Yealink Forums
"Trusted Certificates" and auto provisioning - Printable Version

+- Yealink Forums (http://forum.yealink.com/forum)
+-- Forum: IP Phone Series (/forumdisplay.php?fid=4)
+--- Forum: Auto Provisioning (/forumdisplay.php?fid=14)
+--- Thread: "Trusted Certificates" and auto provisioning (/showthread.php?tid=45779)



"Trusted Certificates" and auto provisioning - jobst - 05-06-2022 03:19 PM

Hi

Been using 'auto provisioning' for a long time, and it's been working very well, except - as I now noticed - at the end of September 2021 this stopped working; all of my phones have not been updating/auto-provisioning ever since.

Now I have to move around a few phones (all of them are WFH phones), and I noticed if I turn on "Only Accept Trusted Certificates" the phones will NOT update, if I turn it off they will.

However this has been working a long time when turned on, also the server has been using "Letsencrypt Certificates" for years. If I check the servers certificates with external cert checkers they all show OK.

What has changed?
Why does this not work anymore?


RE: "Trusted Certificates" and auto provisioning - complex1 - 05-06-2022 05:10 PM

(05-06-2022 03:19 PM)jobst Wrote:  Hi

Been using 'auto provisioning' for a long time, and it's been working very well, except - as I now noticed - at the end of September 2021 this stopped working; all of my phones have not been updating/auto-provisioning ever since.

Now I have to move around a few phones (all of them are WFH phones), and I noticed if I turn on "Only Accept Trusted Certificates" the phones will NOT update, if I turn it off they will.

However this has been working a long time when turned on, also the server has been using "Letsencrypt Certificates" for years. If I check the servers certificates with external cert checkers they all show OK.

What has changed?
Why does this not work anymore?

Hi,

Please read this link
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

A solution to this could be to update the phone firmware if possible.


RE: "Trusted Certificates" and auto provisioning - jobst - 05-06-2022 08:35 PM

(05-06-2022 05:10 PM)complex1 Wrote:  
(05-06-2022 03:19 PM)jobst Wrote:  Hi
Why does this not work anymore?
Please read this link
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
A solution to this could be to update the phone firmware if possible.

I read about it a while back, never thought this would apply to me.
Thank you!!!

Problem is the later firmware updates don't include certs for the T46S.
I tried to download certs from letsencrypt but they fail "prefabricated".

Does anyone know how dangerous it is to leave the option disabled if the server the config files are downloaded from is my own server?


RE: "Trusted Certificates" and auto provisioning - dbonnell - 06-15-2022 11:00 AM

I've been struggling with this for ages also. Yes, disabling "Trusted Certificates Only" via the web interface is a workaround, but we wanted a way to provision without touching the devices at all.

The device has an expired ISRG Root X1 certificate. That was updated in firmware V81 but that firmware is not available for the device, as it is too old. I had tried providing the new ISRG Root X1 via RPS' server Trusted Certificate setting, but it still failed. I also tried loading the Letsencrypt R3 + ISRG Root X1 in a single PEM into the base station, and it still failed.

Finally I tried loading those chain certs separately into the base and the ISRG Root X1 cert was rejected with the error "The cert file is prefabricated!". So you cannot override the expired built-in cert.

That discovery finally led me to a 3CX forum post that provided the solution ... removing the ISRG Root X1 from our provisioning server's chain.pem so that the chain stops at the Letsencrypt R3. Firmware < V81 does not have the R3 cert, so you are then able to provide that in RPS as a Trusted Certificate. After doing that, these old devices are able to successfully provision from a factory state, without having to touch them at all.

Since letsencrypt will overwrite the modified chain.pem every 6 months or so when it renews the provisioning server's certificate, we also added static.security.trust_certificates = 0 to the configuration for these legacy devices so that they will not stop provisioning once that chain is reset.
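The chain-trimming workaround from the post above can be made to survive renewals instead of being undone each time Let's Encrypt rewrites chain.pem. The script below is an added example for this thread, not Yealink's, 3CX's or certbot's own code. It assumes (labelled in the code) certbot's `--deploy-hook` convention of passing the renewed lineage directory in the `RENEWED_LINEAGE` environment variable, and that the provisioning web server is pointed at the generated `fullchain-legacy.pem` rather than at `fullchain.pem`. It keeps the leaf plus the first certificate of chain.pem (the R3 intermediate in the thread's case), drops everything after it, and reports the SHA-256 fingerprint of each dropped certificate so the operator can confirm that what was removed is the built-in root the phone rejects as "prefabricated". The sample PEM bundle embedded for the self-test is constructed from placeholder bytes and is not a real certificate.

```python
"""Certbot deploy hook: write a trimmed chain for legacy Yealink phones.

Added example for this forum thread; not Yealink's, 3CX's or certbot's code.
Assumptions (labelled): certbot exports RENEWED_LINEAGE (the
/etc/letsencrypt/live/<name> directory) to deploy hooks, and the
provisioning web server serves fullchain-legacy.pem instead of fullchain.pem.
"""
import base64
import hashlib
import os
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem(bundle: str) -> list[str]:
    """Return each certificate in a PEM bundle, re-serialised with 64-char lines."""
    certs = []
    for body in PEM_RE.findall(bundle):
        b64 = "".join(body.split())
        base64.b64decode(b64, validate=True)  # fail early on a corrupt block
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append(
            "-----BEGIN CERTIFICATE-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n"
        )
    return certs


def fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER bytes, formatted like `openssl x509 -fingerprint -sha256`."""
    der = base64.b64decode("".join(PEM_RE.search(pem_cert).group(1).split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def trim_chain(bundle: str, keep: int = 1, drop=frozenset()) -> tuple[str, list[str]]:
    """Keep the first `keep` certificates of the chain, minus any whose
    fingerprint is in `drop`. Returns (trimmed PEM, fingerprints dropped).
    keep=1 on Let's Encrypt's chain.pem stops the chain at the intermediate,
    which is exactly the workaround described in the thread."""
    kept, dropped = [], []
    for index, cert in enumerate(split_pem(bundle)):
        fp = fingerprint(cert)
        if index < keep and fp not in drop:
            kept.append(cert)
        else:
            dropped.append(fp)
    return "".join(kept), dropped


def _pem(raw: bytes) -> str:
    """Wrap arbitrary bytes as a PEM block (constructed test data, not a real cert)."""
    return split_pem(
        "-----BEGIN CERTIFICATE-----\n"
        + base64.b64encode(raw).decode()
        + "\n-----END CERTIFICATE-----\n"
    )[0]


# Constructed sample chain: "intermediate" followed by "cross-signed root".
SAMPLE_CHAIN = _pem(b"placeholder-intermediate-R3") + _pem(b"placeholder-cross-signed-root")


def main() -> int:
    lineage = os.environ.get("RENEWED_LINEAGE")  # assumption: set by certbot --deploy-hook
    if not lineage:
        print("RENEWED_LINEAGE not set; run this as a certbot deploy hook", file=sys.stderr)
        return 2
    with open(os.path.join(lineage, "cert.pem")) as f:
        leaf = f.read()
    with open(os.path.join(lineage, "chain.pem")) as f:
        chain = f.read()
    trimmed, dropped = trim_chain(chain)
    out = os.path.join(lineage, "fullchain-legacy.pem")
    with open(out, "w") as f:
        f.write("".join(split_pem(leaf)) + trimmed)
    print(f"wrote {out}; dropped {len(dropped)} certificate(s): {', '.join(dropped)}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it as `certbot renew --deploy-hook /usr/local/bin/trim_chain.py` (or under `/etc/letsencrypt/renewal-hooks/deploy/`) and the trimmed file is regenerated on every renewal. Two caveats: the phones will only verify the short chain if the intermediate it now ends at (R3 in the thread) has been uploaded to them as a Trusted Certificate, as the post describes; and the `keep` count assumes Let's Encrypt's layout of chain.pem, so check the printed fingerprint against `openssl x509 -in chain.pem -noout -fingerprint -sha256` the first time rather than trusting the position blindly.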