Click through the error. Don't modify the CSR or take out SANs. The FQDN should be in the CN and SAN. I don't know why GoDaddy complains about that but I just ignore it and things are fine.

Justin

On Jun 1, 2015 1:49 PM, "Ed Leatherman" <ealeather...@gmail.com> wrote:
> Matt had it right with his suggestion of dumping the CSR into the decoder,
> although I wouldn't have recognized it as a problem.
>
> When Expressway generates the CSR it is adding a SAN entry that is
> identical to the CN. So it doesn't seem like having my root domain in there
> was the problem to begin with. According to the GoDaddy support person that
> was what was kicking the error - and apparently if you just click through
> the error it will generate the cert anyway; I'm assuming it will just leave
> out that offending SAN entry.
>
> I'll circle around once we have the verifications done and have a chance
> to upload it.
>
> On Mon, Jun 1, 2015 at 10:32 AM, Ed Leatherman <ealeather...@gmail.com> wrote:
>> I tried a different CSR with alternate names collab-edge.domain.edu and
>> expe.telecom.domain.edu, without the generic domain.edu, still same
>> error. I'll see what GoDaddy support tells me.
>>
>> On Mon, Jun 1, 2015 at 10:03 AM, Matthew Loraditch <mloradi...@heliontechnologies.com> wrote:
>>> It could be, depending on what exactly was ordered, but I know GoDaddy
>>> supports having the domain as a SAN. I have it on certs I've bought in the
>>> past month for Expressway and it's actually supposed to be there:
>>>
>>> http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5-1.pdf
>>>
>>> See pages 8 and 9. You can prefix collab-edge to the domain if you like,
>>> but if you are doing XMPP federation you need it anyway.
>>>
>>> Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA
>>> Network Engineer
>>> Direct Voice: 443.541.1518
>>> Facebook <https://www.facebook.com/heliontech?ref=hl> | Twitter <https://twitter.com/HelionTech> | LinkedIn <https://www.linkedin.com/company/helion-technologies?trk=top_nav_home> | G+ <https://plus.google.com/+Heliontechnologies/posts>
>>>
>>> From: Chris Ward (chrward) [mailto:chrw...@cisco.com]
>>> Sent: Monday, June 1, 2015 9:52 AM
>>> To: Matthew Loraditch; Ed Leatherman; Cisco VOIP
>>> Subject: RE: [cisco-voip] collab edge dns/SSL cert
>>>
>>> I think the problem is requesting your root domain. Some issuers won't
>>> issue root domain certs and the ones that do call them wildcard certs as
>>> they cover an entire domain (support for wildcard certs is somewhat
>>> limited).
>>>
>>> For example, if you were to go to https://cisco.com/ rather than
>>> https://www.cisco.com/ you would find that the first has an invalid SSL
>>> cert as Cisco doesn't have a root domain cert.
>>>
>>> For the very security savvy, it is considered to be inappropriate to use
>>> domain-level certs.
>>>
>>> Go with just the hostname of the Expressway and potentially an actual
>>> alternate hostname if you ever needed to provide an alternate DNS entry to
>>> reach the same Expressway. In either case, drop domain.edu. You don't
>>> need it and I suspect that's what GoDaddy is complaining about.
>>>
>>> +Chris
>>> TME - MediaSense and Unity Connection
>>>
>>> From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Matthew Loraditch
>>> Sent: Monday, June 01, 2015 9:44 AM
>>> To: Ed Leatherman; Cisco VOIP
>>> Subject: Re: [cisco-voip] collab edge dns/SSL cert
>>>
>>> https://www.sslshopper.com/csr-decoder.html
>>>
>>> Try dumping the CSR in there and see if you see something unexpected.
>>>
>>> Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA
>>> Network Engineer
>>> Direct Voice: 443.541.1518
>>>
>>> From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Ed Leatherman
>>> Sent: Monday, June 1, 2015 9:41 AM
>>> To: Cisco VOIP
>>> Subject: [cisco-voip] collab edge dns/SSL cert
>>>
>>> Hello everyone!
>>>
>>> I'm getting an error kicked back from GoDaddy trying to sign my
>>> expressway-e cert, looking for a sanity check here.
>>>
>>> I'm setting up the external side as a cluster (of 1 currently). I'd like
>>> for my users to be able to sign in as usern...@domain.edu for MRA.
>>>
>>> dns:
>>> expressway-e is expe-cluster1-node1.domain.edu
>>> srv = _collab-edge._tls.domain.edu , sips._tcp.domain.edu both point to
>>> the expe-cluster1-node1
>>>
>>> exp-e cluster name is domain.edu
>>>
>>> on my CSR I have it set to generate a SAN for FQDN of expressway cluster
>>> plus FQDN of this peer, so:
>>> DNS:expe-cluster1-node1.domain.edu
>>> DNS:domain.edu
>>>
>>> GoDaddy kicks back an error saying "You can not add a SAN that is the
>>> same as the domain you are already using."
>>>
>>> Is my dns/SAN configuration incorrect or is this a deficiency with
>>> GoDaddy (standard UCC cert)? Or did I miss the boat completely (totally
>>> possible!)
>>>
>>> --
>>> Ed Leatherman
>>
>> --
>> Ed Leatherman
>
> --
> Ed Leatherman
_______________________________________________ cisco-voip mailing list cisco-voip@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip
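The check Matthew suggests (decode the CSR and look at what is actually in it) done locally with openssl instead of a third-party web decoder, as an added example that is not part of the thread. It builds a CSR shaped the way Ed describes Expressway producing it, with the FQDN as the Subject CN and again as a SAN next to a second SAN, then extracts the CN and the dNSName entries and tests whether the CN is repeated as a SAN. That repetition is what the GoDaddy form objects to, but it is what current client software expects, since hostname matching is done against the SAN list and the CN is only a fallback. The hostnames are placeholders rather than the thread's real ones, and the key is a throwaway generated for the example.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce an Expressway-style CSR in
# which the FQDN appears both as the Subject CN and as a SAN, then decode it
# with openssl to see exactly what the CA sees.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Placeholder names, not the thread's real hosts.
CN="expe-cluster1-node1.example.edu"
SANS="DNS:expe-cluster1-node1.example.edu,DNS:example.edu"

# Minimal openssl request config: CN only in the DN, SANs as a request
# extension (the same shape Expressway's CSR generator produces).
cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $CN
[ext]
subjectAltName = $SANS
EOF

# Throwaway key; a real CSR is signed with the Expressway's own private key.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
  -out "$WORK/csr.pem" -config "$WORK/req.cnf" 2>/dev/null

# Subject CN of a CSR (handles both "CN = x" and "/CN=x" subject styles).
csr_cn() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# One dNSName SAN per line, as listed in the requested extensions.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}' \
    | tr ',' '\n' | sed 's/^ *DNS://'
}

# Exit status 0 when the CN is repeated as a SAN (the "duplicate" GoDaddy
# complains about; leave it in, clients match on the SAN list).
cn_in_sans() {
  cn=$(csr_cn "$1")
  csr_sans "$1" | grep -qx "$cn"
}

echo "CN:   $(csr_cn "$WORK/csr.pem")"
echo "SANs:"
csr_sans "$WORK/csr.pem" | sed 's/^/      /'
if cn_in_sans "$WORK/csr.pem"; then
  echo "CN is also present as a SAN"
fi
```

Run it against a real CSR by pointing `csr_cn`, `csr_sans` and `cn_in_sans` at the PEM file exported from the Expressway instead of the generated one; the decode is read-only and needs no private key.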