Zulu mobile client untrusted SSL

moonark · January 30, 2020, 5:42am

I am using the Zulu desktop client today without issue and without errors. When I use Android or iOS however I keep getting “Zulu mobile requires a trusted SSL certificate to maintain a secure connection. Your server’s certificate is invalid. Please contact your administrator and ask them to correct the issue.” I am not using a self signed certificate and it was signed by my company’s Certificate server. All devices and PCs have the root certificate installed. There are absolutely 0 trust issues from any browser based application with freepbx only mobile. As mentioned, Windows desktop with Zulu is fine. Does anyone know how to correct this on mobile? I only have 1 cert on the server and it is set to the default.

dlee · January 30, 2020, 8:07pm

@moonark,

Unfortunately, there are lots of reasons why certificates will work for some devices and not for others. Usually with public CA’s this is because intermediate certificates are missing from the server’s certman configuration.

It sounds like you’re using a private CA, though, so that makes it hard to say. You can run openssl s_client -showcerts -connect <host>:8002 < /dev/null to see what certificates are being used by the server; maybe that will give you a clue as to what’s going wrong.

mvogel4949 · February 10, 2020, 2:03pm

I’m having the same issue. Using a valid Let’s Encrypt Certificate, works from desktop but mobile gives me SSL error.

[root@tower ~]# openssl s_client -showcerts -connect <host>:8002 < /dev/null
-bash: host: No such file or directory

dlee · February 10, 2020, 3:26pm

@mvogel4949,

The <host> thing there is a placeholder; you have to replace that with the hostname or address of your PBX.

dlee · February 10, 2020, 3:33pm

@mvogel4949, if your server is publicly accessible, you can use https://www.digicert.com/help/ to test port 8002 of your PBX to see if the certificate chain is being properly setup. Just be sure to put :8002 after your server’s hostname in the “Server Address” box when you scan.

mvogel4949 · February 10, 2020, 3:53pm

well that was embarrassing. It seems to indicate my certificate is expired but in the web gui it shows it is valid for 85 more days.

[root@tower ~]# openssl s_client -showcerts -connect tower.cqsimple.org:8002 < / dev/null

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify return:1
depth=0 CN = tower.cqsimple.org
verify error:num=10:certificate has expired
notAfter=Feb 8 06:27:05 2020 GMT
verify return:1
depth=0 CN = tower.cqsimple.org
notAfter=Feb 8 06:27:05 2020 GMT
verify return:1

mvogel4949 · February 10, 2020, 3:57pm

I went back to the GUI and Updated the Certificate again and it seems to be working again. Thank you for your help!

system · March 12, 2020, 3:57pm

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.