PJSIP TLS with Let's encrypt on Yealink T46S

Anyone got PJSIP TLS working on the Yealink T46S after the recent changes to Let’s Encrypt/cert management module?

FreePBX 15 - all modules updated including certificate management 15.0.48
Asterisk 16.6.2

TLS works on Sectigo with no issues. But I have been having problems with Let’s Encrypt. I upload the cert in Trusted Certificates in the Yealink T46S and it works with Sectigo but not with Let’s Encrypt.

Error:
SSL SSL_ERROR_SSL (Read): Level: 0 err: <218910881>

If anybody has made it work, kindly provide tips. Did you use Remove DST Root CA X3 or not?

Thanks.

Error:
SSL SSL_ERROR_SSL (Read): Level: 0 err: <218910881>

Not sure if this was working before the Let’s Encrypt DST Root CA X3 certificate expiry. This is my first time trying TLS with Let’s Encrypt on the Yealink.

Yealink T46S is on the latest firmware 66.86.0.15.

Use the Let’s Encrypt app to generate its own certificate while using the good working Sectigo for the Yealink phones. Are you using EPM for phone management or no?

I am using EPM for phone management.

Last night, I did some pending system updates on the system to see if that would make TLS work on the Let’s Encrypt. That included some updates to the openssl package. The client wants to use Let’s Encrypt instead of Sectigo. That’s the reason I am trying to make it work with Let’s Encrypt.

Now after the updates, it does not work even on the Sectigo.

Same error: asn1 encoding routines/verify unknown message digest algorithm. Some old related tickets/posts on similar problems are given below.

https://issues.freepbx.org/browse/FREEPBX-18222

I just want to find out if anyone got this working with some manual interventions or not.

Another unrelated question: Could I just make one endpoint UDP and the second endpoint TLS on the PJSIP? I am thinking if I could just configure the transport as “Auto” in the extension settings, I could register one endpoint with UDP and the second endpoint with TLS. Since the media encryption setting is common for both endpoints, if I configure that as SRTP, I guess I could make the UDP endpoint work with SRTP, as SRTP can be used with any transport.
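The numeric error the phone logs in the first post (err: <218910881>) and the text error quoted above are the same OpenSSL error. OpenSSL 1.x packs an error into 8 bits of library id, 12 bits of function id and 12 bits of reason code; 218910881 is 0x0D0C50A1, where library 13 is ERR_LIB_ASN1 ("asn1 encoding routines") and reason 161 is ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM ("unknown message digest algorithm"), i.e. the phone's TLS stack does not recognise the hash algorithm used in one of the certificate signatures in the chain. The script below is an added example written for this thread, not code from the thread or from FreePBX or Yealink; it decodes the packed number into its fields and tables only the two names that appear in this thread (any other code prints as a bare number; OpenSSL 3.x dropped the function field, so the layout here is the 1.x one the phone firmware evidently uses).

```shell
#!/bin/sh
# Added example, not from the thread: decode a packed OpenSSL 1.x error number
# such as the <218910881> that the Yealink logs into library / function / reason.
# Layout (OpenSSL 1.x): 8 bits library | 12 bits function | 12 bits reason.

err_lib()    { echo $(( ($1 >> 24) & 255 )); }
err_func()   { echo $(( ($1 >> 12) & 4095 )); }
err_reason() { echo $(( $1 & 4095 )); }
err_hex()    { printf '%08X\n' "$1"; }

# Only the library and reason names that this thread shows are tabled;
# anything else is reported by number so nothing is guessed.
lib_name() {
    case "$1" in
        13) echo "asn1 encoding routines" ;;   # ERR_LIB_ASN1
        *)  echo "lib $1" ;;
    esac
}

reason_name() {
    case "$1" in
        161) echo "unknown message digest algorithm" ;;  # ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM
        *)   echo "reason $1" ;;
    esac
}

# Print an ERR_error_string-style line for a decimal error number.
decode_openssl_error() {
    code="$1"
    printf 'error:%s:%s:func %s:%s\n' \
        "$(err_hex "$code")" \
        "$(lib_name "$(err_lib "$code")")" \
        "$(err_func "$code")" \
        "$(reason_name "$(err_reason "$code")")"
}

# Usage: decode_openssl_error 218910881
# -> error:0D0C50A1:asn1 encoding routines:func 197:unknown message digest algorithm
```

Run it as `sh decode.sh` after adding a call at the bottom, or source it and call `decode_openssl_error` with any decimal value a phone or Asterisk log prints; mapping the number back to the reason tells you whether to look at the certificate chain's signature algorithms (this case) or at something else entirely, such as a hostname or trust-store mismatch.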

I was able to get Let’s Encrypt to handle all of my TLS, including hard endpoints and VPN.

You’ll have to make sure your Let’s Encrypt module has port 80 access (Check in Firewall) and also double check to make sure you have DNS servers listed in System Admin → DNS. Next, delete the old certificates in your Certificate Management. Next, Click on Generate Let’s Encrypt Certificate. You’ll fill out a bunch of fields. Once your certificate generates, you should see a confirmation. While in Certificate Management, make sure this newly generated certificate is the System Default by clicking in the Default column next to the certificate’s name.

In Terminal, issue fwconsole restart to restart FreePBX and all associated modules.

Once your PBX has restarted, you’ll have to go into EPM and rebuild the config for each user since they are using a new certificate. Save, rebuild and restart all devices after applying.

On your extra question, use SRTP TLS for your pjsip extensions, no exception. Opportunistic SRTP is available but it causes problems when using pjsip in my experience.

I have done all of the above with no success. Have you tried this on a Yealink? If so, which model? And what SSL method did you use?

If this does not work, I am planning to use UDP for the Yealink as it is local to the PBX and make the remote extension TLS. Both endpoints would use SRTP.

I forgot to mention that I did not have to remove the DST X3 on the LE cert for my YeaLink SIP-T20P to connect via TLS.

In Settings —> Asterisk SIP Settings, click the chan_pjsip settings and verify under TLS/SSL/SRTP that the LE cert is selected next to Certificate Manager, verify SSL is set to tlsv1_2 and turn off verify client and verify server.

Next, verify your LE certificate is your HTTPS default by going to Sysadmin → HTTPS Setup. Go to the Settings tab and select your LE certificate in the drop-down menu. Next, make sure the list looks like this:


If you verify the LE certificate is functioning, securing traffic and all, verify that your phone is connecting to the proper HTTPS provisioning port (Sysadmin → Port Management). After you make any changes to anything related to how traffic is transported, your configs for each phone have to be saved, rebuilt and the phone re-provisioned for the changes to take effect.
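The thread turns on which certificates are in the chain the PBX serves and which of them the phone can verify (the expired DST Root CA X3 on one side, a signature digest the phone's TLS stack does not know on the other). Before touching the phone's "CA Certificates" and "Only Accept Trusted Certificates" settings, it helps to see exactly what is in the PEM chain file the certificate manager produced: each certificate's subject, issuer, signature algorithm and expiry. The script below is an added example written for this thread, not code from the thread or from FreePBX; the chain path and output directory are placeholders, the splitting needs only awk, and the per-certificate listing needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the thread: split a PEM chain (e.g. the fullchain
# file the Let's Encrypt module writes) into one file per certificate and list
# each one's subject, issuer, signature algorithm and expiry.
# Paths below are placeholders; adjust them to your PBX.

# split_chain BUNDLE OUTDIR: writes OUTDIR/cert1.pem, cert2.pem, ... in chain
# order and prints the number of certificates found (awk only, no openssl).
split_chain() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$bundle"
}

# describe_chain OUTDIR: for every split certificate show who it is, who signed
# it, which signature algorithm (and hash) was used, and whether it has already
# expired, which is what an expired DST Root CA X3 in the chain looks like.
describe_chain() {
    for c in "$1"/cert*.pem; do
        echo "== $c"
        openssl x509 -in "$c" -noout -subject -issuer -enddate
        openssl x509 -in "$c" -noout -text | grep 'Signature Algorithm' | head -n 1
        if openssl x509 -in "$c" -noout -checkend 0 >/dev/null; then
            echo "status: valid"
        else
            echo "status: EXPIRED"
        fi
    done
}

# Usage (placeholder paths):
#   split_chain /path/to/fullchain.pem /tmp/chain-parts
#   describe_chain /tmp/chain-parts
```

If the listing shows an expired root at the end of the chain, or a signature algorithm the phone firmware does not support, that is the certificate to remove from the served chain or to add to the phone's trusted CA list respectively; re-provision the phone afterwards, as the post above notes, since the phone only picks up the new chain on the next config rebuild.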

I guess since you had verify server as No, you did not upload the certificate in Trusted Certificates on the Yealink.

Let me try this for the SSL method tlsv1_2. I had that as default. And mine is a T46S. Not sure if that makes a difference.

I did still upload the certificate to the Trusted Certificates on the phone.

Well, I got it working with both Sectigo and Let’s Encrypt. It was not the SSL method. The thing that solved this was tweaking the parameters “Only Accept Trusted Certificates” and “CA Certificates” on the Yealink.

Kevin, I appreciate all the details provided by you. It was useful to know that TLS works on the Yealink and that I was doing the rest of the config correctly.

Glad to know I helped, even if I didn’t…

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.