Sangoma S500 Lets Encrypt Failing Validation

About a week ago I switched my SSL certificate to one issued via the automated tool for Let's Encrypt. Today, I did a yum update to bring my FreePBX 64-bit distro to 10.13.66-19 - 13.14.0-2.shmz65.1.156.

Only my Sangoma S500 phones can no longer register. My other ATAs and softphones have no problem. To test, I switched back to my previous certificate and the problem went away.

The firmware for my S500 is the following:

BOOT–2.0.3.36(2016-01-31 11:10:00)
IMG–2.0.4.27(2017-03-14 17:03:00)
ROM–2.0.4.27(2017-03-14 17:03:00)
DSP–9.0.3(Patch 1.0.0)

Also, seeing this line in my S500’s log file:

[03-24 12:18:13 50:5e:d5] WARNING: cert did not pass internal validation test

Same problem with our Sangoma phones!

I looked for a workaround to add the files to the basefile, but I did not find any documentation about which entry I have to use for this.

http://issues.freepbx.org/browse/FREEPBX-14484

<P20179>http://yoururltoawebserver/DSTRootCAX3.crt</P20179> # FirmwareUpGrade TCAUrl

It thinks your cert is not valid. @xrobau Any ideas?

I generated a Let's Encrypt cert with PBXact Manager.
After adding the DSTRootCAX3.crt to the basefile, all phones got registered instantly.

The same had to be done on all Aastra phones.

Yealink and Snom worked instantly without doing anything. They had the cert already included in the firmware. (This is also described in the Admin Guide of both manufacturers.)
https://www.identrust.com/certificates/trustid/root-download-x3.html

(Firefox and Chrome also accept my cert without any issues)

Are you saying it worked fine using SSL with LE before? Based on Mathias' reply it would have never worked, as it doesn't trust the root cert, so something is not adding up here between you two.

I only have one S500. It's not used a lot, so I can't say for certain if it did initially work with Let's Encrypt or not. Switching to Let's Encrypt, updating FreePBX, and updating the S500 firmware all happened in a matter of days.

Can you test on one of your implementations with the version number I posted?

Here is the guide from Yealink I used to set up TLS/SRTP.
Refer to the beginning of page 18: Yealink has made a listing of all certs included in the firmware.
http://download.support.yealink.com/download?path=upload%2Fattachment%2F2016-12-1%2F3%2Fe7707e2f-caea-4fa8-8d4b-b592cde25f31%2FUsing%20Security%20Certificates%20on%20Yealink%20IP%20Phones_V81_20.pdf

On all Sangoma phones I only use TLSv1 with SRTP on CHAN_SIP!
This extra basefile entry registered my Sangoma S500 and S700 phones instantly.
<P20179>http://yoururltoawebserver/DSTRootCAX3.crt</P20179> # FirmwareUpGrade TCAUrl

I tested 2.0.4.27
and 2.0.4.28

Both need the same changes.

Ok, but why did you state it was working before and after an update it doesn't? Facts are really important here.

As far as testing, I have no server anywhere I could set up LE on, as we don't allow port 80 or 443 opened on any firewall we have anywhere that would have a PBX, and LE requires access to one of those ports for setup.

I thought that maybe he thought he had changed the certs, but maybe it was applied after the yum update and server reboot, and then he noticed that the phones did not come up again.

It's just thinking about what could have happened, maybe…

I got it working. I too had to add IdenTrust's root certificate to the S500. They are cross-referencing Let's Encrypt's X3 certificate in the meantime, as their own root certificate will take time to get propagated into devices by devs.

I guess I could have added Let's Encrypt's root as well, but I just wanted to test if the S500 would be happy cross-referencing.

I believe this was fixed in Certificate Manager 13.0.36.6. You’ll need to upgrade this module then go into it and make the certificates default again. Then restart asterisk. In advanced settings you’d then see this:

I tried this today with my latest pbxact System with all Updates from Edge Track.

I made the certificate default again, rebooted the pbx.

The phones do not register without the Root CA from IdenTrust.
Also tried a factory reset, still no registration. (Registration Failed)

Adding P20179 Url again makes the phones work again.

The certificate from the PBX includes the chain, meaning requiring the root CA isn't needed. You should test the certificate you are sending from the PBX to make sure this is true, as it doesn't sound like it.

openssl s_client -showcerts -connect server:port

Just looked over,
the chain only contains the “Let’s Encrypt Authority X3”.

This is not enough, I think.
Our Aastra phones also needed the IdenTrust DST CA X3 to register correctly.


Right. You need the full chain. This is included now as part of Certificate Manager. Please show me the Advanced Settings for the Asterisk Web Server

You are providing the full chain.

Please run the command I stated earlier:

openssl s_client -showcerts -connect server:443
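The thread's fix is "look at what `openssl s_client -showcerts` actually sends and see whether the intermediate and the right root are there." Below is an added helper, not from the thread or from FreePBX, that parses the "Certificate chain" section of that command's output (saved to a file) and walks it: every certificate's issuer must be the subject of the next one, and the issuer of the last one is the trust anchor the phone must already hold. The sample output embedded in it is constructed, with the PEM bodies elided, and assumes the older slash-separated subject format.

```python
import re

# Constructed sample of `openssl s_client -showcerts -connect pbx:5061`
# output; PEM bodies are elided. Leaf -> Let's Encrypt X3 -> DST Root CA X3.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=pbx.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIF...constructed...
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIE...constructed...
-----END CERTIFICATE-----
---
Server certificate
"""

# Same server, but misconfigured to send only the leaf (constructed).
LEAF_ONLY_OUTPUT = """\
Certificate chain
 0 s:/CN=pbx.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIF...constructed...
-----END CERTIFICATE-----
"""

# Each chain entry is an " N s:<subject>" line followed by an "   i:<issuer>" line.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+s:(.*)\n\s+i:(.*)$", re.MULTILINE)


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in ENTRY_RE.finditer(output)]


def check_chain(output):
    """Return (ok, trust_anchor_needed, problems) for one s_client transcript."""
    chain = parse_chain(output)
    if not chain:
        return False, None, ["no certificates found in output"]
    problems = []
    for (subj, issuer), (next_subj, _) in zip(chain, chain[1:]):
        if issuer != next_subj:  # a hole in the chain: phone cannot build a path
            problems.append(f"gap after {subj}: need {issuer}, got {next_subj}")
    last_subj, last_issuer = chain[-1]
    if len(chain) == 1 and last_subj != last_issuer:
        problems.append("only the leaf certificate was sent; intermediate is missing")
    # If the last cert is self-signed the root itself was sent; otherwise the
    # phone must already trust the last issuer (here: DST Root CA X3).
    anchor = last_subj if last_subj == last_issuer else last_issuer
    return not problems, anchor, problems
```

Run it on real output with `openssl s_client -showcerts -connect server:port </dev/null > chain.txt` and pass the file contents to `check_chain`; the returned anchor is the root the phone's trust store must contain.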