Yealink T4XG phones will not talk to FreePBX 14 over HTTPS
-
@jaredbusch said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
@brianlittlejohn said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
@jaredbusch yes, but this weekend since it is my production system.
I suspect it is all about the LE process since your GoDaddy cert has no issues. But that would be the only other difference to verify.
see you say that, but there was no issue with FreePBX 13... LE worked just fine. just weird.
-
@dashrender said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
@jaredbusch said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
@brianlittlejohn said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
@jaredbusch yes, but this weekend since it is my production system.
I suspect it is all about the LE process since your GoDaddy cert has no issues. But that would be the only other difference to verify.
see you say that, but there was no issue with FreePBX 13... LE worked just fine. just weird.
But LE relies on base OS packages that may have changed something.
-
@brianlittlejohn said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
@jaredbusch Yea, I can't think of anything else that would cause it either... I haven't upgraded any of the systems that i used LE on to 14 yet to try them.
I found a GoDaddy cert at a client that had a SAN that we were no longer using right now. SO I updated that DNS to point to my test PBX instance and loaded that cert onto my PBX. I changed the active certificate in SysAdmin and told the phone to provision to the new DNS name and it immediately provisioned.
So the problem is definitely the LE cert or cert process.
-
@jaredbusch said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
@brianlittlejohn said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
@jaredbusch Yea, I can't think of anything else that would cause it either... I haven't upgraded any of the systems that i used LE on to 14 yet to try them.
I found a GoDaddy cert at a client that had a SAN that we were no longer using right now. SO I updated that DNS to point to my test PBX instance and loaded that cert onto my PBX. I changed the active certificate in SysAdmin and told the phone to provision to the new DNS name and it immediately provisioned.
So the problem is definitely the LE cert or cert process.
I wonder if one of the intermediary certs for LE from Cent OS 7 that FreePBX is rolling?
-
@jaredbusch said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
@brianlittlejohn said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
@jaredbusch Yea, I can't think of anything else that would cause it either... I haven't upgraded any of the systems that i used LE on to 14 yet to try them.
I found a GoDaddy cert at a client that had a SAN that we were no longer using right now. SO I updated that DNS to point to my test PBX instance and loaded that cert onto my PBX. I changed the active certificate in SysAdmin and told the phone to provision to the new DNS name and it immediately provisioned.
So the problem is definitely the LE cert or cert process.
We at least know where the issue is now.
-
@dashrender said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
@jaredbusch said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
@brianlittlejohn said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
@jaredbusch Yea, I can't think of anLE ything else that would cause it either... I haven't upgraded any of the systems that i used LE on to 14 yet to try them.
I found a GoDaddy cert at a client that had a SAN that we were no longer using right now. SO I updated that DNS to point to my test PBX instance and loaded that cert onto my PBX. I changed the active certificate in SysAdmin and told the phone to provision to the new DNS name and it immediately provisioned.
So the problem is definitely the LE cert or cert process.
I wonder if one of the intermediary certs for LE from Cent OS 7 that FreePBX is rolling?
Except I have specifically loaded the full LE cert and chain into the certificates section of the phone and it still failed. So just having everything on the phone is not enough to resolve.
-
@jaredbusch said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
@dashrender said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
@jaredbusch said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
@brianlittlejohn said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
@jaredbusch Yea, I can't think of anLE ything else that would cause it either... I haven't upgraded any of the systems that i used LE on to 14 yet to try them.
I found a GoDaddy cert at a client that had a SAN that we were no longer using right now. SO I updated that DNS to point to my test PBX instance and loaded that cert onto my PBX. I changed the active certificate in SysAdmin and told the phone to provision to the new DNS name and it immediately provisioned.
So the problem is definitely the LE cert or cert process.
I wonder if one of the intermediary certs for LE from Cent OS 7 that FreePBX is rolling?
Except I have specifically loaded the full LE cert and chain into the certificates section of the phone and it still failed. So just having everything on the phone is not enough to resolve.
Right, it's not the phone side. When I installed a godaddy cert on an exchange server a while ago, I had to install new intermediate certs on the exchange server, not the clients, to keep the clients happy with the new cert on the exchange server.
So I wonder if a cert is missing on the server side, something that the older phones are looking for.
I'll fully admit I don't understand the flow here, the need for intermediate certs anywhere but the actual cert servers themselves - but I recall having to do this in the past, so I'm mentioning it in case it's needed here.
This would also seem to explain why it worked in Cent OS 13, but not 14, if either Cent OS people or FreePBX folks removed some intermediate cert for version 14.
-
Have you had a renewal for the LE Cert since you updated to 14?
-
@brianlittlejohn said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
Have you had a renewal for the LE Cert since you updated to 14?
Yes. I have also tested against another non upgraded FreePBX 14 as well as now spinning up a test system.
-
Sorry to resurrect an old thread
@JaredBusch Did you ever get the phones to talk to the pbx (Freepbx 14) via https using the Let's Encrypt certs?
-
@romo said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
Sorry to resurrect an old thread
@JaredBusch Did you ever get the phones to talk to the pbx (Freepbx 14) via https using the Let's Encrypt certs?
Not the T4X G models. The S models work just fine.
Yealink wanted me to be their free tech support to collect all the packet captures and such. Screw that.
-
@JaredBusch I cannot get the T42S to talk to the pbx using https. I had to use http after reading your thread on the FreePBX forum and it started working. Hadn't even realized your trouble was only for the G models.
-
@romo said in Yealink T4XG phones will not talk to FreePBX 14 over HTTPS:
@JaredBusch I cannot get the T42S to talk to the pbx using https. I had to use http after reading your thread on the FreePBX forum and it started working. Hadn't even realized your trouble was only for the G models.
I have a T42S working just fine. Also a T46S.
Is your firmware up to date?
-
@jaredbusch They are running 66.83.0.30
-
@jaredbusch I can reach https://my-pbx-url.com:1443 manually just fine, but the phones don't seem to even try to reach the URL and once I change to HTTP and its port the phones download the config file just fine.
-
I’ve been on vacation and I’m on the road all day today and tomorrow but I will look at that I will actually be in an office that I have the S model and I can test that
-
@jaredbusch Great thank you =), enjoy the rest of your vacations.
-
and an update.... if you use
certbotinstead of the built in certificate manager module to generate the LE certificate, everything works as expected..........So Sangoma has something different in their implementation of Let's Encrypt.
The Sangoma implementation works fine in every browser I have ever touched. It has strictly been the Yealink phones that refuse to work right.
But I just installed
certboton my FreePBX 14 system, generated a new cert, and then copied the cert and key into Certificate Manager's "import" location. Imported the cert and made it active in apache and everything works. -
@JaredBusch wow, that is seriously weird.
