Certificate Failure Loop - 500V2

Status
Not open for further replies.

dwone555

Programmer
Jun 10, 2004
64
US
Here is the scenario:

- Avaya IP Office R11.1
- 500V2 Control Unit
- J-Series Phones
- Avaya Workplace App and Remote Phones
- SIP TLS is on
- A custom Cert was created for the use of the Workplace App (Subject Alternative Names - SANs)
- Preferred Ports are in use
- Has been in service for a year or so

The Certificate on the 500V2 has now expired, and we instructed our Tech to renew or "Regenerate" it. The new Certificate is now generated and good for 3 months and 2 years (strange timeline for expiration).

In order for the Workplace app to re-connect, the end users had to "Reset to Defaults" and re-login (the new cert was downloaded).

All J-Series phones now are at "Acquiring Service" because they can no longer connect with the old Certificate. Nor can they download the new WebRootCA.pem certificate. Why? Because they are trying to access the 46xxsettings.txt file from the HTTPS connection using the old security Certificate and getting denied.

Are we now forced to factory reset all phones?
What if this is a 200+ phone install?
What are we missing? Is there a workaround?
We've been told this will not happen on Server Edition. An Avaya Support ticket was created but they were not able to escalate or further test. "Just reset all the phones" [thumbsdown]
 
Need a certificate for the IPO that has been signed with the same CA as the original expired certificate.

I can’t remember if the phones will fall back to HTTP if the HTTPS server is unavailable.

If changing the certificate provider CA, you need to get the new CA on the phones BEFORE updating the IPO certificate.

You need to add the new CA to the settings file. Use the specials file.
It needs to not be named WebRootCA.pem; name it something else for the phone to load it.

Reboot the phones to push out the new CA.

Then you can change the IPO certificate.

Otherwise, unfortunately, I think it is a clear on the handsets to allow them to load the new CA.

I’ve potentially got a new domain/hostname to roll out to a 3000+ user site; now that is going to be painful.
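
A pre-flight check for the ordering described in the reply above, as an added example that is not part of the thread and not Avaya tooling: it tells you whether a replacement certificate chains to the CA the phones already trust, or whether the new CA has to be staged on the phones first. It assumes the CA the phones currently trust and the candidate certificate have been saved as PEM files (the file names are placeholders) and that OpenSSL 1.1.0 or later is installed.

```sh
#!/bin/sh
# Added example: pre-flight check before replacing the IP Office identity
# certificate. File names are placeholders; needs OpenSSL 1.1.0 or later.

# chains_to CA_PEM CERT_PEM: succeed only if CERT_PEM verifies against CA_PEM.
# -no-CApath keeps the system trust store out of the decision, because the
# phones only know the CA they downloaded, not the workstation's CA bundle.
chains_to() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# valid_for_days CERT_PEM N: succeed if CERT_PEM is still valid N days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# preflight PHONE_CA NEW_CERT [NEW_CA]: print one verdict.
#   SAFE_TO_SWAP        new cert chains to the CA the phones already trust
#   STAGE_NEW_CA_FIRST  new cert chains only to NEW_CA; get that CA onto the
#                       phones before changing the system certificate
#   UNTRUSTED           new cert chains to neither CA supplied
#   CERT_EXPIRED        new cert is already outside its validity period
preflight() {
    phone_ca=$1; new_cert=$2; new_ca=${3:-}
    if ! valid_for_days "$new_cert" 0; then
        echo CERT_EXPIRED; return 1
    fi
    if chains_to "$phone_ca" "$new_cert"; then
        echo SAFE_TO_SWAP; return 0
    fi
    if [ -n "$new_ca" ] && chains_to "$new_ca" "$new_cert"; then
        echo STAGE_NEW_CA_FIRST; return 1
    fi
    echo UNTRUSTED; return 1
}

# Run as: sh preflight.sh phone-ca.pem new-cert.pem [new-ca.pem]
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

Running `valid_for_days` against the certificate currently in service with a lead time of a few weeks gives enough warning to stage a new CA before the old certificate lapses.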
 