SOLVED - Zero Touch Configuration - Provisioning with HTTP(s) Authentication

Hello,

Zero Touch configuration will not work with HTTP(s) Authentication by using the following URL format:

https://user:password@FQDN:1443

The Config Server Path will not be passed down to the phone.

Is this supported? If so, what is the right way to do so?


On the other hand, if the provisioning configuration with authentication is manually entered on the phone under Auto Provisioning, the phone will be provisioned as expected.

1 Like

Phone firmware version? It should work, but may require a very recent version.

The phone is running the latest firmware available: 2.0.4.21

Just tested an S500 running 2.0.4.21. It provisions just fine from factory reset over https with credentials.

How did you do it?

Did you do it through the Sangoma Portal? Or did you manually enter the URL and credentials on the S500’s WebIf?

Put the URL in the Portal, set protocol to https and did a factory reset of the phone.

edit
Are you seeing the poll count increment in the Portal when you reset your phone?

I always factory reset my phones before testing something new.

Was your phone internal or remote?

I am testing remotely.

I have not checked the poll count.

After factory reset the poll count increments, I tested it twice.

Can you try using HTTP instead of HTTPS? There may be an issue there, and I haven’t investigated it fully yet.

Well, the point here is to introduce an extra security layer with the authentication over SSL, but I will give it a shot tomorrow though.

BTW, there is something else I noticed that should be rectified:

The phone exposes the URL with the credentials during the initialization process, at least this happens when the provisioning config is manually entered on the S500’s WebIf.


1 Like

As Rob said, test with http and see if that fixes. There is a ticket open already about displaying apache credentials on boot.

It worked like a charm with HTTP with credentials.

So should we call this a bug for HTTPS with credentials/authentication?

A bug report already exists on redirect with HTTPS and username not working; it will be fixed in firmware 2.0.4.22 next week.

Showing the username and password in the URL is something we are looking at, but if it’s in the URL it will show, and I'm not sure how easy it will be to hide that.

1 Like

Thank you guys for the follow up.

Confirming both issues reported have been resolved in Firmware 2.0.4.22:

  • Hide config server username and password on boot when it shows the URL it is receiving configs from
  • Add support with Redirect Server to handle passing a username and password in the URL from the redirect server.

Once again thank you guys for your outstanding support.

Sangoma/FreePBX rock!

2 Likes
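One way to keep embedded credentials out of anything that displays or logs a provisioning URL, as an added example that is not Sangoma firmware or FreePBX code: mask the `user:password@` part for display, and split it off when the clean URL and the credentials need to be handled separately. The host `pbx.example.com`, the sample log line and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, unquote

MASK = "****"

def _hostport(parts):
    # Rebuild host[:port] without userinfo. urlsplit lowercases the host
    # and strips IPv6 brackets, so put the brackets back.
    host = parts.hostname or ""
    if ":" in host:
        host = f"[{host}]"
    return f"{host}:{parts.port}" if parts.port is not None else host

def redact_for_display(url):
    """Return url with any user:password replaced by a fixed mask."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url  # nothing to hide
    netloc = f"{MASK}:{MASK}@{_hostport(parts)}"
    return urlunsplit((parts.scheme, netloc, parts.path,
                       parts.query, parts.fragment))

def split_credentials(url):
    """Return (url_without_credentials, username, password)."""
    parts = urlsplit(url)
    clean = urlunsplit((parts.scheme, _hostport(parts), parts.path,
                        parts.query, parts.fragment))
    # Credentials may be percent-encoded in the URL (e.g. %40 for '@').
    user = unquote(parts.username) if parts.username is not None else None
    pw = unquote(parts.password) if parts.password is not None else None
    return clean, user, pw

def redact_line(line):
    """Mask credentials in every http(s) URL found in a line of text."""
    return re.sub(r"https?://\S+",
                  lambda m: redact_for_display(m.group(0)), line)

if __name__ == "__main__":
    # Constructed sample line, in the URL format discussed in this thread.
    sample = "Config server: https://user:password@pbx.example.com:1443/cfg.xml"
    print(redact_line(sample))
    print(split_credentials("https://user:p%40ss@pbx.example.com:1443"))
```

The mask has a fixed width, so the displayed string does not reveal the length of the username or password.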

I am still not able to use https provisioning with a username and password.

I’ve basically done the following:

  • Set up a username and password under freepbx > system admin > provisioning protocols
  • Set HTTP(s) authentication = HTTPS Only
  • In the phone template I changed Provisioning Address to “Custom” and put in https://username:password@my-url:1443
  • I also told that template to use HTTPS for provisioning

In the Sangoma Zero Touch Provisioning I configured the phone as IP/FQDN > https://username:password@my-url:1443

Once I tried reverting everything back, it still wasn’t working for me. Even after factory resetting the phone it still didn’t work. The odd part, after resetting the phone, it was still showing the username and password for provisioning even though it was set to NONE under FreePBX. I even made sure to rebuild the config for that phone.

After many reboots, factory resets on the phone and banging my head on my desk, I was able to get the phone to work once again. It did have the wrong date and time (0000-00-00 12:00 AM). After another reboot, the time and date were wrong for a while but updated eventually. Calls were working but the phone was reprovisioned with HTTP instead of HTTPS.

It appears that once you have a username / password configured for HTTP(S) provisioning it doesn’t remove it (even if you set it to NONE in FreePBX and even after a factory reset of the phone). Either that or the Zero Touch provisioning server is sending that info still (even after removing it).

1 Like

I have a similar issue.

I have several S500s that work fine when using http but not over https.

I’m using the redirect service. I put a firewall in front of the PBX with logging and I can verify that the phones reach out to the server over port 1443 however the phones never register or get a config from EPM.
As soon as I switch to http via port 83, everything works.

The phones are on firmware 2.0.4.31

Make sure you have it set up the same way shown in my first post.

Is your SSL certificate properly setup on your server?
You may check it on your computer browser.

It’s the same except for the port number. I am using 1443.
And the SSL certificate works fine when connecting from a web browser over port 1443.

Your port 1443, is that the port you have set up for HTTPS phone provisioning or for your FreePBX Admin GUI? Phone Provisioning uses its own port that you define in port management.