rolelael
Beginner

AsyncOS 14 & FQDN compliance checked (in certificates)

I looked at the new setting in Network | Certificates, Settings: FQDN Compliance Checked. This is disabled by default.

But when I enable it in our acceptance environment, it gives me a validation error:

Validation Error: A valid domain name is a string that must match the following rules: - A label is a set of characters or numbers or dashes - The first and last character of a label must be a letter or a number - The last label cannot be all numbers - Must be having at least domain and top level domain (example: cisco.com) - Must not be only top level domain (example: .com) - Must not be only hostname (example: www) - wildcard "*" should be first character followed by "." - Must be resolvable

I do not understand this. Our common names in our certs are resolvable. I presume the common name is checked here?

In our example, a certificate with common name: cmail120.acc.xxx.com (replaced the ... with xxx)

nslookup on our appliance gives us 3 IPs for this common name (so it resolves):

A=193.x.x.1 TTL=3h 54m 4s
A=193.x.x.2 TTL=3h 54m 4s
A=193.x.x.3 TTL=3h 54m 4s

Also resolves on external DNS lookup.

So I'm a bit confused what this FQDN validation means/does and why it fails.

Thanks
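
A checker that implements the rule list from that validation error, added here as an illustration and not Cisco's own validator: it applies the syntax rules to the CN and each SAN, then calls a resolver (a plain socket.getaddrinfo lookup by default, replaceable for offline use). The host names are constructed stand-ins for the cmail120.acc.xxx.com style names in the post.

```python
import re
import socket
from typing import Callable, Dict, Iterable, List

# One label: letters, digits or dashes; first and last character alphanumeric.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")

def resolves(name: str) -> bool:
    """Default resolver: True if the name has at least one A/AAAA record."""
    try:
        return bool(socket.getaddrinfo(name, None))
    except socket.gaierror:
        return False

def fqdn_violations(name: str, resolver: Callable[[str], bool] = resolves) -> List[str]:
    """Return the rules from the AsyncOS error text that NAME breaks ([] means valid)."""
    host = name
    if "*" in name:  # wildcard: "*" must be the first character, followed by "."
        if not name.startswith("*.") or "*" in name[2:]:
            return ['wildcard "*" must be the first character followed by "."']
        host = name[2:]
    labels = host.split(".")
    if labels[0] == "":
        return ["must not be only a top-level domain (example: .com)"]
    if len(labels) < 2:
        return ["must not be only a hostname (example: www)"]
    problems = [f"bad label {lbl!r}" for lbl in labels if not LABEL_RE.match(lbl)]
    if labels[-1].isdigit():
        problems.append("last label cannot be all numbers")
    # Resolution is only worth testing once the syntax rules pass (the wildcard
    # prefix is dropped first, since "*" itself is never a DNS name).
    if not problems and not resolver(host):
        problems.append("must be resolvable")
    return problems

def check_certificate_names(cn: str, sans: Iterable[str],
                            resolver: Callable[[str], bool] = resolves) -> Dict[str, List[str]]:
    """Apply the rule set to the CN and every SAN, as the feature is described in the thread."""
    return {n: fqdn_violations(n, resolver) for n in [cn, *sans]}

if __name__ == "__main__":
    # Constructed stand-ins for the poster's cmail120.acc.xxx.com style names.
    report = check_certificate_names("cmail120.acc.example.com",
                                     ["mail122.acc.example.com", "*.acc.example.com"])
    for name, issues in report.items():
        print(name, "OK" if not issues else issues)
```

Running it against a real certificate shows which of the eight rules a given CN or SAN trips, which is the detail the appliance's single error message does not reveal.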
Mathew Huynh
Cisco Employee

Hey rolelael,

It is my understanding this FQDN validator in the certificates itself checks the CN/SAN portion:

- Checks if it's a valid FQDN in the CN and/or SAN entries (i.e. name formatting)
- Checks if the CN / SAN entries resolve to any IP

For the certificate you're checking, can you confirm these items?

Thanks,

Mathew

I'm sure the formatting is correct, but it gives me:

Validation Error: A valid domain name is a string that must match the following rules: - A label is a set of characters or numbers or dashes - The first and last character of a label must be a letter or a number - The last label cannot be all numbers - Must be having at least domain and top level domain (example: cisco.com) - Must not be only top level domain (example: .com) - Must not be only hostname (example: www) - wildcard "*" should be first character followed by "." - Must be resolvable

certificate name (label): cmail-o365

common name: cmail120.xxx.yyy.com

domains: cmail120.xx.yyy.com, mail122.xxx.yyy.com, mail140.xxx.yyy.com, mail123.xxx.yyy.com

All is resolvable on the SEG itself... very strange.

Yep, that is a bit strange that there's the error.

I wonder if it's perhaps an unintended behaviour; if so, we would need TAC to validate.

Is this a self-signed or CA-signed cert, if I can ask?

Thanks,

Mathew

CA signed -> DigiCert

Mathew Huynh
Cisco Employee

Hey rolelael,

Okay - that's indeed an issue, likely on the device I would imagine.

I can't see anything in the outputs you shared that would qualify as an issue on FQDN compliance.

My only comment at this point is to engage Cisco TAC to ensure the functionality is working as expected.

Thanks,

Mathew