Yealink T4XG phones will not autoprovision over HTTPS with FreePBX 14


(Jared Busch) #81

Just touched a Grandstream Ht704 yesterday for the first time in a while in order to update firmware.

I dropped the new file onto the server, updated the config file, and rebooted the unit. It did not upgrade.

Looked in the Apache log and there was an error 408.

Testing proved out the same resolution.

(Greg Snover) #82

Booger - I am having this problem also - modifying that file does indeed install a certificate that the Yealinks will then provision to - but FreePBX complains that the file is tampered with - which does not look good to the casual observer (customer) - have you had any luck with Yealink Tech Support - seems like they would like to fix this since bigger-key SSL Certs are theoretically more secure than smaller-key ones.

I have Grandstreams at this customer also - I wonder if I am going to have the same problem with them (GXP2135’s and 2170’s) - I really want to do all provisioning HTTPS to minimize the attack-surface of the boxes.

This is frustrating - there has to be a ton of T4X’s out there that this affects.

(Jared Busch) #83

You can revert the change after getting the good certificate. Future renewals should still be fine because a renew does not regen the key.

(Greg Snover) #84

Cool - That is what I did to get the working cert and then reverted the file so it quit complaining - I guess that is an OK work-around until somebody (Probably Yealink) fixes the problem. I was worried that I would have to leave that change in place because Let’s Encrypt only gens 90-Day Certs - but if it’s a one-time thing that is fine.

(Jared Busch) #85

Yealink is not going to fix something that is not likely their problem.

Also they will not fix it because the affected line of phones are EoL.


Another option would be to self-sign the module, but probably not worth the trouble as a one-off if you don't already have signing set up.

But this is a good reminder to get my re-work of the module PR ready. I’ve been sitting on it way too long. A lot of good stuff in it: backed and most of the goodies that come with it - dns and tls-alpn challenges, alternate cert authorities, alternate chains, specifying key length/type, etc.