Yealink Forums

Full Version: Can't get T2X to accept LetsEncrypt Certificate
Hi all

Testing on a T26P;
Firmware Version
Hardware Version

I have a LetsEncrypt FullChain key loaded into our SIP server.

OpenSSL doesn't seem to have a problem with the cert chain;

# openssl s_client -connect -no_ssl2 -bugs
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Verify return code: 0 (ok)

So back on the phone. If I set "trusted certs only" to disabled on the phone it connects fine.

Turning "trusted certs only" to enabled fails as I'd expect, as it doesn't yet have the root certs for LetsEncrypt.

However if I load either of the LetsEncrypt X3 Intermediate Certificates from in to the Trusted Certificates on the phone it still fails.

Looking at the phone logs it's seeing;

Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] SSL_is_init_finished done
Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] tls_connect: remote certificate: subject:/
Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] tls_connect: remote certificate: issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Jan 11 14:05:07 SIP [465]: SDL <3+error > [000] Failed to verify remote certificate
Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] verification failure: unable to get local issuer certificate

So it's seeing the cert but doesn't seem to be matching it to the intermediate given in the web front end.

What have I missed?

I can't believe that nobody out there is using LetsEncrypt.
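
Added example, not part of the original post or of any Yealink tooling: a small parser that turns SIP log lines of the format quoted above into one record per TLS handshake, so that verification failures collected from several phones can be grouped by issuer and reason. It assumes an `SSL_is_init_finished` line starts each attempt; the function names are hypothetical.

```python
import re
from collections import Counter

# The five log lines from the post above, verbatim.
SAMPLE_LOG = """\
Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] SSL_is_init_finished done
Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] tls_connect: remote certificate: subject:/
Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] tls_connect: remote certificate: issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Jan 11 14:05:07 SIP [465]: SDL <3+error > [000] Failed to verify remote certificate
Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] verification failure: unable to get local issuer certificate
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+SIP\s*\[(?P<pid>\d+)\]:\s+SDL\s+"
    r"<\d\+(?P<level>\w+)\s*>\s+\[\d+\]\s+(?P<msg>.*)$")
CERT_PREFIX = "tls_connect: remote certificate:"

def parse_tls_attempts(log_text):
    """Return one dict per TLS handshake seen in the SIP log."""
    attempts, cur = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a SIP/SDL line
        msg = m["msg"]
        if msg.startswith("SSL_is_init_finished"):
            # Assumption: this line marks the start of a new attempt.
            cur = {"time": m["ts"], "subject": None, "issuer": None,
                   "failed": False, "reason": None}
            attempts.append(cur)
        elif cur is None:
            continue  # certificate or failure line with no handshake before it
        elif msg.startswith(CERT_PREFIX):
            field, _, value = msg[len(CERT_PREFIX):].strip().partition(":")
            if field in ("subject", "issuer"):
                cur[field] = value.strip()
        elif msg.startswith("Failed to verify remote certificate"):
            cur["failed"] = True
        elif msg.startswith("verification failure:"):
            cur["failed"] = True
            cur["reason"] = msg.partition(":")[2].strip()
    return attempts

def failures_by_issuer(attempts):
    """Count failed verifications per (issuer, reason) pair."""
    return Counter((a["issuer"], a["reason"]) for a in attempts if a["failed"])

if __name__ == "__main__":
    summary = failures_by_issuer(parse_tls_attempts(SAMPLE_LOG))
    for (issuer, reason), n in summary.items():
        print(f"{n}x {reason!r} for certificates issued by {issuer}")
```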
