SOLVED - Zero Touch Configuration - Provisioning with HTTP(s) Authentication

Hello,

Zero Touch configuration will not work with HTTP(s) Authentication by using the following URL format:

https://user:[email protected]:1443

The Config Server Path will not be passed down to the phone.

Is this supported? If so, what is the right way to do so?

Zero_Touch

On the other hand, if the provisioning configuration with authentication is manually entered on the phone under Auto Provisioning, the phone will be provisioned was expected.

1 Like

Phone firmware version? It should work, but may require a very recent version.

The phone is running the latest firmware available: 2.0.4.21

Just tested an S500 running 2.0.4.21. It provisions just fine from factory reset over https with credentials.

How did you do it?

Did you do it thru the Sangoma Portal? Or you did manually enter the URL and creditials on the S500’s WebIf?

Put the URL in the Portal, set protocol to https and did a factory reset of the phone.

edit
Are you seeing the poll count increment in the Portal when you reset your phone?

I always factory reset my phones before testing something new.

Was your phone internal o remote?

I am testing remotely.

I have not checked the poll count.

After factory reset the poll count increments, I tested it twice.

Can you try using HTTP instead of HTTPS? There may be an issue there, and I haven’t investigated it fully yet.

Well, the point here is to introduce an extra security layer with the authentication over SSL, but I will give it a shot tomorrow though.

BTW, there is something else I noticed that should be rectified:

The phone exposes the URL with the credentials during the initialization process, at least this happens when the provisioning config is manually entered on the S500’s WebIf.

IMG_1131

1 Like

As Rob said, test with http and see if that fixes. There is a ticket open already about displaying apache credentials on boot.

It worked like a charm with HTTP with credentials.

So should we call this a bug for HTTPS with credentials/authentication?

A bug report already exist on reidrct with HTTPS and username not working will be fixed in firmware 2.0.4.22 next week.

Showing the username and password in url we are looking at but if it’s in the URL it will show and not sure how easy it will be to hide that.

1 Like

Thank you guys for the follow up.

Confirming both issues reported have been resolved in Firmware 2.0.4.22:

  • Hide config server username and password on boot when it shows the URL it is receiving configs from
  • Add support with Redirect Server to handle passing a username and password in the URL from the redirect server.

Once again thank you guys for your outstanding support.

Sangoma/FreePBX rock!

2 Likes

I am still not able to use https provisioning with a username and password

I’ve basically done the following
setup a username and password under freepbx > system admin > provisioning protocols
I setup HTTP(s) authentication = HTTPS Only
In the phone template I changed Provisioning Address to “Custom” and put in https://username:[email protected]:1443
I also told that template to use HTTPS for provisioning

In the Sangoma Zero Touch Provisioning I configured the phone as IP/FQDN > https://username:[email protected]:1443

Once I tried reverting everything back, it still wasn’t working for me. Even after factory resetting the phone it still didn’t work. The odd part, after resetting the phone, it was still showing the username and password for provisioning even though it was set to NONE under FreePBX. I even made sure to rebuild the config for that phone.

After many reboots, factory resets on the phone and banging my head on my desk, I was able to get the phone to work once again. It did have the wrong date and time (0000-00-00 12:00 AM) After another reboot, the time and date was wrong for a while but updated eventually. Calls were working but the phone was reprovisioned with HTTP instead of HTTPS.

It appears that once you have a username / password configured for HTTP(S) provisioning it doesn’t remove it (even if you set it to NONE in FreePBX and even after a factory reset of the phone. Either that or the Zero Touch provisioning server is sending that info still (even after removing it)

1 Like

I have a similar issue.

I have several S500s that work fine when using http but not over https.

I’m using the redirect service. I put a firewall in front of the PBX with logging and I can verify that the phones reach out to the server over port 1443 however the phones never register or get a config from EPM.
As soon as I switch to http via port 83, everything works.

The phones are on firmware 2.0.4.31

Make sure your have it setup the same way shown on my first post.

Is your SSL certificate properly setup on your server?
You may check it on your computer browser.

It’s the same expect for the port number. I am using 1443.
And the SSL certificate works fine when connecting from a web browser over port 1443.

Your port 1443 that is the port you have seutp for HTTPS phone provisioning or for your FreePBX Admin GUI and Phone Provisioning uses its own port that you define in port management.