Yealink Forums
Phones no longer support Let Encrypt - Printable Version



Phones no longer support Let Encrypt - johnbeaumont - 10-03-2021 11:41 PM

We have a large number of customers with varying models of phones and firmwares (up to 86) using our LDAP servers and start TLS. These servers use Let's Encrypt certificates.

On October the first we had multiple complaints of phones (at the moment we presume all) failing to connect via TLS. The problem is listed by Let's Encrypt here:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

If I look in my own T46S phone's CA certs I can see it has expired:
DST Root CA X3 DST Root CA X3 Sep 30 14:01:15 2021..

Are there any plans for a firmware update to fix this?


RE: Phones no longer support Let Encrypt - yealink@vespino.nl - 10-05-2021 03:38 PM

Could this be causing my remote phonebook not to work and having to download it via IP address instead of via FQDN?


RE: Phones no longer support Let Encrypt - johnbeaumont - 10-05-2021 04:06 PM

I have even tried uploading the new ISRG Root X1 cert from the Let's Encrypt page into Trusted Certificates. (This is on a T54W with V85 firmware.)

But the phone gives a weird error.

"The certs file is prefabricated!"

I have no idea what this means, but it won't take the pem file.

I enabled logging and found this error:

[DCMN]the ca file has existed by factory prefabrication

So I'm trying to upload a cert already factory installed. But the factory installed one expired on Sept 30th 2021.

So currently there's no way to fix this without a firmware update from Yealink.

Any plans to fix this?


RE: Phones no longer support Let Encrypt - yealink@vespino.nl - 10-05-2021 06:17 PM

I have also uploaded the new certificate, it uploads without problems, but does not solve my issue.


RE: Phones no longer support Let Encrypt - Alcormizar - 10-05-2021 09:05 PM

Can confirm, all Yealink phones we have installed that connect via TLS to Let's Encrypt certificates stopped working. We had to go through all of them and set "Only Accept Trusted Certificates" to Disabled to be able to make them connect again. The root certificate for Let's Encrypt in all Yealink phones has expired (even with latest firmwares) and is causing disconnects.

Tried to upload the new root certificate, got "certificate is prefabricated".

Tried to upload intermediate certificates, they get uploaded but don't solve the problem since the expired root certificate is taking precedence.

This is very poor for a company like Yealink who should make sure they stay up to date with root certificates to avoid situations like this. Please provide firmware updates even for old phones so we can safely use TLS security again.

Thanks!
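
Added example, not part of the thread and not Yealink's code: a name-matching model of path building for the Let's Encrypt chain discussed above, showing how a validator that follows the server-sent cross-signed intermediate ends at the expired DST Root CA X3 even when ISRG Root X1 is in the trust store. The chain layout, hostname and every date except the DST Root CA X3 expiry quoted in the thread are constructed, and whether the phones validate this way is an assumption.

```python
from datetime import datetime, timezone
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str
    not_after: datetime

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed model; signatures are not checked, issuers are matched by name only.
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", utc(2021, 9, 30, 14, 1, 15))  # expiry from the thread
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", utc(2035, 6, 4))     # self-signed root
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", utc(2024, 9, 30))  # cross-signed copy
R3 = Cert("R3", "ISRG Root X1", utc(2025, 9, 15))
LEAF = Cert("ldap.example.test", "R3", utc(2021, 12, 1))                 # hypothetical server

LONG_CHAIN = [LEAF, R3, ISRG_X1_CROSS]   # server also sends the cross-signed intermediate
SHORT_CHAIN = [LEAF, R3]                 # server stops at R3

def validate(chain, trust_store, now, prefer_trusted):
    """Walk from the leaf to a trust anchor and return (ok, reason).

    prefer_trusted=True : a matching trust anchor ends the path immediately.
    prefer_trusted=False: a server-sent issuer is followed first; the trust
                          store is consulted only when the sent chain runs out.
    """
    cur, pool = chain[0], chain[1:]
    for _ in range(len(chain) + 1):      # bound the walk
        if cur.not_after < now:
            return False, f"{cur.subject} expired"
        anchors = [a for a in trust_store if a.subject == cur.issuer]
        sent = [c for c in pool if c.subject == cur.issuer]
        if anchors and (prefer_trusted or not sent):
            anchor = anchors[0]
            if anchor.not_after < now:
                return False, f"trust anchor {anchor.subject} expired"
            return True, f"anchored at {anchor.subject}"
        if not sent:
            return False, f"no issuer found for {cur.subject}"
        cur = sent[0]
    return False, "path too long"

if __name__ == "__main__":
    store, now = [DST_X3, ISRG_X1_SELF], utc(2021, 10, 5)
    for name, chain, pref in [("long chain, sent-first", LONG_CHAIN, False),
                              ("long chain, anchor-first", LONG_CHAIN, True),
                              ("short chain, sent-first", SHORT_CHAIN, False)]:
        print(name, "->", validate(chain, store, now, pref))
```

In this model the sent-first validator recovers when the server stops sending the cross-signed intermediate, which is why both the client's path-building order and the chain the server presents are worth checking.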


RE: Phones no longer support Let Encrypt - yealink@vespino.nl - 10-05-2021 09:11 PM

Disabling Only Accept Trusted Certificates also doesn't work for me.


RE: Phones no longer support Let Encrypt - Alcormizar - 10-05-2021 09:29 PM

(10-05-2021 09:11 PM)yealink@vespino.nl Wrote:  Disabling Only Accept Trusted Certificates also doesn't work for me.

Your problem is probably not related to the certificate expiration... TLS is used to set up encrypted SIP tunnels for encrypted communications. Unless your phonebook is connecting through a TLS encrypted tunnel that happens to use a Let's Encrypt certificate, then this is probably not the cause.


RE: Phones no longer support Let Encrypt - yealink@vespino.nl - 10-05-2021 09:43 PM

I have entered the FQDN of my FreePBX install https://FQDN/phonebook.php ... when I enter http://IP/phonebook.php it does work. Everything is routed through my reverse proxy and everything worked fine before the LE thing. So yeah, your guess is as good as mine.


RE: Phones no longer support Let Encrypt - complex1 - 10-05-2021 09:56 PM

Renew the LE certificates of your PBX and try again.


RE: Phones no longer support Let Encrypt - yealink@vespino.nl - 10-05-2021 09:58 PM

The thing is, FreePBX isn't running a certificate, the reverse proxy is. And I have already renewed that multiple times.