05-26-2021 11:39 AM
I looked at the new setting in Network | Certificates, Settings: FQDN Compliance Checked. This is disabled by default.
But when I enable it in our acceptance environment, it gives me a validation error
Validation Error: A valid domain name is a string that must match the following rules:
- A label is a set of characters or numbers or dashes
- The first and last character of a label must be a letter or a number
- The last label cannot be all numbers
- Must be having at least domain and top level domain (example: cisco.com)
- Must not be only top level domain (example: .com)
- Must not be only hostname (example: www)
- wildcard "*" should be first character followed by "."
- Must be resolvable
I do not understand this. Our common names in our certs are resolvable. I presume the common name is checked here?
In our example, a certificate with common name cmail120.acc.xxx.com (replaced the ... with xxx).
nslookup on our appliance gives us 3 IPs for this common name (so it resolves):
A=193.x.x.1 TTL=3h 54m 4s
A=193.x.x.2 TTL=3h 54m 4s
A=193.x.x.3 TTL=3h 54m 4s
Also resolves on external DNS lookup.
So I'm a bit confused about what this FQDN validation means/does and why it fails.
Thanks
06-27-2021 08:11 PM
Hey rolelael,
It is my understanding this FQDN validator in the certificates itself checks the CN/SAN portion.
- Checks if it's a valid FQDN in the CN and/or SAN entries (i.e. name formatting)
- Checks if the CN/SAN entries resolve to any IP
For the certificate you're checking; can you confirm these items?
Thanks,
Mathew
06-29-2021 12:14 AM
I'm sure the formatting is correct, but it gives me:
Validation Error: A valid domain name is a string that must match the following rules:
- A label is a set of characters or numbers or dashes
- The first and last character of a label must be a letter or a number
- The last label cannot be all numbers
- Must be having at least domain and top level domain (example: cisco.com)
- Must not be only top level domain (example: .com)
- Must not be only hostname (example: www)
- wildcard "*" should be first character followed by "."
- Must be resolvable
certificate name (label): cmail-o365
common name: cmail120.xxx.yyy.com
domains: cmail120.xx.yyy.com, mail122.xxx.yyy.com, mail140.xxx.yyy.com, mail123.xxx.yyy.com
All is resolvable on the SEG itself... very strange.
06-29-2021 12:25 AM
Yep that is a bit strange that there's the error.
I wonder if it's perhaps an unintended behaviour; if so we would need TAC to validate.
Is this a self-signed or CA-signed cert, if I can ask?
Thanks,
Mathew
06-29-2021 12:27 AM
CA signed -> DigiCert
06-29-2021 04:42 PM
Hey Rolelael,
Okay - that's indeed likely an issue on the device, I would imagine.
I can't see anything in the outputs you shared that would qualify as an FQDN compliance issue.
My only comment at this point is to engage Cisco TAC to ensure the functionality is working as expected.
Thanks,
Mathew
07-20-2022 09:19 AM
I believe the ESA is attempting to validate the FQDN of intermediate certificates as well, because I'm able to pass the validation once there is no intermediate certificate.
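The rule list quoted in the validation error, together with the per-certificate behaviour the last reply describes, as an added example that is not from the thread or from Cisco's own code: a small Python checker that applies each syntactic rule and treats "must be resolvable" as a pluggable callback, so the demo runs offline while a live DNS lookup can be swapped in. The leaf hostname and the intermediate-CA-style subject are constructed sample values, not the poster's real names.

```python
import re
import socket

# Constructed sample subjects (not the poster's real names): a leaf CN and an
# intermediate-CA-style CN that is a descriptive name, not an FQDN.
LEAF_CN = "cmail120.acc.example.com"
INTERMEDIATE_CN = "Example Issuing CA 2020 G1"

# One label: letters/digits/dashes, first and last character alphanumeric.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")

def fqdn_syntax_errors(name: str) -> list:
    """Apply the syntactic rules listed in the ESA validation error.
    Returns the violated rules; an empty list means the name is compliant."""
    errors = []
    if name.startswith("*"):
        # Wildcard rule: '*' must be the first character and be followed by '.'
        if not name.startswith("*."):
            errors.append('wildcard "*" must be followed by "."')
        name = name[2:] if name.startswith("*.") else name[1:]
    labels = name.split(".")
    if len(labels) < 2 or "" in labels:
        # Rejects ".com" (empty label), "www" (single label), doubled/trailing dots.
        errors.append("must have at least a domain and a top-level domain")
    for label in labels:
        if label and not LABEL_RE.match(label):
            errors.append(f"label {label!r} is not letters/digits/dashes with alphanumeric ends")
    if labels[-1].isdigit():
        errors.append("last label cannot be all numbers")
    return errors

def dns_resolves(name: str) -> bool:
    """Live resolvability check (needs network); the tests use stub resolvers instead."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def fqdn_compliant(name: str, resolver=None) -> list:
    """Full check: syntax first, then the 'must be resolvable' rule via `resolver`,
    a callable name -> bool (pass dns_resolves for a real lookup)."""
    errors = fqdn_syntax_errors(name)
    if not errors and resolver is not None and not resolver(name):
        errors.append("must be resolvable")
    return errors

def check_chain(subject_cns, resolver=None) -> dict:
    """Check every certificate subject in a chain (as the last reply suggests the
    appliance does); returns {cn: errors} for the subjects that fail."""
    return {cn: errs for cn in subject_cns if (errs := fqdn_compliant(cn, resolver))}
```

With a resolver that always answers true, the leaf subject passes every rule, while the intermediate-style subject fails on both label syntax and the domain-plus-TLD rule, which is consistent with the chain-level failure described in the last reply.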