Zulu Android Mobile App certificate error


(Julio Villegas) #1

We have Zulu UC deployed and running on 18 desktop computers. We are using an SSL cert by sslforfree.

When we try to set up Android devices of some users we get the following error:

"Invalid Server Certificate"
"Zulu Mobile requires a trusted SSL Certificate to maintain a secure Connection. Your server’s certificate is invalid. Please contact your administrator and ask them to correct this issue"

This error is not present when configuring iOS devices.

Please advise if the error is related to the provider of the certificate and whether purchasing a new SSL certificate, let's say from Sectigo, will resolve the issue.


(Sergio Lobera) #2

Hi @masterch13 try this:

Go to this page -> https://www.sslshopper.com/ssl-checker.html
And type your FQDN:8002, example: pbx.whatever.com:8002

Results from that test should be perfect in order to work with Zulu mobile.


(Julio Villegas) #3

No SSL certificates were found on xxxx. Make sure that the name resolves to the correct server and that the SSL port (default is 443) is open on your server’s firewall.


(Sergio Lobera) #4

Did you use port 8002? (That’s the port used by Zulu.)
Anyway, you should try to use a LetsEncrypt certificate following this guide:

https://wiki.freepbx.org/display/F2/Certificate+Management+User+Guide#CertificateManagementUserGuide-GenerateLet'sEncryptCertificate

Be sure to open port 80 widely; that’s used for the LetsEncrypt challenge (the way LE knows you are that FQDN).


(Julio Villegas) #5

Ok, I have strong FW restriction policies, especially for the PBX. I guess Android tries to access the certificate from a location other than my user location.

I’ll make some tests…


(Julio Villegas) #6

Ok, I made a new test, all items green on the test and the following message at the end:

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.

Android still complains about the certificate.


(Julio Villegas) #7

Yes, 8002.

Zulu UC is working perfectly on desktop computers; it works on iOS but with bugs.

The only platform complaining about the cert is Android.


(Julio Villegas) #8

LetsEncrypt is the source of the cert I’m using right now.


(Sergio Lobera) #9

So that’s the problem, somewhere on a chain there is something not working.

Just create another certificate with Letsencrypt, it’s very easy.

  1. Be sure to open port 80 widely on your router (port forward to your pbx if it’s behind a router)
  2. Go to System Admin > Port Management > Be sure that LetsEncrypt is enabled running on port 80
  3. Set your hostname (should be the same as the FQDN you are going to use) System Admin > Hostname
  4. Go to Admin > Certificate Management > New Certificate > Generate Lets Encrypt Certificate, fill with your information there and click Generate Certificate
  5. Set that certificate as the default one (see the image below)

[Image: 2020-05-13_10-45]

  6. Go to System Admin > HTTPs Setup > Settings Tab > from the Certificate Manager, select the certificate you’ve created recently and click “Install”. That’s all, your new certificate should be working now.

You can do the ssl test again and see how it goes now.


(Julio Villegas) #10

Ok, unable to create the Lets Encrypt Certificate from the PBX. Following your list I think it is possible to be related to the host name. The system is using our internal domain name, not the public one.

I’ll check if it is possible to change it.

One question: if we change the certificate to use, let's say, Sectigo, will it make a difference in the way Android validates it?


(Sergio Lobera) #11

You can use Sectigo as well, but in my opinion LetsEncrypt is pretty good enough.
If you want, you can also open a commercial ticket with us if you can’t fix this.

Take care!


(Julio Villegas) #12

Security-wise, what does leaving port 80 wide open on the PBX imply? That is my only concern about the way LetsEncrypt works.


(Sergio Lobera) #13

Port 80 is only for the Letsencrypt challenge; you can close it after creating the certificate if you want, but you should re-open it in 80 days in order to renew the certificate, then you can close it again and so on.
But leaving it open shouldn’t be dangerous (try to reach your FQDN on port 80 from outside your network and you will see a forbidden message).

Also, you can try to whitelist ONLY these domains/ips (letsencrypt ips)
outbound1.letsencrypt.org
outbound2.letsencrypt.org

But we had cases where Letsencrypt was not coming from any of those IPs and the validation couldn’t be done; that’s the reason why we suggest opening port 80 widely, but you can give it a try and see if it works whitelisting only those domains.


(Julio Villegas) #14

I’ll give it a try again in a few. The SSL cert I’m using right now is provided by sslforfree.com. It is signed and came from LetsEncrypt, just not generated using the PBX tools.


(Julio Villegas) #15

I’ll give it a try. The internal PBX FW was also blocking the Lets Encrypt requests. It is using a new SSL cert deployed by the interface now.

Android device connected without problems.


(Sergio Lobera) #16

Nice! Good job @masterch13