Remote Phones over TLS, R11.1.3.1 - Soft Phones Log in, J100's Aquiring Service 5

[dsm600rr]

Hello All,

So we have a strange one here that we have tested for HOURS and cannot get remote J100's to log in.

So we have a Virtual Machine Running in a 11:11 Cloud, using TLS (no SBC) and NO IP SSL Certificates.

Remote Phones Log in OK on TCP

Remote Phones on TLS hang at "Logging in - Verifying Credentials" and then finally "Acquiring Service"

Avaya IX Workplace logs in fine on TLS

We tested phones both locally at the client, at out office and at home - all the same issues.

I can see the Remote Phone grabbing its files via Monitor.

We have quite a few other sites with the exact same setup and working fine. The ONLY difference we can see, is on this particular site, when we upgraded to R11.1.3.1 Build 34, Web Manager shows "Upgrade failed.: - Upgrade do stage failed to finish" - Of course Avaya says this is OK and to Ignore, however is it really?



ACSS / ACIS

 

[derfloh]

Description: Unknown CA

The remote phone doesn't have the correct CA certificate installed.

Ensure that WebRootCA.pem is the correct CA cert AND check that the phone downloads the file.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

derfloh: Thanks for chiming in again and also all the help over the years. One day I will get this down.

So from my understanding, this is not working with the autogenerated WebRootCA.pem

So we took Richard10d (Thank you as well!) suggestions, added a 46xxspecials.txt with the one line of:

SET TLSSRVRID 0

That alone worked. Is this a good option as I see Avaya States:

"A setting of 0 does not disable verification of the certificate chain. It only disables verification of the identity in the server certificate." - So should we continue to deploy this way, or figure out the issue with the WebRootCA.pem?

If the answer is figure out the issue with the WebRootCA.pem, can someone possibly assist with: "I would merge all certificates in one file and place it in the IP Office file management as WebRootCA.pem"

Thanks again all!


ACSS / ACIS

 

[derfloh]

You should have the root and intermediate certificates from the CA that created your server certificate.

If you open your server certificate you will see who is the issuer and what intermediate/root certificates are needed.

Open the first issuer certificate (Secure Site CA in this example) with notepad.
Open the next certificate (DigiCert) and copy the whole content. Paste the content of this root certiicate below the content of the first certificate.

If you have more intermediate certificates add them as well but be aware the the order is the opposite than in the screenshot (issuer first next intermediate certificates, then root certificate).

Save the file as WebRootCA.pem and upload it to IP Office.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

derfloh: Thanks again!

So if I navigate to the:
Security Settings > System > Certificates > View I get to a Similar View:

"Open the first issuer certificate (Secure Site CA in this example) with notepad": In my example, that would be the: "Vitalwerks Internet Solutions, No-IP TLS ICA". I am not seeing how to open the certificate with Notepad from the certificate pictured above. Only "View Certificate".

Shall I "View Certificate" and then "Copy to File"?

If so, what option here?

ACSS / ACIS

 

[dsm600rr]

I am also able to download and View:

ACSS / ACIS

 

[dsm600rr]

Bit of an update. Deleted the 46xxspecials.txt file with the "SET TLSSRVRID 0", now back to autogenerated and now I cannot get a phone to fail to test the new WebRootCA.pem

Got a new phone, cleared it and it logged in without any issues

Did a reboot of the IPO and the same

ACSS / ACIS

 

[derfloh]

Download the chain

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[Richard10d]

So, the current status is... it's working.. dang it. ?

If you cleared the phone, it should be downloading the chain and if it works then success...

Or did I miss something?

 

[dsm600rr]

derfloh: Perfect. Should I leave all 3 certs in the chain, rename it WebRootCA.pem and load that to the primary, or only the intermediates?

Richard10d: I took your advice first and modified a 46xxspecials.txt with the "SET TLSSRVRID 0" and the phones logged in. Perfect.

The issue came up with trying to get the phones to fail again to test out a modified WebRootCA.pem

No matter what I did, I could not get the phones to NOT log back in.

- I Deleted the modified 46xxspecials.txt, so we were back at the autogenerated
- I cleared the Phone
- I reboot the IPO

The phone just keeps logging back in, so kind of stuck here with testing the modified WebRootCA.pem

Do you persnally do one or the other, or both - in reguards to a 46xxspecials.txt file as well as the combined Intermediates WebRootCA.pem?

ACSS / ACIS

 

[derfloh]

Let the WebRootCA.pem contain the whole CA chain. Only the intermediate(S) and the root certificate.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

derfloh: So download the PEM Chain, rename WebRootCA.pem and load to the primary folder?

Below is the Chain:

ACSS / ACIS

 

[derfloh]

Yes

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

derfloh: Appreciate it!

ACSS / ACIS