Yealink Forums

Full Version: HTTPS/SSL Error
I'm trying to configure a set of W52P phones to provision from our HTTPS server. I have a valid SSL certificate signed by GoDaddy. When I try to provision, the log shows "Certificate doesn't verify and error is 20" and "trust check error". I've tried uploading GoDaddy's Root CA certificate to "Security -> Trusted Certificates", but it doesn't make a difference.

It does work if I set "Security -> Trusted Certificates -> Only Accept Trusted Certificates" to "Disabled", but that's not my preferred setting.

When I access the HTTPS server with IE, Firefox, and Google Chrome, I do not receive any certificate errors, and my Grandstream phones connect without any issues.

How can I get the Yealink phones to work with my GoDaddy certificate?
Hi nickcoons,
:) Thanks for your continuous support of Yealink products.
Please first check whether the signature algorithm of the SSL certificate is SHA1; at the moment our phones don't support the SHA2 signature algorithm.

If the issue still exists, please provide the issue data from the phone:
1. trace
2. syslog (level 6)
3. config.bin
If you don't know how to get the issue data, please refer to the URL address
ftp://Lucas:28X3Dg6Q@ftp.yealink.com/manual/
or the HTTP address
http://forum.yealink.com/forum/showthread.php?tid=1319.

Please upload the issue data to ftp://Lucas:28X3Dg6Q@ftp.yealink.com/ and notify me. Thank you very much.
GoDaddy is not on the list of supported trusted certificate authorities (see below). I however am having the same problem on a T46G and I am using an approved cert in the list. If I set the Only Accept Trusted Certificates setting to "Disabled" then everything works. I think we have a bug here.

Here is the list of trusted certs from this document.

DigiCert High Assurance EV Root CA
Deutsche Telekom AG Root CA-2
Equifax Secure Certificate Authority
Equifax Secure eBusiness CA-1
Equifax Secure Global eBusiness CA-1
GeoTrust Global CA
GeoTrust Global CA2
GeoTrust Primary CA
GeoTrust Primary CA G2 ECC
GeoTrust Universal CA
GeoTrust Universal CA2
Thawte Personal Freemail CA
Thawte Premium Server CA
Thawte Primary Root CA - G1 (EV)
Thawte Primary Root CA - G2 (ECC)
Thawte Primary Root CA - G3 (SHA256)
Thawte Server CA
VeriSign Class 1 Public Primary Certification Authority
VeriSign Class 1 Public Primary Certification Authority - G2
VeriSign Class 1 Public Primary Certification Authority - G3
VeriSign Class 2 Public Primary Certification Authority - G2
VeriSign Class 2 Public Primary Certification Authority - G3
VeriSign Class 3 Public Primary Certification Authority
VeriSign Class 3 Public Primary Certification Authority - G2
VeriSign Class 3 Public Primary Certification Authority - G3
VeriSign Class 3 Public Primary Certification Authority - G4
VeriSign Class 3 Public Primary Certification Authority - G5
VeriSign Class 4 Public Primary Certification Authority - G2
VeriSign Class 4 Public Primary Certification Authority - G3
VeriSign Universal Root Certification Authority
Perhaps GoDaddy SSL certificate support should be added given their massive share of the SSL certificate signing market.
Hi all,
If you want to use a certificate that we can't support at present, you must import the certificate in advance. If the import succeeds, the certificate will be displayed in the box as in the picture.
(11-10-2014 10:49 AM) Yealink_Lucas wrote: Hi all,
If you want to use a certificate that we can't support at present, you must import the certificate in advance. If the import succeeds, the certificate will be displayed in the box as in the picture.

If I import my certificate from GoDaddy, and then it expires in the future, do I need to import the new one as well? Or is there something higher up in the chain that I can import that will cause it to accept all future versions as well?
I tested with a GeoTrust Global CA certificate, which should be built-in(?), but the phone still indicates that it can't handle the certificate:

Feb 12 10:37:03 LIBD[344]: DCMN<6+info > Connecting path.domain.ext:443
Feb 12 10:37:03 LIBD[344]: DCMN<6+info > Connecting IP = xxx.xxx.xxx.xxx, Port = 443
Feb 12 10:37:03 LIBD[344]: DCMN<6+info > SSL_connect (read done)
Feb 12 10:37:03 LIBD[344]: DCMN<6+info > SSL_connect (read done)
Feb 12 10:37:03 LIBD[344]: DCMN<3+error > Certificate doesn't verify and error is 19
Feb 12 10:37:03 LIBD[344]: DCMN<3+error > trust check error
Feb 12 10:37:03 LIBD[344]: HTTP<3+error > Connect Error
Feb 12 10:37:03 ATP [344]: ATP <3+error > https to file failed, code = -3, msg = Connect Failed, retry = 2

Does this have to do with SHA1/SHA2?
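
Added example, not part of any post in this thread: a small triage script for phone syslog lines in the format quoted above, mapping the "error is N" values to OpenSSL's X509 verify error names. It assumes the firmware reports OpenSSL's numeric codes (the `SSL_connect` lines suggest OpenSSL); the sample log, hostnames and hint strings are constructed.

```python
import re

# Constructed sample in the syslog layout quoted in the thread; hosts/IP are placeholders.
SAMPLE_LOG = """\
Feb 12 10:37:03 LIBD[344]: DCMN<6+info > Connecting prov.example.test:443
Feb 12 10:37:03 LIBD[344]: DCMN<6+info > Connecting IP = 192.0.2.10, Port = 443
Feb 12 10:37:03 LIBD[344]: DCMN<6+info > SSL_connect (read done)
Feb 12 10:37:03 LIBD[344]: DCMN<3+error > Certificate doesn't verify and error is 19
Feb 12 10:37:03 LIBD[344]: DCMN<3+error > trust check error
Feb 12 10:37:03 ATP [344]: ATP <3+error > https to file failed, code = -3, msg = Connect Failed, retry = 2
Feb 12 10:37:09 LIBD[344]: DCMN<6+info > Connecting prov2.example.test:443
Feb 12 10:37:09 LIBD[344]: DCMN<3+error > Certificate doesn't verify and error is 20
"""

# OpenSSL X509_V_ERR_* numbers. Assumption: the phone logs OpenSSL's codes.
VERIFY_ERRORS = {
    7: ("CERT_SIGNATURE_FAILURE", "signature check failed; compare the cert's hash algorithm with firmware support"),
    10: ("CERT_HAS_EXPIRED", "renew the server certificate or fix the phone clock"),
    18: ("DEPTH_ZERO_SELF_SIGNED_CERT", "server cert is self-signed and untrusted; import it as trusted"),
    19: ("SELF_SIGNED_CERT_IN_CHAIN", "root in the presented chain is not in the phone trust store; import that root CA"),
    20: ("UNABLE_TO_GET_ISSUER_CERT_LOCALLY", "issuer not found; serve the intermediates and import the root CA"),
    21: ("UNABLE_TO_VERIFY_LEAF_SIGNATURE", "only the leaf was available; serve the full chain"),
}

# timestamp, process name (optionally padded), pid, module<level+name >, message
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\w+)\s*\[\d+\]: \w+\s*<(\d)\+\w+\s*> (.*)$")
CONNECT = re.compile(r"^Connecting (\S+):(\d+)$")   # skips the "Connecting IP = ..." form
VERIFY = re.compile(r"doesn't verify and error is (\d+)")

def triage(log_text):
    """Pair each verify failure with the host named in the preceding connect line."""
    findings, host = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # line is not in the expected layout
        stamp, _proc, _level, msg = m.groups()
        c = CONNECT.match(msg)
        if c:
            host = c.group(1)
            continue
        v = VERIFY.search(msg)
        if v:
            code = int(v.group(1))
            name, hint = VERIFY_ERRORS.get(code, ("UNKNOWN", "see the openssl verify man page"))
            findings.append({"time": stamp, "host": host, "code": code, "name": name, "hint": hint})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} {f['host']}: error {f['code']} ({f['name']}) -> {f['hint']}")
```
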
When is Yealink going to support SHA2? My CA (GeoTrust) will not allow me to sign a SHA1 cert with an expiry past 12/31/2016 (I have a 3 year cert) because SHA1 will be phased out by then, making the cert useless for everything (except Yealink apparently) past that date. This has been a known fact for 2 years, get with the times!
Hi,

SHA2 will be supported in T23/T27/T29/T41/T42/T46/T48 in V80 which will be available in Q2 or Q3 2015.

Regards,
James
Hi everybody!
If I have twenty T21P phones with the same problem (SHA256 unsupported), what can I do? Why will you not upgrade these phones to firmware V80?
My reseller doesn't give me my money back; can I replace the T21 phones with T23 in your office in Moscow?