Softphones won't register pjsip over TLS, claiming error 924 - certificate invalid

I have a crazy issue where somewhere in 2019 / 2020 all Blink and Zoiper5 Android and Windows softphones would stop registering to pjsip over TLS, claiming Error 924 - cert validation error.

Sysadmin Pro and Certman managed Letsencrypt cert. Worked fine for years until some point.

Thinking it may have to do with CA changes at Letsencrypt I initially pulled certman from edge and used the (new at the time) “Remove DST Root CA X3” feature. This did not help.

Upgraded to FreePBX 16 - no change.

Ran testssl.sh against my.pbx.com:5061 and all checked out OK. SSL23 disabled, TLS1.0+ enabled, no cert problems come up.

Eventually found this thread where someone had a multi-year battle with Yealink phone provisioning that went away when using certbot. There was a solution to modify certman to reduce the key size to 2048:

sed -i 's/4096/2048/g' /var/www/html/admin/modules/certman/vendor/analogic/lescript/Lescript.php

I tried this just for kicks and wouldn’t you know… The softphones all register now, albeit complaining that the cert is invalid. When I ask them to show me the cert (“display technical details”) they show me a perfectly valid cert. In Blink it will register now if I disable cert verification. This kind of defeats the purpose of having a “real” cert but at least we are up and running for now.

Now that the certman key length patch has been applied I guess it could be a Zoiper issue. Perhaps they have a trusted CA store hard coded into the app. Android 12 itself has no problem with these new Letsencrypt certs.

Just putting this out here if anyone uses Zoiper 5 with PJSIP over TLS and certman letsencrypt certs getting 924 errors on registration, the key size patch here Yealink T4XG phones will not autoprovision over HTTPS with FreePBX 14 - #77 by sorvani might be a workaround for you.

A productive feature request might be for certman to support other issuers. There are some letsencrypt alternatives that speak ACME. ZeroSSL and buypass.no for example.
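As an added example that is not part of the original post, here is a small diagnostic that lets an administrator confirm what the PBX actually serves on the TLS port after a certman change: the RSA key size and validity window of the leaf certificate, both from a PEM file on disk and from a live listener. It assumes only the openssl command-line tool; my.pbx.com:5061 is the placeholder from the post, and the self-signed certificate generator exists solely so the helpers can be tested against constructed data without any network access.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreePBX/certman.
# Requires the openssl CLI. All hostnames below are placeholders.

# Print the public-key size in bits of the first certificate in a PEM file.
# Works with both "RSA Public-Key: (2048 bit)" (OpenSSL 1.1) and
# "Public-Key: (2048 bit)" (OpenSSL 3) text output.
pem_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the notBefore/notAfter window of a PEM certificate, to spot a stale
# certificate that was never reloaded by Asterisk after renewal.
pem_validity() {
    openssl x509 -in "$1" -noout -dates
}

# Fetch the leaf certificate a TLS listener serves (SNI set to the host) and
# save it as PEM.  Usage: served_cert my.pbx.com 5061 /tmp/leaf.pem
served_cert() {
    host=$1; port=$2; out=$3
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | openssl x509 -outform PEM > "$out"
}

# Generate a throwaway self-signed certificate with a given RSA key size.
# This is constructed test data only, used to exercise the helpers offline.
make_selfsigned() {
    bits=$1; out=$2
    openssl req -x509 -newkey "rsa:$bits" -nodes -subj "/CN=example.invalid" \
        -keyout "$out.key" -out "$out" -days 1 >/dev/null 2>&1
}

# Stand-alone usage (placeholder host): compare what the listener serves with
# what certman wrote to disk, so a 4096 vs 2048 mismatch is visible at once.
#   served_cert my.pbx.com 5061 /tmp/leaf.pem
#   pem_key_bits /tmp/leaf.pem; pem_validity /tmp/leaf.pem
```

Running pem_key_bits against the file certman wrote and against the certificate pulled with served_cert is the quickest way to tell whether the 2048-bit change above actually reached the running Asterisk TLS transport, or whether the old 4096-bit certificate is still being presented.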
