[YMCS/YDMP Free Trial Program]Yealink would like to offer Free Trial Program of Yealink device management service for our current eligible customers. You can see the details below.

Post Reply 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
"Trusted Certificates" and auto provisioning
Author Message
dbonnell Offline
Junior Member

Posts: 1
Joined: Aug 2020
Reputation: 0
Post: #4
RE: "Trusted Certificates" and auto provisioning
I've been struggling with this for ages also. Yes, disabling "Trusted Certificates Only" via the web interface is a workaround, but we wanted a way to provision without touching the devices at all.

The device has an expired ISRG Root X1 certificate. That was updated in firmware V81 but that firmware is not available for the device, as it is too old. I had tried providing the new ISRG Root X1 via RPS' server Trusted Certificate setting, but it still failed. I also tried loading the Letsencrypt R3 + ISRG Root X1 in a single PEM into the base station, and it still failed.

Finally I tried loading those chain certs separately into the base and the ISRG Root X1 cert was rejected with the error "The cert file is prefabricated!". So you cannot override the expired built-in cert.

That discovery finally lead me to a 3CX forum post that provided the solution ... removing the ISRG Root X1 from our provisioning server's chain.pem so that the chain stops at the Letsencrypt R3. Firmware < V81 does not have the R3 cert so you are then able to provide that in RPS as a Trusted Certificate. After doing that, these old devices are able to successfully provision from a factory state, without having to touch them at all.

Since letsencrypt will overwrite the modified chain.pem every 6 months or so when it renews the provisioning server's certificate, we also added static.security.trust_certificates = 0 to the configuration for these legacy devices so that they will not stop provisioning once that chain is reset.
06-15-2022 11:00 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Post Reply 

Messages In This Thread
RE: "Trusted Certificates" and auto provisioning - dbonnell - 06-15-2022 11:00 AM

Possibly Related Threads...
Thread: Author Replies: Views: Last Post
  ISRG Root X1 cert not recognized by phone during auto provision chrisduncansb 2 526 05-21-2024 01:23 PM
Last Post: rlaager
  Auto Provision Wall Paper Stopped Working TRP Tech 5 10,182 02-19-2024 12:02 AM
Last Post: jamesalan
Smile W73P dect phone not allowing to auto-provision as different extension Andi_Dee 0 1,999 10-12-2023 05:49 PM
Last Post: Andi_Dee
  How to disable Voicemail from .cfg in auto provisioning file? boniakowski 2 1,893 09-19-2023 12:03 AM
Last Post: boniakowski
  VPN Changes Do Not Get Auto-Provisioned joe1st 3 3,395 08-08-2023 12:35 AM
Last Post: cecilberge
Wink Auto Provsioning EOL products and devices that do dont have recent firmware releases GalacticSolutions 3 6,355 04-12-2023 05:32 PM
Last Post: aaronmedina
  account.X provisioning vieri 7 5,983 02-10-2023 07:02 PM
Last Post: vieri
  Yealink T54W Auto Provision not working h.cmc 1 4,150 12-09-2022 08:31 PM
Last Post: complex1
  T46U Not Contacting Provisioning Server 88fingerslukee 0 2,335 09-06-2022 11:43 PM
Last Post: 88fingerslukee
  Need help auto provisioning a phone with Nextiva service. LittleDogTech 3 5,525 08-30-2022 06:28 PM
Last Post: complex1

Forum Jump:

User(s) browsing this thread: 1 Guest(s)

Contact Us   Yealink   Return to Top   Return to Content   Lite (Archive) Mode   RSS Syndication