IP Office 11 certificate renewal J100 series phones acquiring service after reboot

Status
Not open for further replies.

NOTaPhoneGuy2020

Systems Engineer
Jun 22, 2020
5
US
Good afternoon,

I have a client that recently renewed their GoDaddy certificate and updated the certificate in IPO 11.0.1 server edition. After the certificate was renewed, they found that if a phone was rebooted/lost power/etc., the phone would get stuck at acquiring service. A factory reset will resolve the issue. However, they have several hundred phones, and if there was a switch reboot for maintenance, or a power issue, they could be looking at several phones needing to be factory reset.

We believe the issue is related to the certificate. If a phone is factory reset, and then reboots, it will load with the configuration without issue.

We have a case open with Avaya, and they are wanting to blame the network.

Does anyone have any ideas on how to resolve this?
 
From my understanding the J100 will store the first cert it gets and use that. Since the cert was changed on the IPO, it will not match what's on the J100, so it has to be cleared so it can pull the new cert. Looks like all the phones will have to be cleared.
 
The Avaya tech created a new CSR and had the client regenerate the certificate. This resolved the phones going into TLS alarm.

The CSR was used to regenerate a wildcard cert, which ended up breaking all of the server's secure connections.

The client ordered a new cert, and we went through the whole issue again, as the CSR was missing the SIP domain.

Changing the SIP domain in IPO allowed the phones to pull the config after they were rebooted.
 
The phones need and store the Root certificate from the server.
The server has this, as well as the identity certificate which is for the server and signed by the Root cert.
In the case of a paid cert like GoDaddy, an intermediate certificate is also used.
If you need to change or include detail like the SIP domain, then only the server's identity needs to be changed.
The Root cert is unchanged. Therefore, the Root cert stored in the phone is still the same and correct.
-> You may update the identity cert.
-> Never change the Root cert once the system is in service, unless you know what you are doing.
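
The two conditions this thread arrives at (a renewed identity certificate must still chain to the root the phones already store, and it must carry the SIP domain) can be checked with OpenSSL before the certificate is loaded on the server. This is an added example, not part of any post above and not Avaya tooling; the function names, file names and the choice of a DNS subjectAltName entry for the SIP domain are assumptions, and the sample PKI is constructed.

```shell
#!/bin/sh
# Usage: check_renewed_cert ROOT.pem NEW_IDENTITY.pem SIP_DOMAIN [INTERMEDIATE.pem]
# Returns 0 = chains to the stored root and names the SIP domain,
#         1 = does not chain to that root, 2 = SIP domain missing from the SAN.
check_renewed_cert() {
    root=$1; cert=$2; domain=$3; chain=${4:-}
    if [ -n "$chain" ]; then set -- -untrusted "$chain"; else set --; fi
    # Do not load the default CA file/directory; the supplied root is the trust anchor.
    openssl verify -no-CAfile -no-CApath -CAfile "$root" "$@" "$cert" \
        >/dev/null 2>&1 || return 1
    # Assumption: the SIP domain must be listed as a DNS subjectAltName entry.
    openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | tr -d ' ' | grep -Fqx "DNS:$domain" || return 2
    return 0
}

# Constructed sample PKI (throwaway keys, made-up names) to exercise the check.
make_constructed_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"
    for r in rootA rootB; do
        openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -days 2 \
            -subj "/CN=Constructed $r" -keyout "$d/$r.key" -out "$d/$r.pem" 2>/dev/null
    done
    issue() {   # issue NAME SIGNING_ROOT SAN_LIST
        printf 'subjectAltName=%s\n' "$3" > "$d/$1.ext"
        openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
            -subj "/CN=ipo.example.test" -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
        openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" \
            -CAcreateserial -days 2 -extfile "$d/$1.ext" -out "$d/$1.pem" 2>/dev/null
    }
    issue good rootA 'DNS:ipo.example.test,DNS:sip.example.test'       # same root, SIP domain present
    issue nosip rootA 'DNS:ipo.example.test'                           # same root, SIP domain missing
    issue otherroot rootB 'DNS:ipo.example.test,DNS:sip.example.test'  # different root
}

# Run directly against real files: sh check.sh ROOT.pem NEW.pem SIP_DOMAIN [CHAIN.pem]
if [ "$#" -ge 3 ]; then check_renewed_cert "$@"; exit $?; fi
```

For a GoDaddy-issued certificate, pass the intermediate as the fourth argument so the chain can be built up to the root.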
 