Yealink T4XG phones will not autoprovision over HTTPS with FreePBX 14

sorvani · October 5, 2017, 9:56pm

Not using Endpoint Manager

Using a T46G: I have the following files y000000000028.cfg and 001565649346.cfgin /tftpboot
Using a T42G: I have the following files y000000000029.cfg and 00156565fb3c.cfg in /tftpboot

New install FreePBX 14 is setup with a valid LE cert
New install FreePBX 13 is setup with a valid LE cert
Upgraded FreePBX 13 to FreePBX 14 install is setup with a valid LE cert

Phones are on a network listed as trusted.

SysAdmin Port Management is configured as pictured in all three systems:

On the FreePBX 13 system I can enter https://pbx.domain.com:1443 into the Yealink phones and they will auto provision nearly instantaneously.

On both of the FreePBX 14 systems when I enter https://pbx.domain.com:1443 it does nothing.
On both of the FreePBX 14 systems when I enter http://pbx.domain.com:84 they respond much slower than the FreePBX 13 system, but the phones do eventually autoprovision.

sorvani · October 5, 2017, 9:59pm

From a computer on the same network I can use a browser and open all of the listed config files.

https://pbx.domain.com:1443/y000000000028.cfg
https://pbx.domain.com:1443/001565649346.cfg
https://pbx.domain.com:1443/y000000000029.cfg
https://pbx.domain.com:1443/00156565fb3c.cfg

sorvani · October 5, 2017, 10:01pm

An additional, likely related note, I cannot access phonebook.xml manually placed in /var/www/html from the phones. Again this works on the FreePBX 13 instance, but not the FreePBX 14 instances. Again it is available via URL in my browser.

https://pbx.domain.com/phonebook.xml

tonyclewis · October 6, 2017, 12:57am

Since you can access them from your local computer that woild.mean it’s not a PBX issue but something to do with your phones not FreePBX but your apache logs would verify that for you.

Marbled · October 6, 2017, 1:18am

Hi!

Who is the CA (Certificate Authority) on the certificate you use for HTTPS? Is there any possibility it is not recognized by the phones?

Is it self-signed?

Good luck and have a nice day!

Nick

Dashrender · October 6, 2017, 1:00pm

New install FreePBX 14 is setup with a valid LE cert
New install FreePBX 13 is setup with a valid LE cert
Upgraded FreePBX 13 to FreePBX 14 install is setup with a valid LE cert

He’s using Let’s Encrypt certs.

Marbled · October 6, 2017, 2:06pm

Oops, you are right, I missed this… I guess that`s what happens when you have a lot of other things on your mind…

I guess if the firmware on those phone is too old it might not have the Let’s Encrypt CA in it in which case the firmware would need to be updated or that CA manually added to the trusted CA list.

According to this:

http://download.support.yealink.com/download?path=upload%2Fattachment%2F2017-6-27%2F3%2F783c6fbf-42e3-4da1-8bfe-67ee220e3a88%2FUsing%20Security%20Certificates%20on%20Yealink%20IP%20Phones_V81_72.pdf

on page 16 the firmware must not be earlier than X.80.0.95 to support Let’s Encrypt…

If the firmware cannot be updated for some reason the first few pages of that PDF explain how to add trusted certificates…

Good luck and have a nice day!

Nick

sorvani · October 6, 2017, 2:26pm

The same phone with the same firmware works on FreePBX 13 with the LE cert.

Tested with firmware 81.0.20, 81.0.110 (I think), and 82.0.20 (current).

Marbled · October 6, 2017, 2:35pm

Hi!

Ok…

Is there anything interesting in your HTTP server logs?

I guess ultimately what could be interesting is to compare the configuration files System Admin Pro produced on both system to see if something seems to be missing in the FreePBX 14’s produced ones…

(Hopefully things didn’t change much on that level between both versions…)

Good luck and have a nice day!

Nick

sorvani · October 6, 2017, 3:31pm

looking for the logs, I cannot find anything. when a valid system hits, I can see it in access_log.

The ssl_error log is empty and has been since 2016.

