I am trying to use TLS and SRTP for my extensions for a Vultr Hosted FreePBX install. This system has been running just fine for months now, D65 works great no issues. No Vultr firewall, just the FreePBX firewall.
I have had a Lets Encrypt cert setup since the initial install. I did assign that cert in PJSIP tab under TLS/SSL/SRTP Settings…
I then enabled TLS and SRTP in the Extension, did the rebuild config in EPM and rebooted the phone. I now have a yellow triangle in the top right corner and any call I try to make I get a “Invalid SIP TLS Certificate, Erro code 0x4000000022” error.
To add, Ive been using HTTPS Admin WEBGUI access with the LetsEncrypt cert for a while now without issue. I have the lock next to my FQDN in Chrome when accessing the FreePBX Admin GUI which says site is secure and valid certificate… So Im not sure why I am getting a Invalid TLS Cert error when trying to use the same LetsEncrypt cert for TLS phone extensions??
Ok, so to provide an update. I wanted to test further to see if this was isolated to this D65 or not. I setup a 2nd extension with TLS and SRTP… Added the extension in EPM>Extension Mapping, defaulted this S705 I have here, added its MAC to my Vultr hosted FreePBX Deployment in my Sangoma Portal and selected HTTPS, set the correct HTTPS port and rebooted the phone. Booted up, provisioned just fine and ECHO test and test calls work perfectly.
So this is definitely a bug with Digium/D65 phones and TLS/SRTP… D65 works 100% with HTTP and not TLS/SRTP…
It was released in 2016… Not that old. And it still receives firmware updates from FreePBX… IDK but I have a ticket open with support so I guess we will find out.
So while waiting to hear back on my ticket I did some more testing this morning with the D65. I figured it out and the D65 is now working perfectly with TLS and SRTP. ECHO test and external calls and extension to extension are all working great. I have the Shield next to my LINE (TLS) and I have the shield next to outgoing calls (SRTP).
You have to manually enter into the phone where for it to find the server to pull the config from… I was selecting “Digium configuration server” during phone boot up and it asks for Server IP, Port and Transport type… I was entering the public IP of my Vultr PBX install, my TLS Port and selecting TLS as the transport… Thats when I would get the invalid SSL cert error every time.
I didnt see initially, across the bottom of the screen on this Digium Configuration Server screen…there is a toggle button that says IP/Host… Because the SSL cert uses your FQDN, I assume thats why I was getting the invalid ssl error because I was using the IP, not the FQDN on the cert…(well that was half of it)…
I hit the IP/Host toggle button which changed the Server box up top to allow me to enter a host name instead of IP. I entered my FQDN, my TLS port and TLS as the transport and it would still give me an invalid ssl cert error but a different error code this time…
After continuing to look through all the settings I found on boot up menu… Option 5> Network Settings there is Option 6> Allow Dangerous Unsigned SSL Certificate-NO… Not sure why I would have to enable this since Im using a valid LetsEncrypt signed cert but… I changed that option to YES and boom. The phone provisions and works perfect… I have the Shield next to my LINE (TLS) and I have the shield next to outgoing calls (SRTP).
Checking the logs
100793 [2021-08-07 09:47:58] VERBOSE[16403] res_pjsip/pjsip_options.c: Contact 100/sip:[email protected]:37430;transport=TLS;ob is now Reachable. RTT: 90.803 msec
100794 [2021-08-07 09:48:18] VERBOSE[16403] netsock2.c: Using SIP RTP Audio TOS bits 184
100795 [2021-08-07 09:48:18] VERBOSE[16403] netsock2.c: Using SIP RTP Audio CoS mark 5
What a mess but at least I got it working now. The FreePBX EPM Digium phones saga continues…
To test further, I just added a DB20N base station to this Vultr Deployment with TLS AND SRTP using Sangoma redirect server again then registered the DB20 handset. Working perfectly with TLS and SRTP as well.
Now have the DB20N Base Station and Handset, S705 and D65 all working great with TLS/SRTP on this Vultr hosted Deployment.!!
Just a little update in case anyone has the same issue, but Support has been into my PBX and had me perform a bunch of testing and confirmed this is a bug with TLS/SRTP and D65. Everything works perfectly with Sangoma S705 and DB20N…
They have engineering looking into the bug. Ill update once I here back.
Found this out during a session with @defcomllc
D phones won’t accept SSL MethodDefault and phones will fail with errors like EISSUER_MISMATCH
EUNTRUSTED
We set the SSL Methodtlsv1_2 and phone provisioned nicely; S-phones did not complain about this change either.