I looked at the new setting under Network > Certificates > Settings: FQDN Compliance Checked. This is disabled by default.
But when I enable it in our acceptance environment, it gives me a validation error:
Validation Error: A valid domain name is a string that must match the following rules:
- A label is a set of characters or numbers or dashes
- The first and last character of a label must be a letter or a number
- The last label cannot be all numbers
- Must be having at least domain and top level domain (example: cisco.com)
- Must not be only top level domain (example: .com)
- Must not be only hostname (example: www)
- wildcard "*" should be first character followed by "."
- Must be resolvable
I do not understand this. Our common names in our certs are resolvable. I presume the common name is checked here?
In our example, a certificate with common name cmail120.acc.xxx.com (replaced the ... with xxx).
nslookup on our appliance gives us 3 IPs for this common name (so it resolves):
A=193.x.x.1 TTL=3h 54m 4s
A=193.x.x.2 TTL=3h 54m 4s
A=193.x.x.3 TTL=3h 54m 4s
Also resolves on an external DNS lookup.
So I'm a bit confused about what this FQDN validation means/does and why it fails.
Thanks
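The rules quoted in the validation error, worked through as an added example (not code from the thread or from Cisco): a Python validator that applies each formatting rule to a name and reports the first rule it breaks. The "Must be resolvable" rule is checked through a pluggable resolver; a constructed stub set of the redacted names from the thread stands in for the appliance's DNS, and the real `dns_resolves` helper can be passed instead for live use. How the appliance resolves a wildcard name is not stated in the thread, so stripping the leading "*." before lookup is an assumption.

```python
import re
import socket
from typing import Callable, Optional

# A label may contain letters, digits or dashes and must start and end with a letter or digit.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")

def dns_resolves(host: str) -> bool:
    """Live resolver: True if the system resolver returns any address for host."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def validate_fqdn(name: str, resolver: Optional[Callable[[str], bool]] = None) -> Optional[str]:
    """Return None when name satisfies the rules from the validation error, else the rule
    it breaks. Resolvability is checked only when a resolver is given; for a wildcard the
    resolver gets the name without the leading "*." (assumption, not stated in the thread)."""
    wildcard = name.startswith("*.")
    host = name[2:] if wildcard else name
    if "*" in host:
        return 'wildcard "*" must be the first character, followed by "."'
    labels = host.split(".")
    if len(labels) == 2 and labels[0] == "":
        return "must not be only a top level domain (example: .com)"
    if "" in labels:
        return "empty label (leading, trailing or doubled dot)"
    bad = [lbl for lbl in labels if not LABEL_RE.match(lbl)]
    if bad:
        return f"label {bad[0]!r} must be letters, digits or dashes, starting and ending with a letter or digit"
    if len(labels) < 2:
        return "must have at least a domain and a top level domain, not only a hostname (example: www)"
    if labels[-1].isdigit():
        return "last label cannot be all numbers"
    if resolver is not None and not resolver(host):
        return "must be resolvable"
    return None

# Constructed stub standing in for the appliance's DNS (the redacted names from
# the thread; nothing here was actually looked up).
STUB_DNS = {"cmail120.acc.xxx.com", "mail122.xxx.yyy.com", "acc.xxx.com"}
def stub_resolver(host: str) -> bool:
    return host in STUB_DNS

if __name__ == "__main__":
    for n in ["cmail120.acc.xxx.com", "*.acc.xxx.com", ".com", "www",
              "host.123", "-bad.acc.xxx.com", "a*.acc.xxx.com", "nope.acc.xxx.com"]:
        print(f"{n:22} -> {validate_fqdn(n, stub_resolver) or 'OK'}")
```

Running the block against the thread's own common name passes every formatting rule, which is consistent with the poster's observation that the error is not explained by the name itself.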
Hey rolelael,
It is my understanding this FQDN validator in the certificates itself checks the CN/SAN portion.
- Checks if it's a valid FQDN in the CN and/or SAN entries (i.e. name formatting)
- Checks if the CN / SAN entries resolve to any IP
For the certificate you're checking, can you confirm these items?
Thanks,
Mathew
I'm sure the formatting is correct, but it gives me:
Validation Error: A valid domain name is a string that must match the following rules:
- A label is a set of characters or numbers or dashes
- The first and last character of a label must be a letter or a number
- The last label cannot be all numbers
- Must be having at least domain and top level domain (example: cisco.com)
- Must not be only top level domain (example: .com)
- Must not be only hostname (example: www)
- wildcard "*" should be first character followed by "."
- Must be resolvable
certificate name (label): cmail-o365
common name: cmail120.xxx.yyy.com
domains: cmail120.xx.yyy.com, mail122.xxx.yyy.com, mail140.xxx.yyy.com, mail123.xxx.yyy.com
All is resolvable on the SEG itself... very strange.
Yep, that is a bit strange that there's the error.
I wonder if it's perhaps an unintended behaviour; if so, we would need TAC to validate.
Is this a self-signed or CA-signed cert, if I can ask?
Thanks,
Mathew
CA signed -> DigiCert
Hey Rolelael,
Okay, that's indeed likely an issue on the device, I would imagine.
I can't see any issues immediately from the outputs you shared that would qualify as an issue on FQDN compliance.
My only comment at this point is to engage Cisco TAC to ensure the functionality is working as expected.
Thanks,
Mathew