Thanks for the reply and cliff notes about the setup. My security team has 
concerns with having port 80 open to facilitate the Let's Encrypt process. 
Documentation states something about allowing the built-in protections without 
giving much info on what those protections are.

I would love to be able to set it and forget it.

From: Anthony Holloway <avholloway+cisco-v...@gmail.com>
Sent: Friday, April 17, 2020 4:23 PM
To: Riley, Sean <sri...@robinsonbradshaw.com>
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] Renewing Expressway E Cert

This might be an unpopular opinion, but I think using the free certs provided 
by let's encrypt, coupled with it being automatic from now on, it's just an 
unbeatable combination.

Here are my cliff notes:

Reference Document:
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_certificate-creation-use-deployment-guide/exwy_b_certificate-creation-use-deployment-guide_chapter_0100.html

High Level Steps:

  1.  Expressway 12.5.7 to avoid ACMEv1 vs ACMEv2 registration issues 
(https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr82346)
  2.  For your Unified CM registration domains don't use the parent domain only 
(e.g., company.com), switch to CollabEdgeDNS format instead 
(e.g., collab-edge.company.com), because you'll need that in the next step
  3.  DNS A records for the Expressway-E FQDN and the CM registration domains
  4.  Upload the root and intermediates for Let’s Encrypt (needed on both 
Expressway-E and Expressway-C) (certs are linked in documentation)
  5.  Enable the ACME client on Expressway-E and supply any email address you 
want to link to this registration (This creates your account with Let’s Encrypt)
  6.  Generate a new CSR (Server Certificate Only, Domain Cert Was Not Needed)
  7.  Click button to Submit CSR to ACME
  8.  Click button to Deploy New Certificate on Expressway-E (documentation 
states this is non-service impacting)
  9.  Set up the automatic scheduler so you never have to deal with this again
  10. Sit back, relax and enjoy free shit



On Fri, Apr 17, 2020 at 1:43 PM Riley, Sean <sri...@robinsonbradshaw.com> wrote:
We had our Cisco partner set up our Expressways a couple of years ago. It is a 
cluster with 2 E's and 2 C's currently at v 12.5.7 used for MRA. I have been 
managing them, installing updates, troubleshooting etc. The public Edge cert 
is up for renewal. Can anyone provide advice on renewing this cert? I am 
planning on just renewing with the same cert provider, but was interested in 
whether there is anything to watch out for. For example, will there be a service 
interruption when replacing the cert? Or just install the new cert/pk and rest 
easy?

Thanks in advance.

Sean.
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
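After the scheduler in step 9 is in place, the thing to verify is what the Expressway-E actually serves: that every name MRA clients will contact (the Expressway-E FQDN and the collab-edge registration domain from step 2) is in the SAN list, that the leaf really comes from Let's Encrypt, and that the automatic renewal is keeping expiry far enough away. The script below is an added example written for this thread, not Cisco's or the list's code; the hostnames are placeholders and the sample certificate dict is constructed to mirror what Python's `ssl.getpeercert()` returns.

```python
"""Post-deployment check of the certificate an Expressway-E presents (added
example; hostnames are placeholders, the sample cert below is constructed)."""
import socket
import ssl
import time

def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch the leaf cert of `host` as the dict ssl.getpeercert() produces."""
    ctx = ssl.create_default_context()  # validates the chain, so the LE intermediates must be served
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_covers(san_entry, name):
    """True when a DNS SAN entry (exact, or one-label wildcard) covers `name`."""
    san_entry, name = san_entry.lower(), name.lower()
    if san_entry.startswith("*."):
        return name.count(".") == san_entry.count(".") and name.endswith(san_entry[1:])
    return san_entry == name

def evaluate(cert, required_names, now=None, min_days=20):
    """Summarise SAN coverage, issuer and days to expiry for a getpeercert() dict."""
    now = time.time() if now is None else now
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    missing = [n for n in required_names if not any(san_covers(s, n) for s in sans)]
    issuer = dict(item for rdn in cert["issuer"] for item in rdn)
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    return {
        "missing_names": missing,
        "issuer_org": issuer.get("organizationName"),
        "lets_encrypt": issuer.get("organizationName") == "Let's Encrypt",
        "days_left": round(days_left, 1),
        "renewal_ok": days_left >= min_days,  # ACME scheduler should renew before this
    }

# Constructed sample: a 90-day Let's Encrypt leaf as seen on 17 Apr 2020.
SAMPLE_CERT = {
    "subject": ((("commonName", "expe1.company.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X3"),)),
    "notAfter": "Jul 16 12:00:00 2020 GMT",
    "subjectAltName": (("DNS", "expe1.company.com"), ("DNS", "expe2.company.com"),
                       ("DNS", "collab-edge.company.com")),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Apr 17 12:00:00 2020 GMT")

def check_sample():
    """Run evaluate() against the constructed sample (offline demo)."""
    return evaluate(SAMPLE_CERT, ["expe1.company.com", "collab-edge.company.com"], SAMPLE_NOW)

if __name__ == "__main__":
    print(check_sample())  # swap in evaluate(fetch_peer_cert("expe1.company.com"), [...]) for a live check
```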