DST Root CA X3 certificate has expired

Hello,

I have several Yealink W60B phones that can’t connect using TLS.
I have the error: DST Root CA X3 certificate has expired

This is the latest firmware version: 77.85.0.25
On FreePBX 15 with the latest update.

I am using a Let's Encrypt certificate valid until 2023-02-27 (89 days), and the "Remove DST Root CA X3" option is enabled.

I have more than 300 extensions connected without problems on this server in TLS with other phone models.

Any idea?

That root expired in 2021, see DST Root CA X3 Expiration (September 2021) - Let's Encrypt

If you are not able to get a Yealink firmware update that has the ISRG Root installed, then you probably can't use Let's Encrypt for your FreePBX SIP TLS config (but you could use it for the web server).

You can get a Comodo cert for $11 for a year at namecheap.com. If you want to keep it free, zerossl.com, but you have to manually renew and re-import this every 88 days because the FreePBX certificate manager only works with Let's Encrypt.

The firmware of this phone is supposed to have the correct root certificate according to Yealink!
In addition there are more than 300 extensions (in TLS) with different phone models that work very well with this certificate.

When I register this phone on a 3CX server in TLS with a Let's Encrypt certificate: no problem!
So there is a problem with FreePBX.

If there are 300+ extensions of other phone models that work correctly with that FreePBX TLS config, how are you concluding that the problem is with FreePBX?

The client logs (that is, the logs on the Yealink phones) should have more information to help troubleshoot.

When I register this phone on a 3CX server in TLS with a Let's Encrypt certificate: no problem!
When I register this phone on a FreePBX server : DST Root CA X3 certificate has expired.

In the phone log :

<131>Nov 29 07:33:52  sua [1427.1737]: NET <3+error > [255] verify error:num=10:certificate has expired:depth=3:/O=Digital Signature Trust Co./CN=DST Root CA X3
<131>Nov 29 07:33:52  sua [1427.1737]: NET <3+error > [255] X509_V_ERR_CERT_HAS_EXPIRED issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
<131>Nov 29 07:33:52  sua [1427.1737]: NET <3+error > [255] depth=3:/O=Digital Signature Trust Co./CN=DST Root CA X3
<131>Nov 29 07:33:52  sua [1427.1737]: NET <3+error > [255] depth=2:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
<131>Nov 29 07:33:52  sua [1427.1737]: NET <3+error > [255] depth=1:/C=US/O=Let's Encrypt/CN=R3
<131>Nov 29 07:33:52  sua [1427.1737]: NET <3+error > [255] depth=0:/CN=sbc.xxx.net
<131>Nov 29 07:33:53  sua [1427.1737]: NET <3+error > [255] Failed to verify remote certificate(skip the verification)
<131>Nov 29 07:33:53  sua [1427.1737]: NET <3+error > [255] SSL ERROR ZERO RETURN - SHUTDOWN

In Asterisk SIP Settings there's an option not to check the certificate, have you tried that? Changes on this page may require an Asterisk restart.

Could you also post the log of the phone connecting to 3CX with a Let's Encrypt certificate?

This is what I have in the log at the time of the connection, which despite these errors connects correctly:

<131>Nov 30 17:42:21  sua [1435.2098]: NET <3+error > [007] New binding with 185.xxx.xxx.84 5061
<131>Nov 30 17:42:21  sua [1435.2098]: NET <3+error > [255] verify error:num=20:unable to get local issuer certificate:depth=1:/C=US/O=Let's Encrypt/CN=R3
<131>Nov 30 17:42:21  sua [1435.2098]: NET <3+error > [255] X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
<131>Nov 30 17:42:21  sua [1435.2098]: NET <3+error > [255] verify error:num=27:certificate not trusted:depth=1:/C=US/O=Let's Encrypt/CN=R3
<131>Nov 30 17:42:21  sua [1435.2098]: NET <3+error > [255] X509_V_ERR_CERT_UNTRUSTED issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
<131>Nov 30 17:42:21  sua [1435.2098]: NET <3+error > [255] depth=0:/CN=xxxxxx.3cx.ch
<131>Nov 30 17:42:22  sua [1435.2098]: NET <3+error > [255] Failed to verify remote certificate(skip the verification)

Strange this difference in behavior …

Verify Client is OFF
Verify Server ON

Should I set Verify Server OFF as well ?

but in your phone’s log,

so it looks as though the DST Root was not removed. Can you examine the certificate in /etc/asterisk/keys and see?

I see the ISRG Root X1 and R3 in the CA-bundle, but no trace of the X3 in the directory.
I also checked the fullchain.crt file, no X3 either.

Tonight, outside of production time, I'm going to put a paid certificate in place, it's super annoying. I hope it works afterwards :grin:

Well, I have a new certificate, but still no success.
I think I just have to burn (to purify by fire) the telephones that have this error :joy:

<131>Dec  1 21:24:09  sua [1427.1776]: NET <3+error > [000] New binding with xxx.xxx.xxx.xxx 5061
<131>Dec  1 21:24:13  sua [1427.1776]: NET <3+error > [255] depth=2:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
<131>Dec  1 21:24:13  sua [1427.1776]: NET <3+error > [255] depth=1:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018
<131>Dec  1 21:24:13  sua [1427.1776]: NET <3+error > [255] depth=0:/CN=xxx.xxx.net
<131>Dec  1 21:24:14  sua [1427.1776]: NET <3+error > [255] SSL ERROR ZERO RETURN - SHUTDOWN
<131>Dec  1 21:24:14  sua [1427.1776]: NET <3+error > [255] EVP lib in (null) (null)
<131>Dec  1 21:24:14  sua [1427.1776]: DLG <3+error > [255] tls recv message failed, error_code[6]; socket:remote_ip[xxx.xxx.xxx.xxx], remote_port[5061]
<131>Dec  1 21:24:14  sua [1427.1776]: DLG <3+error > [255] ssl err detail[code_value: 0, str: error:00000000:lib(0):func(0):reason(0)]

Edit.
On the server, I have this error when connecting:

[2022-12-01 21:30:12] WARNING[20801]: pjproject: <?>:                      SSL SSL_ERROR_SSL (Read): Level: 0 err: <218910881> <asn1 encoding routines-ASN1_item_verify-unknown message digest algorithm> len: 65535 peer: 172.16.0.63:11880
[2022-12-01 21:30:15] WARNING[20801]: pjproject: <?>:                      SSL SSL_ERROR_SSL (Read): Level: 0 err: <218910881> <asn1 encoding routines-ASN1_item_verify-unknown message digest algorithm> len: 65535 peer: 172.16.0.63:11881
[2022-12-01 21:30:23] WARNING[20801]: pjproject: <?>:                      SSL SSL_ERROR_SSL (Read): Level: 0 err: <218910881> <asn1 encoding routines-ASN1_item_verify-unknown message digest algorithm> len: 65535 peer: 172.16.0.63:11882
[2022-12-01 21:30:31] WARNING[20801]: pjproject: <?>:                      SSL SSL_ERROR_SSL (Read): Level: 0 err: <218910881> <asn1 encoding routines-ASN1_item_verify-unknown message digest algorithm> len: 65535 peer: 172.16.0.63:11883
[2022-12-01 21:30:39] WARNING[20801]: pjproject: <?>:                      SSL SSL_ERROR_SSL (Read): Level: 0 err: <218910881> <asn1 encoding routines-ASN1_item_verify-unknown message digest algorithm> len: 65535 peer: 172.16.0.63:11884
