RE: Cisco Expressway Certificate

Hello,

My design has currently the following variables:

Clustername: cluster.customer.org

Node 1: node1.customer.org

Node 2: node2.customer.org

therefore the public certificate has to have the following settings:

Node1: CN=node1.customer.org SAN= node1.customer.org,cluster.customer.org

Node2: CN=node2.customer.org SAN=node2.customer.org,cluster.customer.org

Unified Communications Registration Domain : customer.org

All DNS Records are created.
cluster.customer.org = ,

node1.customer.org =

node2.customer.org =

When signing with ACME on node1 i get connection refused error from node2.customer.org, cluster.customer.org. It is not allowing me sign with SAN.

Please Help.

Regards
Faisal

Hi @faisal.memon

what does that mean? What’s a “signing with ACME”?

Where are all of your answers of the standard template?

Hi Juergen,
Cisco Expressway Series supports ACME protocol (Automate Certificate Management Environment) which enables automatic certificate signing and deployment from Let’s Encrypt. I am using Let’s Encrypt for Cisco Jabber Mobile Remote access.
Hope this helps. I don’t know how to answer questions on standard template.

Regards
Faisal

Your domain name is required to check your configuration.

Your question is unknown. What’s the problem? What are your error messages?

What means

Hello Juergen,
The domain name is colheli.com
cluster name is edgecluster.colheli.com
Node 1 : edge1.colheli.com
Node 2 : edge2.colheli.com.

On CSR,
I use edgecluster.colheli.com,
SAN edge1.colheli.com,edge2.colheli.com,colheli.com.

when signing certificate on edge1.colheli.com i get error message connection refused by edgecluster.colheli.com.

If i remove SAN and sign certificate with edge1.colheli.com it works. But with SAN it doesnot.

Regards
Faisal
Regards

Checking one of your domains there is no answer - https://check-your-website.server-daten.de/?q=edge1.colheli.com

There are some certificates created:

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2020-02-04 2020-05-04 edge1.colheli.com, edgecluster.colheli.com - 2 entries duplicate nr. 1
Let’s Encrypt Authority X3 2020-02-04 2020-05-04 edge1.colheli.com - 1 entries duplicate nr. 2
Let’s Encrypt Authority X3 2020-02-03 2020-05-03 colheli.com, edge1.colheli.com, edgecluster.colheli.com - 3 entries duplicate nr. 2
Let’s Encrypt Authority X3 2020-02-03 2020-05-03 colheli.com, edge1.colheli.com, edgecluster.colheli.com - 3 entries duplicate nr. 1
Let’s Encrypt Authority X3 2020-02-03 2020-05-03 edge1.colheli.com - 1 entries duplicate nr. 1

But checking your urls - Grade V:

Domainname Http-Status redirect Sec. G
http://edge1.colheli.com/
107.1.156.245 -2 1.587 V
ConnectFailure - Unable to connect to the remote server
https://edge1.colheli.com/
107.1.156.245 -2 1.583 V
ConnectFailure - Unable to connect to the remote server
http://edge1.colheli.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
107.1.156.245 -2 1.583 V
ConnectFailure - Unable to connect to the remote server
Visible Content:

You need a working port 80 / http. Same with all of your other domains.

But that’s a configuration problem of your system you have to fix before you can create a certificate.

PS: The edge2 has the “next” ip address. But the non-www has a completely different ip address.

Is there a redirect to one of the edge-Domains?

Normally: If you create a SAN-certificate via http-validation, all domains have the same ip address. I don’t know if your client supports such a configuration with different ip addresses.

It’s possible to create redirects. But I don’t see if this is your setup.

Hi Juergen,
Thank you for your reply. When i create certificate without SAN on edge1.colheli.com
it is successful. I face problem when i use clustername and name of peer which is edgecluster.colheli.com and edge2.colheli.com.
I am following steps are per this document.
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X12-5.pdf

Regards

Please read the shared output.

You have created a certificate with

edge1.colheli.com, edgecluster.colheli.com

So the certificate creation has already worked.

So do that again with edge2.

Hi Juergen,
I want to add common name edge2.colheli.com in edge1 certificate and that is where it is failing.
I really appreciate your help…
Regards

Please read my answer and check that.

If not, it’s not possible.

Thank you Juergen. I will check and update.

Regards

An alternative could be creating HTTP 301 redirects from /.well-known/acme-challenge on one host to /.well-known/acme-challenge on another, since Let’s Encrypt validation will follow this redirect.

1 Like

Thank you Schoen. I don’t know how to do that.

Regards

Thank you @JuergenAuer and @schoen. I got this working.

Regards

Hi @faisal.memon, can you let me know the solution… how you got it to work?

Hi Rohan
DNS A records are key for this to work. I got all required A records configured and it worked.

Regards

Faisal

To what IP did u resolve the cluster name? I mean which peer in the cluster?

For cluster i created CNAME record pointing to expressway edge.

Regards

Faisal

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.