
Remote Phones over TLS, R11.1.3.1 - Soft Phones Log in, J100's Acquiring Service 5


dsm600rr

Hello All,

So we have a strange one here that we have tested for HOURS and cannot get remote J100's to log in.

So we have a Virtual Machine Running in a 11:11 Cloud, using TLS (no SBC) and NO IP SSL Certificates.

Remote Phones Log in OK on TCP

Remote Phones on TLS hang at "Logging in - Verifying Credentials" and then finally "Acquiring Service"

Avaya IX Workplace logs in fine on TLS

We tested phones both locally at the client, at our office and at home - all the same issues.

I can see the Remote Phone grabbing its files via Monitor.

We have quite a few other sites with the exact same setup and working fine. The ONLY difference we can see, is on this particular site, when we upgraded to R11.1.3.1 Build 34, Web Manager shows "Upgrade failed.: - Upgrade do stage failed to finish" - Of course Avaya says this is OK and to Ignore, however is it really?



ACSS / ACIS
 
derfloh: Thanks for chiming in again and also all the help over the years. One day I will get this down.

So from my understanding, this is not working with the autogenerated WebRootCA.pem

So we took Richard10d's (Thank you as well!) suggestion, added a 46xxspecials.txt with the one line of:

SET TLSSRVRID 0

That alone worked. Is this a good option as I see Avaya States:

"A setting of 0 does not disable verification of the certificate chain. It only disables verification of the identity in the server certificate." - So should we continue to deploy this way, or figure out the issue with the WebRootCA.pem?

If the answer is figure out the issue with the WebRootCA.pem, can someone possibly assist with: "I would merge all certificates in one file and place it in the IP Office file management as WebRootCA.pem"

Thanks again all!


ACSS / ACIS
 
You should have the root and intermediate certificates from the CA that created your server certificate.

If you open your server certificate you will see who is the issuer and what intermediate/root certificates are needed.

[Screenshot]


Open the first issuer certificate (Secure Site CA in this example) with notepad.
Open the next certificate (DigiCert) and copy the whole content. Paste the content of this root certificate below the content of the first certificate.

If you have more intermediate certificates, add them as well, but be aware that the order is the opposite of that in the screenshot (issuer first, next intermediate certificates, then root certificate).

Save the file as WebRootCA.pem and upload it to IP Office.

 
derfloh: Thanks again!

So if I navigate to the:
Security Settings > System > Certificates > View I get to a Similar View:

[Screenshot]


"Open the first issuer certificate (Secure Site CA in this example) with notepad": In my example, that would be the: "Vitalwerks Internet Solutions, No-IP TLS ICA". I am not seeing how to open the certificate with Notepad from the certificate pictured above. Only "View Certificate".

Shall I "View Certificate" and then "Copy to File"?

[Screenshot]

[Screenshot]

If so, what option here?

[Screenshot]


ACSS / ACIS
 
I am also able to download and View:

[Screenshot]

[Screenshot]


ACSS / ACIS
 
Bit of an update. Deleted the 46xxspecials.txt file with the "SET TLSSRVRID 0", now back to autogenerated and now I cannot get a phone to fail to test the new WebRootCA.pem

Got a new phone, cleared it and it logged in without any issues

Did a reboot of the IPO and the same [poke]

ACSS / ACIS
 
So, the current status is... it's working.. dang it. ?

If you cleared the phone, it should be downloading the chain and if it works then success...

Or did I miss something?
 
derfloh: Perfect. Should I leave all 3 certs in the chain, rename it WebRootCA.pem and load that to the primary, or only the intermediates?

Richard10d: I took your advice first and modified a 46xxspecials.txt with the "SET TLSSRVRID 0" and the phones logged in. Perfect.

The issue came up with trying to get the phones to fail again to test out a modified WebRootCA.pem

No matter what I did, I could not get the phones to NOT log back in.

- I deleted the modified 46xxspecials.txt, so we were back at the autogenerated
- I cleared the phone
- I rebooted the IPO

The phone just keeps logging back in, so kind of stuck here with testing the modified WebRootCA.pem

Do you personally do one or the other, or both - in regards to a 46xxspecials.txt file as well as the combined Intermediates WebRootCA.pem?

ACSS / ACIS
 
derfloh: So download the PEM Chain, rename WebRootCA.pem and load to the primary folder?

Below is the Chain:

[Screenshot]


ACSS / ACIS
 
derfloh: Appreciate it!

ACSS / ACIS
 