We have Zulu UC deployed and running on 18 desktop computers. We are using an SSL cert by sslforfree.
When we try to set up Android devices of some users we get the following error:
"Invalid Server Certificate" "Zulu Mobile requires a trusted SSL Certificate to maintain a secure Connection. Your server’s certificate is invalid. Please contact your administrator and ask them to correct this issue"
This error is not present when configuring iOS devices.
Please advise if the error is related to the provider of the certificate and whether purchasing a new SSL certificate, let's say from Sectigo, will resolve the issue.
No SSL certificates were found on xxxx. Make sure that the name resolves to the correct server and that the SSL port (default is 443) is open on your server’s firewall.
Ok, I have strong FW restriction policies, especially to the PBX. I guess Android tries to access the certificate from a location other than my user location.
Ok, I made a new test, all items green on the test and following message at the end:
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.
So that’s the problem, somewhere on a chain there is something not working.
Just create another certificate with Letsencrypt, it’s very easy.
Be sure to open port 80 widely on your router (port forward to your pbx if it’s behind a router)
Go to System Admin > Port Management > Be sure that LetsEncrypt is enabled running on port 80
Set your hostname (should be the same as the FQDN you are going to use) System Admin > Hostname
Go to Admin > Certificate Management > New Certificate > Generate Lets Encrypt Certificate, fill with your information there and click Generate Certificate
Set that certificate as the default one (see the image below)
Go to System Admin > HTTPs Setup > Settings Tab > from the Certificate Manager, select the certificate you’ve created recently and click “Install”. That’s all; your new certificate should be working now.
You can do the ssl test again and see how it goes now.
Ok, unable to create the Lets Encrypt Certificate from the PBX. Following your list I think it is possible to be related to the host name. The system is using our internal domain name, not the public one.
I’ll check if it is possible to change it.
One question, if we change the certificate to use, let's say, Sectigo, will it make a difference in the way Android validates it?
You can use Sectigo as well, but in my opinion LetsEncrypt is pretty good enough.
If you want, you can also open a commercial ticket with us if you can’t fix this.
Port 80 is only for the Letsencrypt challenge. You can close it after creating the certificate if you want, but you should re-open it in 80 days in order to renew the certificate, then you can close it again, and so on.
But leaving it open shouldn’t be dangerous (try to reach your FQDN on port 80 from outside your network and you will see a forbidden message).
But we had cases where Letsencrypt was not coming from any of those IPs and the validation couldn’t be done. That’s the reason why we suggest opening port 80 widely, but you can give it a try and see if it works whitelisting only those domains.
I’ll give it a try again in a few. The SSL cert I’m using right now is provided by sslforfree.com. It is signed by and came from LetsEncrypt, just not generated using the PBX tools.
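
The SSL test result earlier in this thread points at a missing intermediate/chain certificate. As an added example (not part of any post in this thread and not the PBX's own tooling), the script below builds a constructed root, intermediate and leaf with `openssl` and shows that a client trusting only the root rejects the leaf until the intermediate is supplied. All names, such as `pbx.example.test`, are made up for the illustration.

```shell
#!/bin/sh
# Added example: every certificate below is constructed test data (no network).
chain_demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
EOF
    # new_csr NAME SUBJECT: fresh key plus signing request
    new_csr() {
        openssl req -new -newkey rsa:2048 -nodes -config "$d/cfg" -subj "/CN=$2" \
            -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
    }
    # sign NAME ISSUER EXT: issue NAME's certificate from ISSUER
    sign() {
        openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" \
            -CAcreateserial -days 2 -extfile "$d/cfg" -extensions "$3" \
            -out "$d/$1.pem" 2>/dev/null
    }
    new_csr root  "Constructed Root CA"
    new_csr inter "Constructed Intermediate CA"
    new_csr leaf  "pbx.example.test"
    # Self-signed root: the only certificate the client trusts in advance.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/cfg" -extensions ca_ext -out "$d/root.pem" 2>/dev/null
    sign inter root  ca_ext
    sign leaf  inter leaf_ext

    # Case 1: server presents only the leaf, so no path to the root can be built.
    if openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" >/dev/null 2>&1
    then leaf_only=ok; else leaf_only=fail; fi
    # Case 2: server also presents the intermediate (the "chain" file).
    if openssl verify -CAfile "$d/root.pem" -untrusted "$d/inter.pem" \
        "$d/leaf.pem" >/dev/null 2>&1
    then full_chain=ok; else full_chain=fail; fi
    rm -rf "$d"
    echo "leaf_only=$leaf_only full_chain=$full_chain"
}
chain_demo
```

To see what a live server actually presents, `openssl s_client -connect <host>:443 -showcerts` lists each certificate sent in the handshake; a server that sends only its own certificate is in the first case above.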