Cisco Bug: CSCvu24055 - Clarification on server certificate creation process with ACME for Clustered Expressway-E
Jun 03, 2020
- Cisco TelePresence Video Communication Server (VCS)
Known Affected Releases
Symptom: Only the cluster peer Expressway-E node on which the ACME process is configured and started receives a signed server certificate. The other peers keep their existing server certificate.

Conditions: Clustered Expressway-E using the ACME client (Let's Encrypt) to obtain a server certificate. The published documentation can be read as implying that every peer in the cluster receives the signed certificate.

Example documents:
1) https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_certificate-creation-use-deployment-guide.pdf
2) https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-5/exwy_b_certificate-creation-use-deployment-guide/exwy_b_certificate-creation-use-deployment-guide_chapter_0100.html

Example of the confusing verbiage ("Each Expressway-E peer starts a virtual Apache host...") from document 2:

Procedure
Step 1 You initiate the signing process:
- The ACME client opens an HTTPS connection to Let's Encrypt and uploads the CSR.
- Let's Encrypt responds with a list of challenge files, one for each domain in the CSR.
- The client places the challenge files on all the peers in the Expressway-E cluster.
- Each Expressway-E peer starts a virtual Apache host, configured to serve only the challenge files. <<<<< (the sentence in question)
- The client notifies Let's Encrypt that it is ready to serve the challenge files.
- Let's Encrypt attempts to retrieve the challenge files.
- The client polls Let's Encrypt to see whether the challenge process was successful.
- If the challenge exchange was successful, the client downloads the signed certificate, stores it in a staging area, and notifies you that the certificate is ready to deploy.
- The Expressway-E peers close down the virtual Apache hosts.

Step 2 You initiate the deployment process:
- The Expressway-E copies the staged certificate over the existing server certificate.
- It copies the private key associated with the CSR over the existing private key.
- The Expressway-E signals to other internal processes that they need to reload the server certificate. (You do not need to restart the Expressway-E.)
- The Expressway-E now presents the ACME certificate when making TLS connections.

Note that the challenge files are distributed to every peer (because the CA may reach any peer behind the cluster FQDN), but the signed certificate is staged, and on deployment installed, only on the peer where the ACME client was run.
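The following is an added illustration, not Expressway code or Cisco's documentation: a pure-Python model of the HTTP-01 flow the procedure above describes (RFC 8555 key authorization built from a constructed, non-real account JWK; challenge files copied to every peer; the CA fetching from whichever peer round-robin DNS returns; the certificate staged only on the initiating peer). The peer names, the cluster FQDN and the certificate strings are hypothetical, and a helper reports which peers still lack the new certificate, which is the check an operator would want after running ACME on one node.

```python
import base64
import hashlib
import json
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample account key (public JWK members only); NOT a real key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXMtbm90LWEtcmVhbC1rZXk"}
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Unpadded base64url as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted keys, no whitespace."""
    required = {"kty": jwk["kty"], "n": jwk["n"], "e": jwk["e"]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 8.1: the body the CA expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


@dataclass
class Peer:
    name: str
    # Content of the temporary "virtual Apache host": path -> response body.
    challenge_files: Dict[str, str] = field(default_factory=dict)
    staged_certificate: Optional[str] = None
    active_certificate: str = "existing-server-cert"

    def serve(self, path: str) -> Optional[str]:
        return self.challenge_files.get(path)


class Cluster:
    def __init__(self, fqdn: str, peer_names: List[str]):
        self.fqdn = fqdn
        self.peers = [Peer(n) for n in peer_names]

    def resolve(self, rng: random.Random) -> Peer:
        # Round-robin DNS for the cluster FQDN: the CA may land on any peer.
        return rng.choice(self.peers)


def run_acme(cluster: Cluster, initiator: Peer, domains: List[str], rng: random.Random) -> Dict[str, str]:
    """Step 1 as seen from the peer on which the ACME client was started."""
    # CA-issued challenge tokens (constructed here with a seeded RNG).
    tokens = {d: b64url(rng.getrandbits(128).to_bytes(16, "big")) for d in domains}
    # The client places every challenge file on ALL peers, so validation
    # succeeds no matter which peer the CA's DNS lookup returns.
    for tok in tokens.values():
        for p in cluster.peers:
            p.challenge_files[CHALLENGE_PREFIX + tok] = key_authorization(tok, ACCOUNT_JWK)
    # The CA retrieves each challenge file from whichever peer it resolves.
    for domain, tok in tokens.items():
        body = cluster.resolve(rng).serve(CHALLENGE_PREFIX + tok)
        if body != key_authorization(tok, ACCOUNT_JWK):
            raise RuntimeError(f"HTTP-01 validation failed for {domain}")
    # Success: the signed certificate is staged on the initiating peer only.
    initiator.staged_certificate = "acme-cert:" + ",".join(domains)
    # All peers close down their virtual Apache hosts.
    for p in cluster.peers:
        p.challenge_files.clear()
    return tokens


def deploy(peer: Peer) -> bool:
    """Step 2: copy the staged certificate over the active one on that peer."""
    if peer.staged_certificate is None:
        return False  # nothing staged here: ACME was not run on this peer
    peer.active_certificate = peer.staged_certificate
    peer.staged_certificate = None
    return True


def peers_without_certificate(cluster: Cluster, cert: str) -> List[str]:
    """Operator check: which peers still present something other than `cert`."""
    return [p.name for p in cluster.peers if p.active_certificate != cert]


def demo(seed: int = 7) -> List[str]:
    rng = random.Random(seed)
    cluster = Cluster("expe.example.com", ["expe-1", "expe-2", "expe-3"])
    initiator = cluster.peers[0]
    run_acme(cluster, initiator, ["expe.example.com", "sip.example.com"], rng)
    deploy(initiator)
    return peers_without_certificate(cluster, initiator.active_certificate)


if __name__ == "__main__":
    print("peers still on the old certificate:", demo())
```

`demo()` returns the two peers that never ran the ACME client, matching the symptom: deploying on the initiating node updates that node alone, while the other peers, which only ever hosted the challenge files, keep their existing certificate. The same check is what you would run (against the real TLS endpoints) after an ACME deployment on a cluster.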