Changed the pjsip SSL method to tls1_1 and then to default (TLSv1). The extension didn’t register in either of the two cases and the same errors were shown by the PBX.
My interpretation is that during the initial TLS handshake, pjsip received an alert from the SPA indicating that the SPA did not recognize the CA that signed the server’s certificate.
That’s consistent with my interpretation of the (truly awful) admin guide, which implies that the only built-in CA certificate is Cisco’s, so you would need a custom CA to use a standard cert. However, it’s inconsistent with:
I can think of several possibilities: You set up the server cert with a Cisco signing tool. EPM, behind the scenes, provisioned the SPA with a custom CA. You manually set up a custom CA but forgot. The SPA used to support ‘regular’ CAs but doesn’t anymore. Do any of these make sense?
In any case, I recommend that the OP set up a custom CA and confirm that it shows in Custom CA Info.
I can’t see how that could work, because the LE site is HTTPS only and the SPA won’t accept it because it doesn’t recognize the CA (catch 22). Download the cert to a local system, make it available by TFTP or HTTP, confirm (in your local log) that the SPA actually fetched it, then check its Custom CA Status.
My feeling is also that I should provide a path to the CA since I use a FreePBX implementation configured to use certificates signed by Let’s Encrypt. The SPA never gave me the opportunity to accept any certificate so I guess I need to provision it manually.
Which certificate should I point to from this list?
No, when using a proper and public TLS cert you just need to set the device up to use the TLS settings and tell the device to use TLS/secure calling. That’s it. Just like a web browser you connect to the server and the server has the TLS cert to be dealt with.
I understand that TLSv1.2 may not be supported given that the last firmware for SPA112 was released two years ago but this doesn’t explain why TLSv1.1 or even v1 aren’t working. I think @Stewart1 has a point when proposing to:
Download the cert to a local system, make it available by TFTP or HTTP, confirm (in your local log) that the SPA actually fetched it, then check its Custom CA Status.
I’ll set up a web server with lighttpd, put the certificates there and point the SPA112 to take them from there.
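One way to do the two checks Stewart1 describes (serve the CA certificate by HTTP, then confirm in the local log that the SPA actually fetched it), matching the lighttpd setup planned in the last post. This is an added example, not code from the thread: it splits a PEM bundle into individual certificates so the CA cert can be served on its own, and scans a Common Log Format access log (the format lighttpd writes by default) for a successful GET of that file by the phone's address. The log lines, file names, IPs and byte counts are constructed samples.

```python
import re
from datetime import datetime

# Constructed lighttpd access log excerpt (Common Log Format); 192.0.2.50 stands in for the SPA112.
SAMPLE_LOG = """\
192.0.2.50 - - [10/Oct/2023:14:02:11 +0000] "GET /ca/isrgrootx1.pem HTTP/1.1" 200 1939
192.0.2.77 - - [10/Oct/2023:14:02:30 +0000] "GET /index.html HTTP/1.1" 200 612
192.0.2.50 - - [10/Oct/2023:14:05:02 +0000] "GET /ca/missing.pem HTTP/1.1" 404 345
"""

# Constructed two-certificate PEM bundle (bodies are placeholders, not real certificates).
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n"
)

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def split_pem_bundle(text):
    """Return each PEM certificate block of a bundle as its own string, in file order."""
    return re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", text, re.S)

def fetches_of(log_text, path, client_ip=None):
    """List every GET of `path` in the log (optionally only from `client_ip`)."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m or m["method"] != "GET" or m["path"] != path:
            continue
        if client_ip and m["ip"] != client_ip:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append({"ip": m["ip"], "time": ts, "status": int(m["status"]),
                     "bytes": 0 if m["size"] == "-" else int(m["size"])})
    return hits

def phone_fetched_ca(log_text, path, phone_ip, expected_bytes=None):
    """True if the phone received a 200 for the CA file (and the whole file, if a size is given)."""
    ok = [h for h in fetches_of(log_text, path, phone_ip) if h["status"] == 200]
    if expected_bytes is not None:
        ok = [h for h in ok if h["bytes"] == expected_bytes]
    return bool(ok)

if __name__ == "__main__":
    print(len(split_pem_bundle(SAMPLE_BUNDLE)), "certificate(s) in bundle")
    print("SPA fetched CA:", phone_fetched_ca(SAMPLE_LOG, "/ca/isrgrootx1.pem", "192.0.2.50", 1939))
```

Compare the byte count in the log against the size of the file on disk: a 200 with a short transfer means the phone dropped the connection before getting the whole certificate.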