Solved: Expressway E for MRA with ACME/LetsEncrypt

Clifford McGlamry · ‎09-19-2022

According to the Expressway Certificate usage guide, the Expressway E on an MRA setup needs:

1. Its own FQDN

2. The name of the registration domain

In order to get this working with LetsEncrypt, I have to have DNS a records for expressway.mydomain.com and mydomain.com pointing to the IP address of the Expressway E.

How the heck are you going to pull this off? That registration domain is also the company root domain, and it's pointed elsewhere. This cannot be a unique problem. How do you work around it? Or will it work with just the FQDN???

b.winter · ‎09-20-2022

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X14-0-2/cert_creation_use/exwy_b_certificate-creation-and-use-deployment-guide-x1402/exwy_b_certificate-creation-use-deployment-guide_chapter_0100.html

View solution in original post

b.winter · ‎09-20-2022

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X14-0-2/cert_creation_use/exwy_b_certificate-creation-and-use-deployment-guide-x1402/exwy_b_certificate-creation-use-deployment-guide_chapter_0100.html

Clifford McGlamry · ‎09-20-2022

That did it. I don't recall seeing that caveat in the 12.7 guides.

b.winter · ‎09-20-2022

Glad to hear that it worked.

"I don't recall seeing that caveat in the 12.7 guides." - Yes/No. That kind of info was already there since ages. But I didn't really had an impact anywhere else than on the certificate's SAN entries.
You could choose to include the registration domain either as it is (e.g. "cisco.com") or with the prefix "collab-edge" (e.g. "collab-edge.cisco.com"). Depending on, if it is allowed by the CA to include the public domain.
But there never had to be a DNS record for that in regards to Expressway.