About a week ago I switched my SSL certificate to one issued via the automated tool for Let's Encrypt. Today, I did a yum update to bring my FreePBX 64-bit distro to 10.13.66-19 - 13.14.0-2.shmz65.1.156.
Only my Sangoma S500 phones can no longer register. My other ATAs and softphones have no problem. To test I switched back to my previous certificate and the problem went away.
Are you saying it worked fine using SSL with LE before? Based on Mathias's reply it would have never worked, as it doesn’t trust the root cert, so something is not adding up here between you two.
I only have one S500. It’s not used a lot, so I can’t say for certain if it did initially work with Let’s Encrypt or not. Switching to Let’s Encrypt, updating FreePBX, and updating the S500 firmware all happened in a matter of days.
Can you test on one of your implementations with the version number I posted?
On all Sangoma phones I only use TLSv1 with SRTP on CHAN_SIP!
This extra Basefile entry registered my Sangoma S500, S700 phones instantly: <P20179>http://yoururltoawebserver/DSTRootCAX3.crt</P20179> # FirmwareUpGrade TCAUrl
OK, but why did you state it was working before and after an update it doesn’t? Facts are really important here.
As far as testing, I have no server anywhere I could set up LE on, as we don’t allow port 80 or 443 opened on any firewall we have anywhere that would have a PBX, and LE requires access to one of those ports for setup.
I thought that he thought he had changed the certs, but maybe it was applied after the yum update and server reboot, and then he noticed that the phones did not come up again.
I got it working. I too had to add IdenTrust’s root certificate in the S500. They are cross referencing Let’s Encrypt’s X3 certificate in the meantime, as their own root certificate will take time to get propagated into devices by devs.
I guess I could have added Let’s Encrypt’s root as well but I just wanted to test if the S500 would be happy cross referencing.
I believe this was fixed in Certificate Manager 13.0.36.6. You’ll need to upgrade this module, then go into it and make the certificates default again. Then restart Asterisk. In advanced settings you’d then see this:
The certificate from the PBX includes the chain, meaning requiring the root CA isn’t needed. You should test the certificate you are sending from the PBX to make sure this is true, as it doesn’t sound like it.
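One way to run the test suggested in the last reply, as an added example that is not part of the thread: the function below summarises the "Certificate chain" section that `openssl s_client -showcerts` prints for a TLS listener. The function names, the host name `pbx.example.com` and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Live use (HOST:PORT is a placeholder for the TLS listener
# the phone registers to):
#   openssl s_client -connect HOST:PORT -showcerts </dev/null 2>/dev/null | chain_report

# chain_report: read s_client output on stdin and print
#   sent=N          number of certificates the server sent
#   linked=yes|no   each certificate's issuer is the next one's subject
#   top_issuer=DN   issuer of the last certificate sent, i.e. the CA that
#                   has to be present in the phone's own trust store
chain_report() {
    awk '
        /^ *[0-9]+ s:/ { n++; s = $0; sub(/^ *[0-9]+ s:/, "", s); subj[n] = s }
        /^ +i:/ && n > 0 { i = $0; sub(/^ +i:/, "", i); iss[n] = i }
        END {
            linked = (n > 0) ? "yes" : "no"
            for (k = 1; k < n; k++) if (iss[k] != subj[k + 1]) linked = "no"
            print "sent=" (n + 0)
            print "linked=" linked
            print "top_issuer=" iss[n]
        }'
}

# Constructed sample: server sends leaf plus the X3 intermediate.
sample_full_chain() {
cat <<'EOF'
Certificate chain
 0 s:/CN=pbx.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
EOF
}

# Constructed sample: server sends only the leaf certificate.
sample_leaf_only() {
cat <<'EOF'
Certificate chain
 0 s:/CN=pbx.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
EOF
}

echo "--- leaf + intermediate"; sample_full_chain | chain_report
echo "--- leaf only";           sample_leaf_only  | chain_report
```

With the full chain the top issuer is the DST root, which is the certificate the `P20179` entry above loads into the phone; with a leaf-only response the phone would need the intermediate itself as a trust anchor.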