Not able to enable ACME Certificate Service in Cisco Expressway-E

dit.petroretail
Level 1

Hi all,

Employees of our company use the Cisco Jabber client on their smartphones to connect to corporate telephony while they work remotely. The server certificate on our Cisco Expressway-E has expired.

My server domain name is: ewaye.petroretail.kz

I ran this command: Acme Providers Write request

It produced this output: ACME accept operation failed : Cannot connect to the ACME provider
management: Level="ERROR" Detail="Acme Providers Write failed", Reason="Cannot connect to the Acme Provider", ErrorCode="500"

My web server is (include version): Cisco Expressway-E version X12.5

The operating system my web server runs on is (include version): TANDBERG Video Communication Server X12.5SW Release date: 2018-12-17 16:24, build


According to the configuration guide Cisco Expressway Certificate Creation And Use Deployment Guide (X12.5) - Use ACME on Expressway-E [Cisco Expressway Series] - Cisco, I tried to follow the links provided and download the certificates mentioned in the guide, but they were expired, so I tried to find the actual certificate versions.

I have appended 2 types of certificates: Let's Encrypt Root CA Certificate (O=IdenTrust, CN=IdenTrust Commercial Root CA 1) and Let's Encrypt Intermediate CA Certificate. I wasn't sure which exact Intermediate CA Certificate I have to use here, so I appended two Intermediate certificates (O=Digital Signature Trust Co., CN=DST Root CA X3 and O=Internet Security Research Group, CN=ISRG Root X1).

Could you please help me find the cause of this problem?

7 Replies

b.winter
VIP

Was the ACME service enabled before, or is it a "fresh" configuration of the ACME service?

Error 500 indicates that the Expressway-E cannot communicate with the ACME provider.
Is HTTP port 80 inbound from the internet to the Expressway-E allowed by the FW? This port is normally not needed for MRA, so it is usually blocked.

No, the ACME service has not been used before and has not been enabled. This is the first time ACME is configured on the company's Expressway-E server.

I've enabled the "Redirect HTTP requests to HTTPS" option in the Web server configuration section, so port 80 is now reachable from the internet.

Have you checked the event and/or network logs?
Or have you taken a diagnostic log with a tcpdump and checked the tcpdump in Wireshark to see whether there is any communication?

And as @Roger Kallberg said, you certainly should update the Expressway to the latest X14.3.1 (but for this you need to connect them to Smart Licensing).

I think you need to read up on how this works. "Redirect HTTP requests to HTTPS" is not related to the use of ACME certificates. Using ACME on Expressway-E


@Roger Kallberg That's true, but according to the SRV checker, port 80 should be reachable from the Internet:

@dit.petroretail Is your MRA deployment even working?
According to the SRV checker, not all the ports necessary for MRA to work are open:
port 5222 and 8443.

For using ACME certificate services yes, but that's not related to the setting that the OP referenced to.

This test is for our test MRA Expw setup, and it does use an ACME certificate, but the test shows that port 80 is not open, as it's only active for the very short period when the ACME certificate is renewed.

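The two checks the replies above call for, as an added Python example: outbound reachability from the Expressway-E to the ACME provider (the leg behind "Cannot connect to the ACME provider"), and an inbound tcp/80 probe from the Internet that tells a firewall drop apart from the normal state in which the Expressway-E is simply not listening between renewals. This is not Cisco's code and was not posted in the thread; it assumes Let's Encrypt production as the provider (the directory URL is an assumption) and takes the Expressway-E FQDN as a command-line argument. Run `outbound_check()` from the Expressway's own network segment and `inbound_check()` from a host outside the corporate firewall.

```python
"""Connectivity pre-flight for ACME HTTP-01 on an Expressway-E.

Added example, not code from Cisco or from anyone in the thread. It assumes
the ACME provider is Let's Encrypt production (directory URL below) and takes
the Expressway-E FQDN on the command line; both are illustrative assumptions.
"""
import json
import socket
import sys
import urllib.request

# Assumption: Let's Encrypt production is the provider configured on the Expressway.
ACME_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"
# RFC 8555 directory resources a client needs before it can even start an order.
REQUIRED_RESOURCES = {"newNonce", "newAccount", "newOrder"}


def outbound_check(directory_url=ACME_DIRECTORY, opener=urllib.request.urlopen, timeout=10):
    """Run from the Expressway-E's own network segment.

    The Expressway must fetch the provider's directory over HTTPS (egress 443)
    before any challenge happens; "Cannot connect to the ACME provider" is this
    direction failing (DNS, egress firewall, or a missing proxy), not port 80.
    Returns (ok, detail). `opener` is injectable so the check can be tested offline.
    """
    try:
        with opener(directory_url, timeout=timeout) as resp:
            directory = json.loads(resp.read().decode("utf-8"))
    except Exception as exc:  # URLError, timeouts, TLS errors, malformed JSON
        return False, f"cannot reach ACME directory {directory_url}: {exc!r}"
    missing = REQUIRED_RESOURCES - set(directory)
    if missing:
        return False, f"directory reachable but lacks {sorted(missing)}"
    return True, "ACME directory reachable and well-formed"


def inbound_check(fqdn, port=80, connect=socket.create_connection, timeout=5):
    """Run from OUTSIDE the corporate firewall (a phone on mobile data, a cloud VM).

    For HTTP-01 the provider fetches http://<fqdn>/.well-known/acme-challenge/<token>
    on port 80, so the firewall must forward tcp/80 to the Expressway-E. A bare TCP
    probe is enough to tell the firewall apart from the Expressway:
      "open"         handshake completed; something is listening (e.g. a challenge in progress)
      "closed"       RST came back; the firewall forwards 80 but nothing listens, which is
                     the normal state between renewals (the Expressway listens only during the challenge)
      "filtered"     no answer before the timeout (or a route error), the signature of a firewall drop
      "unresolvable" the FQDN has no public DNS record, so the provider could not find it either
    `connect` is injectable so the classification can be tested offline.
    """
    try:
        sock = connect((fqdn, port), timeout=timeout)
    except socket.gaierror:
        return "unresolvable"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError, OSError):
        return "filtered"
    sock.close()
    return "open"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <expressway-e-fqdn>")
    host = sys.argv[1]
    ok, detail = outbound_check()
    print(f"outbound to ACME provider: {'OK' if ok else 'FAIL'} ({detail})")
    print(f"inbound tcp/80 to {host}: {inbound_check(host)}")
```

The Expressway's own message says it could not connect to the provider, which is the outbound leg, so run the outbound check first. For the inbound probe, "closed" outside a renewal window matches what the SRV checker shows for a working ACME setup above; "filtered" is the result to take to the firewall team.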

You’re advised to update your Expressways to something more current than 12.5. It’s full of very serious security vulnerabilities and other defects.