Reoccurring certificate warnings on phones 2

[thubley]

This is for an IPO running 11.1.1.0.0 with 9608 desk phones.

We have been having a minor issue at a customer site where their phones will display a warning about an expired certificate. We've tried regenerating (and rebooting) but the error always seems to return. The cert itself isn't showing as expired and I'm running out of ideas as to how to fix this.

I've gone so far as update the 46xxsettings so that it does not display certificate expiration warning messages (this worked for a few months but recently seems to have stopped)

This is the cert in question:

Old photo from a phone with the message:

I'm hoping someone far smarter than me will have idea as to what exactly I've missed to resolve this. Any ideas?

 

[derfloh]

The phone time is year 2023 but the certificate's validity starts in 2024. So from the phone's point it view it is out of the valid time range. Probably no evermore thought of the option that a certificate could begin to be valid in the future and so the message is that it is expired.

Ensure that your IPO has a valid and working time source.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[tlpeter]

I see you have called me? ow that was last year

BAZINGA!

I'm not insane, my mother had me tested!

 

[budbyrd]

The post states that it is an older photo so the date may not be the issue.

Dermis and feline can be divorced by manifold methods.*
*(Disclaimer for all advise given)--'Version Dependent'

 

[thubley]

The phone time is year 2023 but the certificate's validity starts in 2024. So from the phone's point it view it is out of the valid time range. Probably no evermore thought of the option that a certificate could begin to be valid in the future and so the message is that it is expired.

Ensure that your IPO has a valid and working time source.

That is an old photo - just to show an example of the message. The certificate has been regenerated multiple times since it was taken.

The IPO is using pool.ntp.org as a time service. Time on the phones is always correct to local time.

 

[sizbut]

That is an old photo - just to show an example of the message." - Still not a good example. That certificate was within 60-days of expiring, which is within the period when the IP Office starts sending out warnings.

Perhaps you'll share more current information about the current certificate and the current warning.

And more importantly, don't edit the 46xxsettings.txt file, use the 46xxspecials.txt if you really need to change things. Letting the IP Office auto-generate the 46xxsettings.txt file is usually more reliable as the IP Office automatically changes the auto-generated file to match changes in the system configuration.

Stuck in a never ending cycle of file copying.

 

[thubley]

Perhaps you'll share more current information about the current certificate and the current warning.

The certificate pictured is current. I'll try and get a current photo of the warning. I work remotely from this IPO so I can't just walk up to a phone myself to get that.

And more importantly, don't edit the 46xxsettings.txt file, use the 46xxspecials.txt if you really need to change things. Letting the IP Office auto-generate the 46xxsettings.txt file is usually more reliable as the IP Office automatically changes the auto-generated file to match changes in the system configuration.

I realize this, but that was the only way a few months ago I got any progress in getting rid of that warning and was based off of this post.

 

[derfloh]

So maybe it is just an expired CA certificate

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[thubley]

Here is a current photo of the warning on a phone:

The cert I thought is referenced in it is the one in the original post - which, again, has been regenerated, IPO rebooted and phones rebooted several times now. We first got reports of this issue November last year. In January, I thought I had found a fix adding SET CERT_WARNING_DAYS 0 to 46xxsettings. Phones started having the warning again end of May. The message can be cleared but it comes back. Its not the same phones each time the issue occurs (as in the extensions reported back in November are not the same as the ones reported now) and when it is occurring, the same extensions seem to get the message again and again.

Here is all the trusted cert store:

DigiCert SHA2 - Valid from 2013-03-08 to 2023-03-08
DigiCert - Valid from 2006-11-09 to 2031-11-09
ISRG - Valid from 2015-06-04 to 2035-06-04
GTS R1 - Valid from 2016-06-21 to 2036-06-21
GTS R2 - Valid from 2016-06-21 to 2036-06-21
Entrust - Valid from 2015-10-05 to 2030-12-05
(not pictured) SIP Product Certificate Authority - Valid from 2003-07-24 to 2027-08-07

The only suspicious one to me is the DigiCert SHA2 one, but we didn't start getting reports of this problem until November 2023.

I really am hoping someone can spot the really stupid thing I am overlooking.

 

[Westi]

the certificate you are looking for is the selfsigned certificate over top of the screen you posted. You see the issuer is your systems MAC address .avaya....

You need to recreate that and then a reboot on the phone should be resolving it until it expires again which depends on your system release.

Joe
FHandw, ACSS, ACIS

https://www.millsidetc.com/

 

[thubley]

To be clear, do you mean this cert?

Cause I've regenerated that one several times. I must be misunderstanding your advice.

 

[Westi]

That is the one I meant. Check the expiry via the view option.
If that is valid then the phones are not grabbing the new certificate.

Joe
FHandw, ACSS, ACIS

https://www.millsidetc.com/

 

[thubley]

That's showing as valid from 2024-01-07 to 2026-04-11 so I guess the phones aren't grabbing the new certificate, which helps as an understanding of the problem but I'm not sure how to resolve that.

 

[derfloh]

If you browse to IP Office with your browser https:<ip> and check the certificate information, what date of exiration do you see there? And compare the serial number of the certificate with the one in the phone display.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[thubley]

The date of expiration is the same as pictured and previously stated. The serial number on the certificate doesn't match though and I'm not sure why or how to resolve that.

 

[NYSTECH]

Just a shot in the dark but, have you tried factory defaulting/ clear the phones?

 

[thubley]

Not a bad shot in the dark - it's something I've considered as well but haven't done as it seemed like a bit of an extreme solution to a problem that so far has been more annoying and confusing rather than truly detrimental.

I can certainly could give that a try.

 

[Ekster]

We have found if a certificate expires before you update it, the phones will not pick it up, they error out on the old expired certificate and will need defaulting to clear it out. Once they have the old cert cleared out they will pick up the new one.

This also applies if one of the trusted root certificates expire too, you need to make sure they are all up to date before clearing the phones. The DigiCert SHA2 certificate on our system expires in 2030, so i would make sure that is up to date too.

“Some humans would do anything to see if it was possible to do it.
If you put a large switch in some cave somewhere, with a sign on it saying 'End-of-the-World Switch. PLEASE DO NOT TOUCH'.
The paint wouldn't even have time to dry.”

Terry Pratchet