Yealink Forums

Can't get T2X to accept LetsEncrypt Certificate
Hi all

Testing on a T26P;
Firmware Version 6.73.0.50
Hardware Version 4.0.1.38

I have a LetsEncrypt FullChain key loaded into our SIP server.

OpenSSL doesn't seem to have a problem with the cert chain;

# openssl s_client -connect abc.def.com:5061 -no_ssl2 -bugs
...
subject=/CN=abc.def.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
...
Verify return code: 0 (ok)


So back on the phone. If I set "trusted certs only" to disabled on the phone it connects fine.

Turning "trusted certs only" to enabled fails, as I'd expect, as it doesn't yet have the root certs for LetsEncrypt.

However, if I load either of the LetsEncrypt X3 Intermediate Certificates from https://letsencrypt.org/certificates/ into the Trusted Certificates on the phone, it still fails.

Looking at the phone logs it's seeing;

Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] SSL_is_init_finished done
Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] tls_connect: remote certificate: subject:/CN=abc.def.com
Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] tls_connect: remote certificate: issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Jan 11 14:05:07 SIP [465]: SDL <3+error > [000] Failed to verify remote certificate
Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] verification failure: unable to get local issuer certificate


So it's seeing the cert but doesn't seem to be matching it to the intermediate given in the web front end.



What have I missed?

I can't believe that nobody out there is using LetsEncrypt.

Cheers
Mark
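
The `openssl s_client` check in the post was verified against whatever CA store that machine's OpenSSL uses, not the store on the phone. As an added example (not part of the original post), the script below builds a constructed root, intermediate and leaf and shows how `openssl verify` treats a trust store holding only the intermediate versus one holding the root; all names are made up, and whether the phone's firmware matches any of these cases is not established by the post.

```shell
#!/bin/sh
# Constructed root -> intermediate -> leaf chain; all names are made up.
make_chain() {                       # $1 = directory for keys and certs
  d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/o.cnf"
  # Self-signed root CA.
  openssl req -config "$d/o.cnf" -x509 -extensions ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Example Root" \
    -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
  # Intermediate CA, signed by the root.
  openssl req -config "$d/o.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/o.cnf" -extensions ca \
    -out "$d/int.pem" >/dev/null 2>&1
  # Server (leaf) certificate, signed by the intermediate.
  openssl req -config "$d/o.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=sip.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" >/dev/null 2>&1
}

# Verify the leaf against ONE trust file ($1); any further arguments are
# passed to `openssl verify`. Prints openssl's output, returns its status.
verify_leaf() {
  trust=$1; shift
  openssl verify -CAfile "$trust" "$@" "$D/leaf.pem" 2>&1
}

# Print one result line per scenario, with the first error openssl reported.
report() {
  label=$1; shift
  if out=$(verify_leaf "$@"); then
    echo "$label: ok"
  else
    echo "$label: FAIL ($(echo "$out" | grep '^error' | head -n1))"
  fi
}

D=$(mktemp -d) && trap 'rm -rf "$D"' EXIT
make_chain "$D"
report "store = intermediate only"                  "$D/int.pem"
report "store = intermediate, -partial_chain"       "$D/int.pem" -partial_chain
report "store = root, peer sends leaf+intermediate" "$D/root.pem" -untrusted "$D/int.pem"
report "store = root, peer sends leaf only"         "$D/root.pem"
```

To test a real deployment the same way, point `-CAfile` at exactly the file loaded into the device and pass the certificates the server actually sends with `-untrusted`.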