Yealink Forums
Can't get T2X to accept LetsEncrypt Certificate - Printable Version


Can't get T2X to accept LetsEncrypt Certificate - mark@dark - 01-11-2018 02:36 PM

Hi all

Testing on a T26P;
Firmware Version 6.73.0.50
Hardware Version 4.0.1.38

I have a LetsEncrypt FullChain key loaded into our SIP server.

OpenSSL doesn't seem to have a problem with the cert chain:

# openssl s_client -connect abc.def.com:5061 -no_ssl2 -bugs
...
subject=/CN=abc.def.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
...
Verify return code: 0 (ok)


So back on the phone. If I set "trusted certs only" to disabled on the phone it connects fine.

Turning "trusted certs only" to enabled fails as I'd expect, since it doesn't yet have the root certs for LetsEncrypt.

However, if I load either of the LetsEncrypt X3 Intermediate Certificates from https://letsencrypt.org/certificates/ into the Trusted Certificates on the phone, it still fails.

Looking at the phone logs, it's seeing:

Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] SSL_is_init_finished done
Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] tls_connect: remote certificate: subject:/CN=abc.def.com
Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] tls_connect: remote certificate: issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Jan 11 14:05:07 SIP [465]: SDL <3+error > [000] Failed to verify remote certificate
Jan 11 14:05:07 SIP [465]: SDL <6+info > [000] verification failure: unable to get local issuer certificate


So it's seeing the cert but doesn't seem to be matching it to the intermediate given in the web front end.



What have I missed?

I can't believe that nobody out there is using LetsEncrypt.

Cheers
Mark
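
Added example, not part of the original post and not Yealink's code: how the stock openssl command-line verifier treats a trust store that holds only an intermediate, reproduced with a throwaway constructed chain. It assumes the phone's TLS stack validates the way the openssl CLI does; the certificate names and the `new_key_and_csr`, `verifies` and `report` helpers are made up for this example.

```shell
#!/bin/sh
# Constructed test PKI (root -> intermediate -> leaf); every name here is made up.
set -e
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT

cat > "$D/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# new_key_and_csr NAME CN: fresh key plus a signing request
new_key_and_csr() {
    openssl req -new -config "$D/cfg" -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
}

# Self-signed root, an intermediate signed by it, and a leaf signed by the intermediate.
openssl req -x509 -config "$D/cfg" -extensions ca -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Root" -keyout "$D/root.key" -out "$D/root.pem" 2>/dev/null
new_key_and_csr int "Example Intermediate"
openssl x509 -req -in "$D/int.csr" -CA "$D/root.pem" -CAkey "$D/root.key" -CAcreateserial \
    -extfile "$D/cfg" -extensions ca -days 2 -out "$D/int.pem" 2>/dev/null
new_key_and_csr leaf "sip.example.test"
openssl x509 -req -in "$D/leaf.csr" -CA "$D/int.pem" -CAkey "$D/int.key" -CAcreateserial \
    -days 2 -out "$D/leaf.pem" 2>/dev/null

# verifies STORE [openssl verify options]: true when the leaf validates against STORE
verifies() {
    store=$1; shift
    openssl verify "$@" -CAfile "$D/$store" "$D/leaf.pem" 2>&1 | grep -q ': OK$'
}

report() {
    label=$1; shift
    if verifies "$@"; then echo "$label: OK"; else echo "$label: FAIL"; fi
}

# By default the chain must end at a self-signed root that is in the trust store.
report "intermediate only in trust store" int.pem
report "intermediate only, partial chains allowed" int.pem -partial_chain
report "root in trust store, intermediate sent by peer" root.pem -untrusted "$D/int.pem"
```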