSL cert
> https://www.sslshopper.com/csr-decoder.html Try dumping the csr in there and see if you see something unexpected. [...]
Re: [cisco-voip] collab edge dns/SSL cert
Matt had it right with his suggestion of dumping the CSR into the decoder, although I wouldn't have recognized it as a problem. When Expressway generates the CSR it is adding a SAN entry that is identical to the CN. So it doesn't seem like having my root domain in there was the problem to begin with. According to the GoDaddy support person that was what was kicking the error - and apparently if you just click through the error it will generate the cert anyway; I'm assuming it will just leave out that offending SAN entry. I'll circle around once we have the verifications done and have a chance to upload it.

On Mon, Jun 1, 2015 at 10:32 AM, Ed Leatherman <ealeather...@gmail.com> wrote:
> I tried a different CSR with alternate names collab-edge.domain.edu and expe.telecom.domain.edu, without the generic domain.edu, still same error. [...]

--
Ed Leatherman
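To see locally what ends up in a request like the one Ed describes, here is an added example (not from anyone in the thread) that builds a CSR with the thread's placeholder hostnames and inspects the CN and SAN list with openssl, the same check the sslshopper decoder performs; the helper functions are my own and the key is a throwaway.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the request shape Expressway-E
# produces (CN = this peer's FQDN, SANs = cluster FQDN + peer FQDN) and inspect
# the SAN list locally with openssl, the same check sslshopper's decoder does.
# Hostnames are the thread's placeholders; the key is throwaway.
set -eu

# make_csr CN "DNS:a,DNS:b" OUT_PEM : write a CSR with the given CN and SANs.
make_csr() {
  cn="$1"; sans="$2"; out="$3"
  workdir=$(mktemp -d)
  cat > "$workdir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no
[ dn ]
CN = $cn
[ ext ]
subjectAltName = $sans
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$workdir/key.pem" \
    -out "$out" -config "$workdir/req.cnf" 2>/dev/null
  rm -rf "$workdir"
}

# csr_cn CSR : print the Common Name of the request.
csr_cn() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_sans CSR : print the DNS SANs of the request, one per line.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cn_in_sans CSR : succeed if the CN is repeated in the SAN list, which is the
# duplicate GoDaddy's form objected to. The request is still well-formed:
# RFC 6125 clients match hostnames against SANs, so the peer FQDN belongs there.
cn_in_sans() {
  csr_sans "$1" | grep -Fxq "$(csr_cn "$1")"
}

# Demo: Ed's two-SAN request. Expect both SANs and the CN-in-SAN flag.
demo=$(mktemp)
make_csr expe-cluster1-node1.domain.edu \
  "DNS:expe-cluster1-node1.domain.edu,DNS:domain.edu" "$demo"
echo "CN:   $(csr_cn "$demo")"
echo "SANs: $(csr_sans "$demo" | tr '\n' ' ')"
if cn_in_sans "$demo"; then echo "CN is repeated in the SAN list"; fi
rm -f "$demo"
```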
Re: [cisco-voip] collab edge dns/SSL cert
Click through the error. Don't modify the CSR or take out SANs. The FQDN should be in the CN and SAN. I don't know why GoDaddy complains about that but I just ignore it and things are fine.

Justin

On Jun 1, 2015 1:49 PM, Ed Leatherman <ealeather...@gmail.com> wrote:
> Matt had it right with his suggestion of dumping the CSR into the decoder, although I wouldn't have recognized it as a problem. [...]