FreePBX / FREEPBX-18222

Yealink phones won't connect using SSL/TLS to FreePBX 14 w/ Let's Encrypt, but will FreePBX 13

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Do
    • Affects Version/s: 14
    • Fix Version/s: None
    • Component/s: Certificate Manager
    • Labels:
      None
    • ToDo:
    • Asterisk Version:
      13.22.1
    • Distro Version:
      12.7.5-1807-1.sng7
    • Distro:
      FreePBX Distro

      Description

      I tried and tried to get Yealink phones to connect using HTTPS Provisioning, HTTPS Phone Apps, and TLS to a new FreePBX 14 system and couldn't get it to work.  The same phones will connect to a FreePBX 13 system without hesitation.

      I found this FreePBX community forum thread about the problem: https://community.freepbx.org/t/yealink-t4xg-phones-will-not-autoprovision-over-https-with-freepbx-14/44617

      Similar threads exist on Yealink's forums: http://forum.yealink.com/forum/showthread.php?tid=41843

      I didn't have time to deep dive into why it was happening and bought a Comodo certificate to get the customer up and running and buy me some time.  Now I am circling back to this and I think I might have found the cause of the problem.  Both systems have this in the tls transport section of pjsip:

      ca_list_file=/etc/pki/tls/certs/ca-bundle.crt

      cert_file=/etc/asterisk/keys/[hostname].pem

      priv_key_file=/etc/asterisk/keys/[hostname].key

      That ca-bundle.crt file is very different between FreePBX 13 and 14.  In FreePBX 13, it is:

      -rw-r--r--. 1 root root  877042 Apr 23  2015 ca-bundle.crt

      In FreePBX 14 it is a symbolic link to this:

      -r--r--r--. 1 root root 211658 Aug  2  2012 tls-ca-bundle.pem

      The file is much smaller and older on FreePBX 14 than on 13 (211K from 2012 in FreePBX 14 vs 877K from 2015 in FreePBX 13).

      Google tells me that these CA Bundle files are used to provide information necessary to improve compatibility and trust of certain certificates, but how that all works is above my pay grade, so I am just looking at what are the differences in the files referenced on FreePBX 13 vs FreePBX 14 systems and this is what I found.  I'm hoping that this is a meaningful difference worth pointing out and that someone at Sangoma who is smarter than me can confirm that this is, in fact, the problem, and if so, push out an update of that file.

      Thanks,

      Dave
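
Added example, not part of the original report and not FreePBX or Sangoma code: the report compares the two bundle files by size and date, and this script compares two bundles by the certificates they contain, ignoring any text between PEM blocks. The function names and the sample data are assumptions constructed for illustration; pass two bundle paths on the command line to compare real files.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprints(bundle_text):
    """Return the set of SHA-256 fingerprints of every certificate block.

    Comments and human-readable certificate dumps between blocks are
    skipped, so bundles holding the same certificates compare equal
    whatever their file size.
    """
    found = set()
    for match in PEM_RE.finditer(bundle_text):
        der = base64.b64decode("".join(match.group(1).split()))
        found.add(hashlib.sha256(der).hexdigest())
    return found

def diff_bundles(text_a, text_b):
    """Return (only in A, only in B) as sorted fingerprint lists."""
    a, b = fingerprints(text_a), fingerprints(text_b)
    return sorted(a - b), sorted(b - a)

def pem(der):
    """Wrap raw bytes in a PEM certificate block (helper for the sample)."""
    body = base64.encodebytes(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + body +
            "-----END CERTIFICATE-----\n")

# Constructed sample data: placeholder bytes stand in for DER certificates.
ROOT_A, ROOT_B, ROOT_C = b"constructed-A", b"constructed-B", b"constructed-C"
BUNDLE_OLD = ("Certificate:\n    Data: (text dump)\n" + pem(ROOT_A) +
              "# comment between blocks\n" + pem(ROOT_B))
BUNDLE_NEW = "# Root A\n" + pem(ROOT_A) + "# Root C\n" + pem(ROOT_C)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        old, new = (open(p, encoding="utf-8", errors="replace").read()
                    for p in sys.argv[1:3])
    else:
        old, new = BUNDLE_OLD, BUNDLE_NEW
    only_old, only_new = diff_bundles(old, new)
    print(f"only in first bundle:  {len(only_old)}")
    print(f"only in second bundle: {len(only_new)}")
    for fp in only_old:
        print("-", fp)
    for fp in only_new:
        print("+", fp)
```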

              People

              • Assignee:
                kgupta Kapil Gupta
                Reporter:
                david.sovereen@mercury.net David Sovereen