Can't get T2X to accept LetsEncrypt Certificate - Yealink Forums (http://forum.yealink.com/forum)
Can't get T2X to accept LetsEncrypt Certificate - mark@dark - 01-11-2018 02:36 PM

Hi all

Testing on a T26P:

    Firmware Version 6.73.0.50
    Hardware Version 4.0.1.38

I have a LetsEncrypt FullChain key loaded into our SIP server. OpenSSL doesn't seem to have a problem with the cert chain:

    # openssl s_client -connect abc.def.com:5061 -no_ssl2 -bugs
    ...
    subject=/CN=abc.def.com
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ...
    Verify return code: 0 (ok)

So back on the phone. If I set "trusted certs only" to disabled on the phone, it connects fine. Turning "trusted certs only" to enabled fails as I'd expect, as it doesn't yet have the root certs for LetsEncrypt.

However, if I load either of the LetsEncrypt X3 Intermediate Certificates from https://letsencrypt.org/certificates/ into the Trusted Certificates on the phone, it still fails. Looking at the phone logs, it's seeing:

    Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] SSL_is_init_finished done
    Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] tls_connect: remote certificate: subject:/CN=abc.def.com
    Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] tls_connect: remote certificate: issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    Jan 11 14:05:07 SIP [465]: SDL <3+error > [000] Failed to verify remote certificate
    Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] verification failure: unable to get local issuer certificate

So it's seeing the cert but doesn't seem to be matching it to the intermediate given in the web front end.

What have I missed? I can't believe that nobody out there is using LetsEncrypt.

Cheers
Mark
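
The situation described in the post above, reproduced offline as an added example that is not part of the original post: a constructed root, intermediate and leaf certificate are checked with `openssl verify` against three trust-store setups (intermediate only, intermediate with partial chains allowed, self-signed root). The certificate names are made up, and using the `openssl` command as a stand-in for the phone's verifier is an assumption; the post does not show how the firmware builds its chain.

```bash
#!/usr/bin/env bash
# Constructed chain: Example Root -> Example Intermediate -> sip.example.test.
# All names and keys are generated here; nothing comes from the original post.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

build_chain() {  # $1 = directory to write keys and certificates into
  local d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed root CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
    -extensions v3_ca -subj "/CN=Example Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate CA, signed by the root (not self-signed).
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=Example Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/ca.cnf" -extensions v3_ca -out "$d/int.pem" 2>/dev/null || return 1
  # Server (leaf) certificate, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=sip.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Case 1: the trust store holds only the intermediate (the setup tried in the post).
verify_intermediate_only() { openssl verify -CAfile "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1; }
# Case 2: same store, but a non-self-signed certificate is accepted as the anchor.
verify_partial_chain() { openssl verify -partial_chain -CAfile "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1; }
# Case 3: the self-signed root is the anchor; the intermediate is supplied untrusted, as a server sends it.
verify_root_anchor() { openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1; }

build_chain "$WORK" || { echo "openssl could not build the test chain" >&2; exit 1; }
for t in intermediate_only partial_chain root_anchor; do
  if "verify_$t" "$WORK"; then echo "$t: verify OK"; else echo "$t: verify FAILED"; fi
done
```

With OpenSSL 1.1.0 or later the first case is rejected and the other two pass: by default a chain must end at a self-signed certificate in the trust store, and a non-self-signed intermediate is accepted as the anchor only when partial chains are enabled.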