[YMCS/YDMP Free Trial Program]Yealink would like to offer Free Trial Program of Yealink device management service for our current eligible customers. You can see the details below.
https://www.yealink.com/ydmp-freetrial-2020


Post Reply 
 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
"Trusted Certificates" and auto provisioning
Author Message
dbonnell Offline
Junior Member
**

Posts: 1
Joined: Aug 2020
Reputation: 0
Post: #4
RE: "Trusted Certificates" and auto provisioning
I've been struggling with this for ages also. Yes, disabling "Trusted Certificates Only" via the web interface is a workaround, but we wanted a way to provision without touching the devices at all.

The device has an expired ISRG Root X1 certificate. That was updated in firmware V81 but that firmware is not available for the device, as it is too old. I had tried providing the new ISRG Root X1 via RPS' server Trusted Certificate setting, but it still failed. I also tried loading the Letsencrypt R3 + ISRG Root X1 in a single PEM into the base station, and it still failed.

Finally I tried loading those chain certs separately into the base and the ISRG Root X1 cert was rejected with the error "The cert file is prefabricated!". So you cannot override the expired built-in cert.

That discovery finally lead me to a 3CX forum post that provided the solution ... removing the ISRG Root X1 from our provisioning server's chain.pem so that the chain stops at the Letsencrypt R3. Firmware < V81 does not have the R3 cert so you are then able to provide that in RPS as a Trusted Certificate. After doing that, these old devices are able to successfully provision from a factory state, without having to touch them at all.

Since letsencrypt will overwrite the modified chain.pem every 6 months or so when it renews the provisioning server's certificate, we also added static.security.trust_certificates = 0 to the configuration for these legacy devices so that they will not stop provisioning once that chain is reset.
06-15-2022 11:00 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Post Reply 


Messages In This Thread
RE: "Trusted Certificates" and auto provisioning - dbonnell - 06-15-2022 11:00 AM

Possibly Related Threads...
Thread: Author Replies: Views: Last Post
Wink Auto Provsioning EOL products and devices that do dont have recent firmware releases GalacticSolutions 1 1,111 04-17-2022 07:05 AM
Last Post: markm
  T46G RingCentral Provisioning jszima 0 717 03-07-2022 10:24 AM
Last Post: jszima
  Auto Provision Wall Paper Stopped Working TRP Tech 4 3,889 11-19-2021 10:27 AM
Last Post: TRP Tech
  Setting of lang.gui via remote provisioning cloudaware 1 2,069 10-26-2021 07:11 PM
Last Post: cloudaware
  zero touch provisioning & firewall gareth20202 2 3,091 10-09-2021 04:55 PM
Last Post: Phil2021
  Step by Step for Auto Provisioning nguyenp 2 6,044 08-06-2021 04:27 PM
Last Post: Phil2021
Question Mutual Certificates exchange using built device built in cetificate Ricardo Martins 7 17,714 06-02-2021 02:35 AM
Last Post: tonipamies
  Auto-Provision W60P on FreeSWITCH Phoneperson 10 17,119 03-06-2021 03:51 AM
Last Post: Phoneperson
  disable provisioning on T26P yeaphild 0 3,167 02-25-2021 07:25 PM
Last Post: yeaphild
  Provisioning only works on startup Snapdragons 3 6,212 09-29-2020 12:49 AM
Last Post: Jay_Yealink

Forum Jump:


User(s) browsing this thread: 1 Guest(s)

Contact Us   Yealink   Return to Top   Return to Content   Lite (Archive) Mode   RSS Syndication