Vodia PBX forum

installing domain certificate breaks provisioning

i successfully installed a domain certificate on our pbx.

navigating to http://voice.domain.com shows a valid certificate for the domain

now all the phones though report: Provisioning Server Failed…

i guess this has something to do with the certificate not installed on each phone.

i was under the assumption if the settings url is http and not https this should work

http://voice.domain.com/provisioning/snom760.htm

what is the recommended procedure?

thanx

AFAIK the 7xx series has a list of trusted root CAs that should match your cert as well. I don't think that the problem is here. I would definitely check the log file of the phone, there must be some hint what is going on.

when i logged into the phone it told me that it tried to provision over https and that this is something which could be a security issue.

sorry my wording :(

On the Snom M9 I had similar issues and a quick and dirty (but not very secure with regards to possible MITM attacks) workaround was to tell the phones to provision via https but accept all certs without trying to check their validity.

You could try that temporarily if your endpoints have that option - just to get back up and running and confirm it is a certificate issue.

yeah i know but there should be a better option no?

There is a client side of it and a server side.

 

On the client side, the general rules of trusting the server apply. The server has to be in the list of trusted Root CA. The best solution is to use a certificate that is issued by one of the generally trusted CA, so that you can also use https from your browser. By default the snom phones don't verify the server; if you want to make sure that there is no hanky panky going on you have to change that policy before provisioning the device. In the first provisioning you can actually change that policy, so that subsequent requests will verify the certificate.

 

For the server, the question is "who are you?". Certificate-based authentication works very nicely when the phones have a client certificate installed; however for snom that is only the case for 7xx, 8xx and the m9 devices. For 3xx devices, all devices have the same certificate :-/ so you cannot trust them and instead have to set up username and password for automatic provisioning.

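An added example, not part of the thread and not Vodia or snom code: a Python check run from a workstation that sets the two client policies discussed above side by side and reports why a verifying client would reject the PBX certificate. The function names and the `cafile` parameter are assumptions of this sketch, and the workstation's root list may differ from the phone's, so pass a CA bundle that matches the phone's trusted roots if you have one.

```python
import socket
import ssl
import sys


def client_context(verify, cafile=None):
    """TLS client context for one of the two policies discussed in the thread."""
    if verify:
        # Chain must end in a trusted root and the certificate name must match
        # the host in the provisioning URL. cafile=None uses the system roots.
        return ssl.create_default_context(cafile=cafile)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # "accept all certs": no MITM protection
    return ctx


def probe(host, port=443, cafile=None, timeout=5.0):
    """Return (ok, reason) for a verifying client connecting to host:port."""
    ctx = client_context(True, cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, "certificate verified (%s)" % tls.version()
    except ssl.SSLCertVerificationError as exc:
        # e.g. unknown issuer, missing intermediate, hostname mismatch, expired
        return False, "certificate rejected: %s" % exc.verify_message
    except OSError as exc:  # includes other TLS errors and refused connections
        return False, "connection failed: %s" % exc


if __name__ == "__main__":
    # usage: python probe.py <pbx-host> [ca-bundle.pem]
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py <pbx-host> [ca-bundle.pem]")
    ok, reason = probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    print(("OK: " if ok else "FAIL: ") + reason)
```

A `certificate rejected` result against a bundle that matches the phone's trust list confirms a certificate issue without switching verification off on the phones.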
