Yealink T4XG phones will not autoprovision over HTTPS with FreePBX 14

configuration
freepbx

(Jared Busch) #81

Just touched a Grandstream Ht704 yesterday for the first time in a while in order to update firmware.

I dropped the new file onto the server, updated the config file, and rebooted the unit. It did not upgrade.

Looked in the Apache log and there was an error 408.

Testing proved out the same resolution.


(Greg Snover) #82

Booger - I am having this problem also - modifying that file does indeed install a certificate that the Yealinks will then provision to - but FreePBX complains that the file is tampered with - which does not look good to the casual observer (customer) - have you had any luck with Yealink Tech Support - seems like they would like to fix this since bigger-key SSL Certs are theoretically more secure than smaller-key ones.

I have Grandstreams at this customer also - I wonder if I am going to have the same problem with them (GXP2135’s and 2170’s) - I really want to do all provisioning HTTPS to minimize the attack-surface of the boxes.

This is frustrating - there has to be a ton of T4X’s out there that this affects.


(Jared Busch) #83

You can revert the change after getting the good certificate. Future renewals should still be fine because a renew does not regen the key.


(Greg Snover) #84

Cool - That is what I did to get the working cert and then reverted the file so it quit complaining - I guess that is an OK work-around until somebody (Probably Yealink) fixes the problem. I was worried that I would have to leave that change in place because Let’s Encrypt only gens 90-Day Certs - but if it’s a one-time thing that is fine.


(Jared Busch) #85

Yealink is not going to fix something that is not likely their problem.

Also they will not fix it because the affected line of phones are EoL.


#86

Another option would be to self-sign the module, but probably not worth the trouble as a one-off if you don’t already have signing set up.

But this is a good reminder to get my re-work of the module PR ready. I’ve been sitting on it way too long. A lot of good stuff in it: acme.sh backed and most of the goodies that come with it - dns and tls-alpn challenges, alternate cert authorities, alternate chains, specifying key length/type, etc.