"Trusted Certificates" and auto provisioning
Author Message
jobst Offline
Junior Member
**

Posts: 3
Joined: Sep 2020
Reputation: 0
Post: #1
Question "Trusted Certificates" and auto provisioning
Hi

Been using for a long time 'auto provisioning', it's been working very well, except - as I now noticed - at the end of September 2021 this stopped working, all of my phones have not been updating/auto-provisioning ever since.

Now I have to move around a few phones (all of them are WFH phones), and I noticed if I turn on "Only Accept Trusted Certificates" the phones will NOT update, if I turn it off they will.

However this has been working a long time when turned on, also the server has been using "Letsencrypt Certificates" for years. If I check the server's certificates with external cert checkers they all show OK.

What has changed?
Why does this not work anymore?
05-06-2022 03:19 PM
complex1 Offline
3CX Adv. Cert. Engineer
*****

Posts: 1,549
Joined: Jan 2014
Reputation: 48
Post: #2
RE: "Trusted Certificates" and auto provisioning
(05-06-2022 03:19 PM)jobst Wrote:  Hi

Been using for a long time 'auto provisioning', it's been working very well, except - as I now noticed - at the end of September 2021 this stopped working, all of my phones have not been updating/auto-provisioning ever since.

Now I have to move around a few phones (all of them are WFH phones), and I noticed if I turn on "Only Accept Trusted Certificates" the phones will NOT update, if I turn it off they will.

However this has been working a long time when turned on, also the server has been using "Letsencrypt Certificates" for years. If I check the server's certificates with external cert checkers they all show OK.

What has changed?
Why does this not work anymore?

Hi,

Please read this link
https://letsencrypt.org/docs/dst-root-ca...mber-2021/

A solution to this could be to update the phone firmware if possible.

Kind regards,
Frank.

I am not an employee of Yealink.
Dutch is my native language, not English. Apologies for my imperfect grammar.
Please do not send unsolicited PM messages. I will not answer them.
05-06-2022 05:10 PM
jobst Offline
Junior Member
**

Posts: 3
Joined: Sep 2020
Reputation: 0
Post: #3
RE: "Trusted Certificates" and auto provisioning
(05-06-2022 05:10 PM)complex1 Wrote:  
(05-06-2022 03:19 PM)jobst Wrote:  Hi
Why does this not work anymore?
Please read this link
https://letsencrypt.org/docs/dst-root-ca...mber-2021/
A solution to this could be to update the phone firmware if possible.

I read about it a while back, never thought this would apply to me.
Thank you!!!

Problem is the later firmware updates don't include certs for the T46S.
I tried to download certs from letsencrypt but they fail "prefabricated".

Does anyone know how dangerous it is to leave the option disabled if the server the config files are downloaded from is my own server?
(This post was last modified: 05-06-2022 09:17 PM by jobst.)
05-06-2022 08:35 PM
dbonnell Offline
Junior Member
**

Posts: 1
Joined: Aug 2020
Reputation: 0
Post: #4
RE: "Trusted Certificates" and auto provisioning
I've been struggling with this for ages also. Yes, disabling "Trusted Certificates Only" via the web interface is a workaround, but we wanted a way to provision without touching the devices at all.

The device has an expired ISRG Root X1 certificate. That was updated in firmware V81 but that firmware is not available for the device, as it is too old. I had tried providing the new ISRG Root X1 via RPS' server Trusted Certificate setting, but it still failed. I also tried loading the Letsencrypt R3 + ISRG Root X1 in a single PEM into the base station, and it still failed.

Finally I tried loading those chain certs separately into the base and the ISRG Root X1 cert was rejected with the error "The cert file is prefabricated!". So you cannot override the expired built-in cert.

That discovery finally led me to a 3CX forum post that provided the solution ... removing the ISRG Root X1 from our provisioning server's chain.pem so that the chain stops at the Letsencrypt R3. Firmware < V81 does not have the R3 cert so you are then able to provide that in RPS as a Trusted Certificate. After doing that, these old devices are able to successfully provision from a factory state, without having to touch them at all.

Since letsencrypt will overwrite the modified chain.pem every 6 months or so when it renews the provisioning server's certificate, we also added static.security.trust_certificates = 0 to the configuration for these legacy devices so that they will not stop provisioning once that chain is reset.
06-15-2022 11:00 AM
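
The chain trimming described in post #4, as an added example that is not part of the original thread and is not Yealink or Let's Encrypt code: it reads each certificate's subject field and cuts the served chain just before ISRG Root X1, so the chain stops at R3. A plain text search would not work, because R3's issuer field also names ISRG Root X1. The function names and the sample certificates are constructed for illustration, and running this from a renewal hook so the trim is reapplied after each renewal is an assumption.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_of(der):
    """Return the raw bytes of the subject Name in a DER X.509 certificate."""
    _, pos, _ = tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)      # TBSCertificate SEQUENCE
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:                # optional [0] version
        pos = end
    for _ in range(4):             # skip serial, sigalg, issuer, validity
        pos = tlv(der, pos)[2]
    _, start, end = tlv(der, pos)
    return der[start:end]

def trim_chain(pem_text, stop_cn=b"ISRG Root X1"):
    """Keep certificates up to, not including, the first whose *subject* has stop_cn."""
    kept = []
    for block in PEM_RE.findall(pem_text):
        b64 = "".join(block.strip().splitlines()[1:-1])
        if stop_cn in subject_of(base64.b64decode(b64)):
            break
        kept.append(block.rstrip("\n") + "\n")
    return "".join(kept)

# --- constructed sample: unsigned stand-ins with the real TBSCertificate field order ---
def _der(tag, body):               # short-form lengths only (body < 128 bytes)
    return bytes([tag, len(body)]) + body

def _name(cn):                     # Name with a single commonName (OID 2.5.4.3)
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn))))

def fake_cert(subject, issuer):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer) + _der(0x30, b"") + _name(subject))
    b64 = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE = (fake_cert(b"provision.example.test", b"R3") + fake_cert(b"R3", b"ISRG Root X1")
          + fake_cert(b"ISRG Root X1", b"DST Root CA X3"))
```

As the post notes, devices that receive the trimmed chain still need R3 supplied as a Trusted Certificate.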