The only thing I see in access_log is repeated timeouts when I tell the phone to provision with https

64.53.188.39 - - [06/Oct/2017:10:29:17 -0500] "-" 408 - "-" "-"
64.53.188.39 - - [06/Oct/2017:10:29:46 -0500] "-" 408 - "-" "-"
64.53.188.39 - - [06/Oct/2017:10:30:16 -0500] "-" 408 - "-" "-"
64.53.188.39 - - [06/Oct/2017:10:30:45 -0500] "-" 408 - "-" "-"

sorvani · October 6, 2017, 3:32pm

[root@pbx ~]# ls -l /var/log/httpd
total 46104
-rw-r--r--  1 root root  6784013 Oct  6 10:31 access_log
-rw-r--r--  1 root root   101243 Sep 11 03:24 access_log-20170911
-rw-r--r--  1 root root   908614 Sep 17 03:23 access_log-20170917
-rw-r--r--  1 root root  1014085 Sep 25 09:25 access_log-20170925
-rw-r--r--  1 root root 38078761 Oct  1 03:37 access_log-20171001
-rw-r--r--  1 root root     2742 Oct  5 10:05 error_log
-rw-r--r--  1 root root    12883 Sep 11 03:47 error_log-20170911
-rw-r--r--  1 root root     8360 Sep 17 06:59 error_log-20170917
-rw-r--r--  1 root root     3305 Sep 25 09:29 error_log-20170925
-rw-r--r--  1 root root     1587 Oct  1 03:37 error_log-20171001
-rw-r--r--  1 root root        0 Oct 16  2016 ssl_access_log
-rw-r--r--. 1 root root    21393 Oct  2  2016 ssl_access_log-20161002
-rw-r--r--  1 root root    59064 Oct  9  2016 ssl_access_log-20161009
-rw-r--r--  1 root root     8669 Oct 10  2016 ssl_access_log-20161016
-rw-r--r--  1 root root        0 Oct 16  2016 ssl_error_log
-rw-r--r--. 1 root root    10997 Oct  2  2016 ssl_error_log-20161002
-rw-r--r--  1 root root    14011 Oct  9  2016 ssl_error_log-20161009
-rw-r--r--  1 root root     1947 Oct 10  2016 ssl_error_log-20161016
-rw-r--r--  1 root root        0 Oct 16  2016 ssl_request_log
-rw-r--r--. 1 root root    23391 Oct  2  2016 ssl_request_log-20161002
-rw-r--r--  1 root root    69536 Oct  9  2016 ssl_request_log-20161009
-rw-r--r--  1 root root     9621 Oct 10  2016 ssl_request_log-20161016

sorvani · October 6, 2017, 3:33pm

The ciphers and other settings in ssl.conf match between FreePBX 13 and FreePBX 14.

sorvani · October 6, 2017, 3:42pm

I change the autoprovision to http://pbx.domain.com:84

and boom.

64.53.188.39 - - [06/Oct/2017:10:40:56 -0500] "GET /001565649346.boot HTTP/1.1" 404 215 "-" "Yealink SIP-T46G 28.82.0.20 00:15:65:64:93:46"
64.53.188.39 - - [06/Oct/2017:10:40:56 -0500] "GET /y000000000000.boot HTTP/1.1" 404 216 "-" "Yealink SIP-T46G 28.82.0.20 00:15:65:64:93:46"
64.53.188.39 - - [06/Oct/2017:10:40:56 -0500] "GET /y000000000028.cfg HTTP/1.1" 200 10433 "-" "Yealink SIP-T46G 28.82.0.20 00:15:65:64:93:46"
64.53.188.39 - - [06/Oct/2017:10:40:58 -0500] "GET /T46-28.82.0.20.rom HTTP/1.1" 200 23234624 "-" "Yealink SIP-T46G 28.82.0.20 00:15:65:64:93:46"
64.53.188.39 - - [06/Oct/2017:10:41:02 -0500] "GET /001565649346.cfg HTTP/1.1" 200 4421 "-" "Yealink SIP-T46G 28.82.0.20 00:15:65:64:93:46"

sorvani · October 6, 2017, 4:53pm

Even thought the phone is on firmware X.82.0.20,

I grabbed the certs from the PBX and put them in the phone. It makes no difference.

sorvani · October 6, 2017, 4:56pm

I also disabled the security validations

Marbled · October 6, 2017, 6:04pm

Hi!

Are they in the same subnet? If they are, do they have matching subnet masks (I once saw pretty weird problems caused by this…).

Good luck and have a nice day!

Nick

sorvani · October 6, 2017, 6:22pm

No, The phones are in my office, the PBX (all three examples) is hosted on Vultr in the Chicago Datacenter.

sorvani · October 6, 2017, 9:43pm

Where are the logs that should be recording failures? The ssl logs (both ssl_access_log and ssl_error_log) are empty as shown above.

tonyclewis · October 7, 2017, 1:38am

If they are empty that would appear the phone is not reaching the PBX. Look at your phone logs.

Marbled · October 7, 2017, 1:41am

Have you looked at your firewall logs both on the PBX and at your location…

That timeout thing logged in Apache’s logs bugs me, it sounds like the PBX might be unable to talk back to the phone…

Good luck and have a nice day!

Nick