AsyncOS 14 & FQDN compliance checked ( in certificates )

rolelael
Level 1

I looked at the new setting under Network | Certificates, Settings: FQDN Compliance Checked. This is disabled by default.

 

But when I enable it in our acceptance environment, it gives me a validation error

 

Validation Error: A valid domain name is a string that must match the following rules: - A label is a set of characters or numbers or dashes - The first and last character of a label must be a letter or a number - The last label cannot be all numbers - Must be having at least domain and top level domain (example: cisco.com) - Must not be only top level domain (example: .com) - Must not be only hostname (example: www) - wildcard "*" should be first character followed by "." - Must be resolvable

 

I do not understand this. Our common names in our certs are resolvable. I presume the common name is checked here?

 

In our example, a certificate with common name: cmail120.acc.xxx.com (replaced the ... with xxx)

 

nslookup on our appliance gives us 3 IPs for this common name (so it resolves):

 

A=193.x.x.1 TTL=3h 54m 4s
A=193.x.x.2 TTL=3h 54m 4s
A=193.x.x.3 TTL=3h 54m 4s

Also resolves on an external DNS lookup.

 

So I am a bit confused about what this FQDN validation means/does and why it fails.

 

Thanks

 


Mathew Huynh
Cisco Employee

Hey rolelael,


It is my understanding this FQDN validator in the certificates itself checks the CN/SAN portion.

 

- Checks if it's a valid FQDN in the CN and/or SAN entries (i.e. name formatting)

- Checks if the CN/SAN entries resolve to any IP

 

For the certificate you're checking; can you confirm these items?

 

Thanks,

Mathew
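To make the two checks Mathew describes concrete, here is an added example (not AsyncOS code, and not from anyone in this thread) that implements the format rules quoted in the validation error and runs them over a CN plus SAN list the way the thread says the validator does. The 63-character label limit and the "Constructed Intermediate CA" name are assumptions added here; the DNS step is kept separate so the format check can run offline.

```python
import re
import socket

# One DNS label: letters, digits or dashes, first and last character alphanumeric.
# The 63-character cap is the DNS limit, not something the error text states (assumption).
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_fqdn_format(name: str) -> list:
    """Return the rule violations for `name`; an empty list means the format passes.

    Covers every rule in the quoted error except "must be resolvable",
    which is a DNS lookup handled by resolves() below.
    """
    problems = []
    if name.startswith("*."):                     # wildcard only as a leading "*."
        name = name[2:]
    elif "*" in name:
        problems.append('wildcard "*" must be the first character followed by "."')
    labels = name.split(".")
    if len(labels) < 2:                           # "www" alone is only a hostname
        problems.append("must have at least a domain and a top level domain")
    if labels[0] == "":                           # ".com" is only a top level domain
        problems.append("must not be only a top level domain")
    for label in labels:
        if not _LABEL_RE.match(label):
            problems.append(f"label {label!r} is not letters/digits/dashes with alphanumeric ends")
    if labels[-1].isdigit():
        problems.append("the last label cannot be all numbers")
    return problems


def check_certificate_names(common_name: str, sans=()) -> dict:
    """Run the format check over the CN and every SAN, as the thread says the validator does."""
    return {n: check_fqdn_format(n) for n in (common_name, *sans)}


def resolves(name: str) -> bool:
    """The final rule: does the name resolve? A wildcard is checked on its base domain."""
    host = name[2:] if name.startswith("*.") else name
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    # Names from the thread (xxx/yyy are the poster's own placeholders) pass the format rules.
    print(check_certificate_names("cmail120.xxx.yyy.com", ["mail122.xxx.yyy.com"]))
    # A typical CA-style CN (constructed here) has spaces and no TLD, so it fails the same rules,
    # which is consistent with the later observation that intermediates trip the check.
    print(check_fqdn_format("Constructed Intermediate CA"))
```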

 

I'm sure the formatting is correct but it gives me :

 

Validation Error: A valid domain name is a string that must match the following rules: - A label is a set of characters or numbers or dashes - The first and last character of a label must be a letter or a number - The last label cannot be all numbers - Must be having at least domain and top level domain (example: cisco.com) - Must not be only top level domain (example: .com) - Must not be only hostname (example: www) - wildcard "*" should be first character followed by "." - Must be resolvable

 

certificate name ( label ) cmail-o365

 

common name : cmail120.xxx.yyy.com

 

domains : cmail120.xx.yyy.com,mail122.xxx.yyy.com,mail140.xxx.yyy.com,mail123.xxx.yyy.com

 

All is resolvable on the SEG itself... very strange.

Yep that is a bit strange that there's the error.

I wonder if it's perhaps an unintended behaviour; if so we would need TAC to validate.

 

Is this a self signed or CA signed cert if I can ask?

 

Thanks,

Mathew

CA signed -> DigiCert

Mathew Huynh
Cisco Employee

Hey Rolelael,

 

Okay - that's indeed an issue likely on the device I would imagine.

I can't see any issues immediately from the outputs you shared that would qualify as an issue on FQDN compliance.

 

My only comment at this point is to engage Cisco TAC to ensure the functionality is working as expected.

 

Thanks,

Mathew

Igor155
Level 1

I believe the ESA is attempting to validate the FQDN of intermediate certificates as well, because I'm able to pass the validation once there is no intermediate certificate.