LetsEncrypt an Expressway

August 15, 2017 Voice

I’m getting a lab stood up at the house and got Expressway running, but the cost of RMS license make it a bit of a bummer for actually testing stuff – but you can make calls to and from WebEx and CiscoSpark without an RMS impact. So that’s a great way to make calls. But in order to receive calls WebEx and Spark both verify TLS, which means you need a certificate and I’m too cheap to spend 100$ on a certificate for a lab.

Which made me think about using LetsEncrypt. LetsEncrypt is a service that allows you to sign servers with a free and trusted CA signed certificate. I use them on my web servers cause its easy and, well… Cheap. Theres an script called certbot that you use to sign the server and on a web server it takes care of putting everything in its place and adjusting apache configs for HTTPS so its real easy too. On Expressway you have to sign the certificate in manual mode which is a little more complicated and I surely wouldn’t recomend it for production at all, but if you’ve got the control and want to do some testing its works. Other downside is the certificate is valid for 3 months. So you’ll get lots of practice running it.

First you’ll need to install certbot on your local box (https://certbot.eff.org/)

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-apache

Next you’ll run the request to create the certificate. That’s right. No CSR needed. LetsEncrypt will provide you with the private key too. -d domain should be a list of all the SAN names you need.

sudo certbot certonly --manual --preferred-challenges dns -d domain.org,expe-01.domain.org

The next part is the cumbersome part. Because its not a web server thats running the bot itself the best way to confirm ownership for letsEncrypt is to use DNS verification. For the top level its easy enough. You just add the _acme-challenge TXT record to your domain. For the host record its a bit trickier because you have to create a TXT for the host which doesn’t really exist. So we have to create a sub domain in DNS called expe-01.domain.org. Then create a blank A record to the host so that when we resolve expe-01.domain.org is goes somewhere and then the TXT record. Then we record the NS record from our new sub domain and go back to our top level domain and add an NS record for expe-01.domain.org and add in the NS information there. Remember how DNS works. It goes to root “.” and asks for the NS records for “com.” then it goes to “com.” and asks for the NS records for “google.com.” and then resolves you query from those servers. We have to add another layer for it to work.

~$ dig +noall +answer @8.8.8.8 _sips._tcp.domain.org SRV
_sips._tcp.domain.org. 299	IN	SRV	1 10 5061 expe-01.domain.org.

~$ dig +noall +answer @8.8.8.8 expe-01.domain.org NS 
expe-01.domain.org. 86399	IN	NS	ns.awsdns-06.org.
expe-01.domain.org. 86399	IN	NS	ns.awsdns-61.co.uk.
expe-01.domain.org. 86399	IN	NS	ns.awsdns-56.com.
expe-01.domain.org. 86399	IN	NS	ns.awsdns-08.net.

~$ dig +noall +answer @8.8.8.8 expe-01.domain.org A
expe-01.domain.org. 299	IN	A	55.55.55.55

~$ dig +noall +answer @8.8.8.8 _acme-challenge.expe-01.domain.org TXT
_acme-challenge.expe-01.domain.org. 59 IN TXT "f0UxKndMEHpFZhu-wwYu-cAvb8a_*********"

~$ dig +noall +answer @8.8.8.8 _acme-challenge.domain.org TXT
_acme-challenge.domain.org. 299 IN	TXT	"rmnrmacOUos4348ZClAM7KzkxI-***********"

But once the DNS checks out you hit go and certbot spits back the chain, host certificate and private key. Then you just upload to Expressway. Tandberg was nice enough to have a button for private key upload right on the certificate page to make it easy.

~$ sudo certbot --manual --preferred-challenges dns -d domain.org,expe-01.domain.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
With the manual plugin, you probably want to use the "certonly" command, eg:

    certbot certonly --manual

(Alternatively, add a --installer flag. See https://eff.org/letsencrypt-plugins
 and "--help plugins" for more information.)
jsnipes@nwn-jsnipes:~$ sudo certbot certonly --manual --preferred-challenges dns -d domain.org,expe-01.domain.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) 
 (Enter 'c' to cancel): jon@domain.org
Resetting dropped connection: acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for domain.org
dns-01 challenge for expe-01.domain.org

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.domain.org with the following value:

rmnrmacOUos4348ZClAM7KzkxI-****************

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.expe-01.domain.org with the following value:

f0UxKndMEHpFZhu-wwYu-cAvb8a_****************

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Resetting dropped connection: acme-v01.api.letsencrypt.org
Resetting dropped connection: acme-v01.api.letsencrypt.org
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.org/privkey.pem
   Your cert will expire on 2017-11-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Reboot Expressway and now Cisco trusts you enough to make calls into your system from Spark or WebEx free of charge, no RMS license needed. And reember – even free Spark accounts can make standards based SIP calls to third parties.

My Collab Lab

LetsEncrypt an Expressway

Display Ascii Update

User Input Update