RE: Cisco Expressway Certificate


My design currently has the following variables:


Node 1:

Node 2:

Therefore the public certificate has to have the following settings:

Node1: SAN=,


Unified Communications Registration Domain :

All DNS Records are created. = , = =

When signing with ACME on node1 I get a connection refused error from , it is not allowing me to sign with the SAN.

Please Help.


Hi @faisal.memon

What does that mean? What is "signing with ACME"?

Where are all of your answers to the standard template?

Hi Juergen,
Cisco Expressway Series supports the ACME protocol (Automatic Certificate Management Environment), which enables automatic certificate signing and deployment from Let's Encrypt. I am using Let's Encrypt for Cisco Jabber Mobile Remote Access.
Hope this helps. I don't know how to answer the questions on the standard template.


Your domain name is required to check your configuration.

Your question is unknown. What’s the problem? What are your error messages?

What means

Hello Juergen,
The domain name is
cluster name is
Node 1 :
Node 2 :

I use,

When signing the certificate on I get the error message connection refused by

If I remove the SAN and sign the certificate with it works. But with the SAN it does not.


Checking one of your domains, there is no answer -

There are some certificates created:

Issuer                     | not before | not after  | Domain names   | LE-Duplicate    | next LE
Let's Encrypt Authority X3 | 2020-02-04 | 2020-05-04 | , - 2 entries  | duplicate nr. 1 |
Let's Encrypt Authority X3 | 2020-02-04 | 2020-05-04 | - 1 entries    | duplicate nr. 2 |
Let's Encrypt Authority X3 | 2020-02-03 | 2020-05-03 | ,, - 3 entries | duplicate nr. 2 |
Let's Encrypt Authority X3 | 2020-02-03 | 2020-05-03 | ,, - 3 entries | duplicate nr. 1 |
Let's Encrypt Authority X3 | 2020-02-03 | 2020-05-03 | - 1 entries    | duplicate nr. 1 |

But checking your URLs - Grade V:

Domainname | Http-Status                                                   | redirect | Sec.  | G
           | -2 ConnectFailure - Unable to connect to the remote server    |          | 1.587 | V
           | -2 ConnectFailure - Unable to connect to the remote server    |          | 1.583 | V
           | -2 ConnectFailure - Unable to connect to the remote server    |          | 1.583 | V
Visible Content:

You need a working port 80 / http. Same with all of your other domains.

But that's a configuration problem of your system that you have to fix before you can create a certificate.

PS: The edge2 has the "next" IP address. But the non-www has a completely different IP address.

Is there a redirect to one of the edge-Domains?

Normally: if you create a SAN certificate via http-validation, all domains have the same IP address. I don't know if your client supports such a configuration with different IP addresses.

It’s possible to create redirects. But I don’t see if this is your setup.

Hi Juergen,
Thank you for your reply. When I create a certificate without SAN on
it is successful. I face the problem when I use the cluster name and the name of the peer, which are and
I am following the steps as per this document.


Please read the shared output.

You have created a certificate with,

So the certificate creation has already worked.

So do that again with edge2.

Hi Juergen,
I want to add common name in edge1 certificate and that is where it is failing.
I really appreciate your help…

Please read my answer and check that.

If not, it’s not possible.

Thank you Juergen. I will check and update.


An alternative could be creating HTTP 301 redirects from /.well-known/acme-challenge on one host to /.well-known/acme-challenge on another, since Let’s Encrypt validation will follow this redirect.

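The three failure modes raised above, JuergenAuer's "you need a working port 80 on every name", his note that all SAN names normally resolve to the same IP, and schoen's redirect suggestion, can all be checked before the Expressway is asked to sign. The script below is an added example and is not code from this thread, from Cisco, or from Let's Encrypt. The host names (edge1.example.com, edge2.example.com, expressway.example.com) and the token "tok" are constructed assumptions; the built-in sample DNS and HTTP answers are likewise constructed so the checker runs offline. Against real hosts, call `check_san` with the default resolver and fetcher.

```python
"""Pre-flight checker for an HTTP-01 SAN certificate request (added example).

For every name that will go into the SAN list it reports:
  1. the addresses the name resolves to, and whether all names share one set;
  2. whether anything answers on port 80 (a refused connection is the
     symptom seen in the thread);
  3. if the host answers with a redirect, whether Let's Encrypt's HTTP-01
     validator would follow it: only http/https on port 80/443. The path
     check is stricter than Let's Encrypt requires and enforces the
     one-to-one /.well-known/acme-challenge mapping suggested in the thread.
"""
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ACME_PATH = "/.well-known/acme-challenge/"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses (as HTTPError) instead of following."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def default_resolve(host):
    """Return the sorted set of addresses for host, or [] if it does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 80)})
    except socket.gaierror:
        return []


def default_fetch(url):
    """GET url without following redirects.

    Returns (status, location) where status is an int HTTP code, or
    ("refused", None) when the TCP connection itself fails.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx
        return err.code, err.headers.get("Location")
    except (urllib.error.URLError, OSError):
        return "refused", None


def redirect_is_followable(location, token):
    """True if the validator would follow this redirect and land on the
    same challenge path: absolute http(s) URL, port 80/443 or default."""
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.port not in (None, 80, 443):
        return False
    return parts.path == ACME_PATH + token


def check_san(hosts, token, resolve=default_resolve, fetch=default_fetch):
    """Return {"hosts": {name: {"ips": [...], "verdict": str}}, "same_ip": bool}."""
    per_host = {}
    for host in hosts:
        ips = resolve(host)
        status, location = fetch(f"http://{host}{ACME_PATH}{token}")
        if status == "refused":
            verdict = "FAIL: nothing answers on port 80 (fix DNS/firewall/listener first)"
        elif isinstance(status, int) and 300 <= status < 400:
            if location and redirect_is_followable(location, token):
                verdict = "ok: redirect LE will follow -> " + location
            else:
                verdict = f"FAIL: redirect LE will not follow -> {location}"
        elif status == 404:
            verdict = "ok: port 80 reachable; 404 is expected until the challenge is placed"
        else:
            verdict = f"ok: port 80 reachable (HTTP {status})"
        per_host[host] = {"ips": ips, "verdict": verdict}
    ip_sets = {tuple(r["ips"]) for r in per_host.values()}
    return {"hosts": per_host, "same_ip": len(ip_sets) == 1 and () not in ip_sets}


# Constructed sample (not real hosts): edge1 answers on port 80, the cluster
# name redirects to edge1's challenge path, edge2 resolves elsewhere and
# refuses port 80, which is the thread's failing case.
SAMPLE_HOSTS = ["edge1.example.com", "expressway.example.com", "edge2.example.com"]
SAMPLE_DNS = {
    "edge1.example.com": ["192.0.2.10"],
    "expressway.example.com": ["192.0.2.10"],
    "edge2.example.com": ["192.0.2.11"],
}
SAMPLE_HTTP = {
    "http://edge1.example.com/.well-known/acme-challenge/tok": (404, None),
    "http://expressway.example.com/.well-known/acme-challenge/tok":
        (301, "http://edge1.example.com/.well-known/acme-challenge/tok"),
    "http://edge2.example.com/.well-known/acme-challenge/tok": ("refused", None),
}


def sample_resolve(host):
    return SAMPLE_DNS.get(host, [])


def sample_fetch(url):
    return SAMPLE_HTTP.get(url, ("refused", None))


if __name__ == "__main__":
    report = check_san(SAMPLE_HOSTS, "tok", resolve=sample_resolve, fetch=sample_fetch)
    for name, r in report["hosts"].items():
        print(f"{name:25} {r['ips']!s:18} {r['verdict']}")
    print("all names share one address set:", report["same_ip"])
```

Run it once with the sample data to see the shape of the report, then again as `check_san(your_names, "anytoken")` from a machine outside your network; every line must read "ok" and `same_ip` should be True (or every redirect must be one the validator follows) before the Expressway's ACME request with the full SAN list has a chance of succeeding.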

Thank you Schoen. I don’t know how to do that.


Thank you @JuergenAuer and @schoen. I got this working.


Hi @faisal.memon, can you let me know the solution… how you got it to work?

Hi Rohan
DNS A records are key for this to work. I got all required A records configured and it worked.



To what IP did you resolve the cluster name? I mean which peer in the cluster?

For the cluster I created a CNAME record pointing to the Expressway edge.


