Phones using EPM asking for login after recent update

I’m having an issue that I’ve been fighting for a few days with no success. A customer reported that their phones started showing “HTTP(S) ID/PW CONFIG” windows, with a Username and Password prompt. Dismissing the window let the phone work fine otherwise, but the message would come back after a little while.

The FreePBX install is a VM at Vultr running 15.0.17.48. They use option 66 to register to the PBX using https, although I’ve since noticed that the templates were switching them to http. The phones had all been working fine for four months since original install and there were no recent phone nor network changes. Over the weekend, the PBX ran automated module updates: api, backup, cel, certman, core, digiumaddoninstaller, endpoint, filestore, findmefollow, firewall, framework, pm2, restapps, sangomaconnect, sipstation, sysadmin, vmblast, voicemail, webrtc. That’s when the problem started.

The phones are Grandstream GXP-2170s. The phone was originally running 1.0.11.10; during testing, I upgraded it to the latest, 1.0.11.39, but that didn’t help.
I have factory reset the phone many times; the message always comes back. I’ve tried switching between all-https and all-http. (SSL is via Let’s Encrypt and is valid until October, so that shouldn’t be a problem; it’s fine on the web interface.) I’ve taken a new phone out of the box and tried to connect it and it also got the prompt.

I tried downgrading endpoint and sysadmin to the pre-update versions, but that didn’t help. (For the record, during the weekend update, endpoint went from 15.0.39.93 to 15.0.41 and sysadmin went from 15.0.21.72 to 165.0.21.75.) I’ve tried disabling all unused commercial modules (such as phone apps) in case they were triggering the prompt. We do NOT use Sysadmin Pro; I know it’s possible to change provisioning passwords in there, but we haven’t done anything like that. The PBX is a pretty simple configuration; nothing exotic.

Attempting to sign in at the phone prompt fails every time and promptly puts our IP address in the apache-tcpwrapper jail.
The Apache logs show it trying to connect:
[Thu Aug 26 13:20:41.591114 2021] [auth_basic:error] [pid 21045] [client (our IP address):37137] AH01618: user 102 not found: /cfgc074ad2ab060.xml
…with other XML files listed afterwards. So I’m really not sure what it’s trying to log into. It does register fine using 102 as an extension; it’s only this additional window that’s the problem.

My suspicion is that one of the updates added some sort of authentication request somewhere and downgrading left that in its place, but I can’t find anything. The only changes in the basefile are for specifying the location for weather.

Any suggestions would be greatly appreciated! Thank you!
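An added example, not part of the post above and not FreePBX code: a small parser for the `auth_basic` lines in the Apache error_log quoted in the post, grouping failures per client and separating AH01618 (the user name is absent from the credentials file) from AH01617 (the password is wrong). The sample lines, the function names and the `max_retry` threshold are assumptions; the threshold stands in for whatever the fail2ban jail is configured with.

```python
import re
from collections import defaultdict

# Constructed sample in the error_log format quoted above. Client addresses are
# documentation-range placeholders; every path except the first is invented.
SAMPLE_LOG = """\
[Thu Aug 26 13:20:41.591114 2021] [auth_basic:error] [pid 21045] [client 203.0.113.10:37137] AH01618: user 102 not found: /cfgc074ad2ab060.xml
[Thu Aug 26 13:20:43.102233 2021] [auth_basic:error] [pid 21045] [client 203.0.113.10:37139] AH01618: user 102 not found: /cfg.xml
[Thu Aug 26 13:20:45.000001 2021] [auth_basic:error] [pid 21046] [client 203.0.113.10:37140] AH01617: user 102: authentication failure for "/cfg.xml": Password Mismatch
[Thu Aug 26 13:21:02.500000 2021] [auth_basic:error] [pid 21050] [client 198.51.100.7:40222] AH01618: user 105 not found: /cfgc074ad2ab061.xml
[Thu Aug 26 13:21:05.000000 2021] [core:notice] [pid 21000] AH00094: Command line: '/usr/sbin/httpd'
"""

# AH01618 = user name absent from the credentials file; AH01617 = wrong password.
LINE_RE = re.compile(
    r'\[client (?P<ip>[^\]]+):\d+\] (?P<code>AH0161[78]): user (?P<user>\S+?)'
    r'(?: not found: (?P<p1>\S+)|: authentication failure for "(?P<p2>[^"]+)")'
)

def summarize(log_text):
    """Group basic-auth failures by client address."""
    stats = defaultdict(lambda: {"unknown_user": 0, "bad_password": 0,
                                 "users": set(), "paths": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an auth_basic failure line
        entry = stats[m["ip"]]
        kind = "unknown_user" if m["code"] == "AH01618" else "bad_password"
        entry[kind] += 1
        entry["users"].add(m["user"])
        entry["paths"].add(m["p1"] or m["p2"])
    return dict(stats)

def likely_jailed(stats, max_retry=3):
    """Clients whose failure count reaches the assumed ban threshold."""
    return sorted(ip for ip, s in stats.items()
                  if s["unknown_user"] + s["bad_password"] >= max_retry)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in stats.items():
        print(ip, s)
    print("at or over threshold:", likely_jailed(stats))
```

A client that only ever produces `unknown_user` counts is offering a name the provisioning credentials file does not contain, which is a different fault from a mistyped password.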

When EPM updates, it does not rebuild the templates. Or at least it never has in the past.

Do you know when templates were rebuilt last?

Some additional info. I set up syslog and captured the logs from the phone as it booted and found this:
GXP2170_PROVN: USER.INFO [mac addr][1.0.11.39] : setup image source type net|
GXP2170_PROVN: USER.INFO [mac addr][1.0.11.39] : another response 401|
GXP2170_PROVN: USER.INFO [mac addr][1.0.11.39] : could not download http://(PBX URL):84/cfg(mac addr).xml (No error)|
GXP2170_PROVN: USER.INFO [mac addr][1.0.11.39] : unable to download config data|
GXP2170_PROVN: USER.INFO [mac addr][1.0.11.39] : config update not completed|

and several variations of that. If I try the URL in a web browser, it does prompt for authentication. The phone should have the correct authentication info already since it’s registering fine, but it’s not able to use those for downloading configs/firmware apparently, though it does get the configuration, with BLF setup, etc.

These probably hadn’t been re-setup for a couple months but there had been no changes that I’d made. The templates did all show that they hadn’t been rebuilt since the latest changes (yellow background), I’m guessing that’s because of the EPM update?

As part of testing, I did rebuild the templates several times, and alternated between a couple different templates - the normal one it had and a testing one that included a firmware update, which had been working when I had set it up, a couple months ago. The templates are otherwise identical and the phone gets the prompt with both templates.

Can you please upgrade sysadmin module to the latest edge i.e. v15.0.21.78 and then perform Sysadmin -> port management -> submit (without any changes). This will fix the HTTP username/password prompt.

It is a one time $25 charge. This seems silly if you are willing to buy EPM and spend $26/year to keep it updated.

This is not the apache log. Look here: tail -f /var/log/httpd/access_log
You should see stuff like this.

Edit: Or what @kgupta1 said…

Bad QA again?


I have nothing against Sysadmin Pro, but we haven’t seen a need for its features. It might be nice to make mail configuration easier but I’ve had no problem setting that up in SSH.

The log I quoted is an Apache log: the error_log. The log you quoted is the access_log.

Thanks! That did fix it. I find it a bit surprising that I haven’t seen any other mention of this in the support forums, surely we’re not the only ones in this situation.

I did a phone reboot and it still looked OK. I did a factory reset and it didn’t provision thoroughly; I just got the first two buttons, not the full BLF configuration that it had before. I’ll look and see if there’s some other setting that got messed up, but this was working OK before updating sysadmin.

Now that sysadmin is updated, can I safely turn the Edge track back off in Advanced Settings? This is a production box and I’d rather keep it in the standard module updates.

Now to clean up all the settings I fiddled with in my days of troubleshooting…

False alarm on the missing BLFs; that was a template issue.

In checking that, I did roll back to sysadmin 15.0.21.72, factory reset the phone again, and it was fine, with no login prompt.

I updated to 15.0.21.75 again (the one that caused the problems in the first place), and the prompt has not reappeared. So it looks like the fix is re-applying the ports on the Port Management page; going to the edge .78 release may or may not be necessary.

I’ve also switched DHCP and the templates back to full https and factory reset the phone again, and all is still well.

I just encountered none of my Yealink phones provisioning because the password was wrong and Yealink did some sort of RPS upgrade recently that knocked them off. This was pretty frustrating but it was our own system that we have set up on automatic updates to find and ward off this type of issue before it affects any clients.

I found I could just set an .htaccess style password in /etc/httpd/provis.http.auth
For instance user “stop” with password: “askingformoremoney” would be sha1:
stop:{SHA}emaiXmImBocrRSYNnZjovpJBNCg=
OR md5:
stop:$apr1$b4v1l7tj$wP8nYR/2OuInYvyYCC/QX.
Please generate your own .htaccess username and password using an online generator and do not use this one.

This allowed me to re-provision again all the phones after the latest freepbx updates.
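An added example, not part of the post above and not FreePBX code: a local check of an htpasswd-style file like the one the post edits. It names each entry's hash scheme from its prefix, lists users whose stored hashes are identical (visible because `{SHA}` has no salt), and builds a `{SHA}` line without a web form. The function names and the sample file are constructed for illustration.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample file; the $apr1$ value is a placeholder, not a real hash.
SAMPLE_AUTH = """\
# provisioning users (constructed)
phone1:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
phone2:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
phone3:$apr1$EXAMPLE0$placeholderplaceholder.
"""

# Prefixes used in Apache password files.
SCHEMES = [("$2y$", "bcrypt"), ("$apr1$", "apr1-md5"), ("{SHA}", "sha1-unsalted")]

def entries(text):
    """Yield (user, stored_hash) for each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, _, stored = line.partition(":")
            yield user, stored

def scheme_of(stored):
    """Name the hash scheme from its prefix."""
    for prefix, name in SCHEMES:
        if stored.startswith(prefix):
            return name
    return "other"  # crypt(3) or plaintext; inspect by hand

def sha_entry(user, password):
    """Build a {SHA} line locally: base64 of the raw SHA-1 digest, no salt."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return user + ":{SHA}" + base64.b64encode(digest).decode("ascii")

def shared_hashes(text):
    """Users whose stored hash is identical, which an unsalted scheme exposes."""
    groups = defaultdict(list)
    for user, stored in entries(text):
        groups[stored].append(user)
    return [users for users in groups.values() if len(users) > 1]

if __name__ == "__main__":
    for user, stored in entries(SAMPLE_AUTH):
        print(user, scheme_of(stored))
    print("same password:", shared_hashes(SAMPLE_AUTH))
    print(sha_entry("demo", "password"))
```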
