corona Posted May 6, 2011

Hi, could anyone help me with getting the certificate working on our Snom ONE? We bought a RapidSSL certificate for our SIP server, and I can see the server uses the new certificate in the HTTPS connection right after I install the certificate. I then turn on the strict certificate verification option in our snom phone to get better security over the connection. However, the phone shows that the server does not use the purchased certificate. Instead, it still uses a self-generated certificate in the TLS connection. Could anyone shed some light on this for me? Attached is some information that may be helpful.

TLS_Certificate_from_Server.jpg: The TLS certificate that the phone receives from the server.
Certificate_Installed_on_Server.jpg: I have installed the purchased certificate as every type in the server.
sip_error.txt: The error message from the phone log.
Vodia PBX Posted May 7, 2011

I think the problem is that the phones don't know the Root CA for "GeoTrust", which RapidSSL seems to use. AFAIK you need to import http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer into the phones before they can validate the RapidSSL certificate.
corona Posted May 7, 2011

I just tried, but it still did not work..... I converted the Equifax_Secure_Certificate_Authority.cer to DER format and uploaded it to the phone. I also cleaned up the certificates in the Snom ONE server, keeping only the purchased certificate and the Equifax_Secure_Certificate_Authority certificate. I still get the same error message from the phone:

[1] 8/5/2011 00:09:49: TLS: Could not verify certificate <Country: DE; State: Berlin; Locality Berlin; Organization: Snom Technology AG; Common Name: 000413440000; eMail: >. Unknown issuer <Country: DE; State: Berlin; Locality Berlin; Organization: Snom Technology AG; Common Name: snom ONE intermediate; eMail: >.
[1] 8/5/2011 00:09:49: TLS: Refusing TLS connection. Invalid or unknown Certificate received

From the "Common Name" field, I think the certificate that got rejected by the phone was generated by the Snom ONE server? This also means the server didn't use the certificate I provided, but generated one by itself instead.
corona Posted May 7, 2011

> I just tried, but it still did not work.....

Umm... this is getting more interesting now. I just figured out that the server uses different certificates in HTTPS connections with different browsers, and only FireFox (both 3.6 and 4.0) could make the server use the correct certificate. My test results:

FireFox: correct certificate used
IE 8.0: self-generated certificate used
Chrome 11: self-generated certificate used
IE 9.0: Internet Explorer cannot display the webpage (duh!!)

It seems that the Snom ONE server has different HTTPS/TLS behavior with different agents (which causes my problem). Does anyone see this as well?

Server version: 2011-4.2.0.3981 (FreeBSD)
License Status: snom ONE blue

Edit: I added our certificate as the "Server certificate chain + private key". But when I connect to the server using its IP address, the server still uses a self-generated certificate. Is this correct behavior?

Edited May 7, 2011 by corona
Vodia PBX Posted May 8, 2011

It even gets more confusing... The snom m9 does support server extensions, where the phone can tell the PBX which domain to use. The other phones (3xx, 8xx) don't support that. The m9 and 8xx include certificates signed by the snom Root CA, so that the PBX can authenticate the phones with client certificates. If you are using 3xx phones, you should probably not load a domain certificate, but a server certificate chain for the whole PBX. Notice that you might have to include the chain, if the path from the Root CA to the certificate includes intermediate certificates. I know, this whole thing sounds like rocket science and I have to say, it probably is.
corona Posted May 8, 2011

> It even gets more confusing... The snom m9 does support server extensions, where the phone can tell the PBX which domain to use. The other phones (3xx, 8xx) don't support that. The m9 and 8xx include certificates signed by the snom Root CA, so that the PBX can authenticate the phones with client certificates. If you are using 3xx phones, you should probably not load a domain certificate, but a server certificate chain for the whole PBX. Notice that you might have to include the chain, if the path from the Root CA to the certificate includes intermediate certificates. I know, this whole thing sounds like rocket science and I have to say, it probably is.

It is still easier than Calculus, IMHO..... I actually have added our certificate as the server certificate for the PBX, and I also added the certificate from Equifax Secure Certificate Authority as the root CA for both server and client. But Snom ONE still uses a self-generated certificate. (I have also tried to add our certificate + Equifax certificate as the server certificate as well.) I think the problem is that Snom ONE uses a self-generated certificate when the client requests a certificate using the IP address. An easy way to test is to connect to the server using https://ip.address/ and you can see that Snom ONE responds with a self-generated certificate even if a server certificate is assigned. Could you test it? Have a nice day.
Vodia PBX Posted May 9, 2011

Right, the domain key is only used if the requested domain (through TLS server extensions) matches exactly the domain name. Try to delete the domain certificate (+ private key) and import the certificate and private key as the server certificate. That should override the default key. If you have only one domain, this is definitively the easier/right way to solve the problem.
corona Posted May 9, 2011

> Right, the domain key is only used if the requested domain (through TLS server extensions) matches exactly the domain name. Try to delete the domain certificate (+ private key) and import the certificate and private key as the server certificate. That should override the default key. If you have only one domain, this is definitively the easier/right way to solve the problem.

I just tried, but still couldn't get the certificate to work. I deleted the domain certificate first. I then installed our certificate + private key as the server certificate. I also tried to install our certificate with the Equifax root CA + private key; neither works. Snom ONE still uses a self-generated certificate in HTTPS connections afterward. Any ideas?...
corona Posted May 9, 2011

> I just tried, but still couldn't get the certificate to work. I deleted the domain certificate first. I then installed our certificate + private key as the server certificate. I also tried to install our certificate with the Equifax root CA + private key; neither works. Snom ONE still uses a self-generated certificate in HTTPS connections afterward. Any ideas?...

I can offer our login credentials if you have time to check it out. (But I can't send a PM to you, though.)
Vodia PBX Posted May 9, 2011

So we invested the 12.95 and bought a certificate from RapidSSL. These steps worked for us:

Copy the certificate that you received from RapidSSL in the email into the Certificate input box, followed by the intermediate CA (in the same input box; leave an empty line between them). Copy the private key into the private key section (we modified the private key a little in this post in order to keep it private). Then select "Server certificate chain + private key" and hit save. No restart is necessary.

Certificate input field:

-----BEGIN CERTIFICATE-----
MIIEzjCCA7agAwIBAgIDAaGTMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNTA3MjAxOTQ1WhcNMTIwNTA5MjE0NTE0WjCB5TEpMCcGA1UEBRMgTDNh
LzhBLTJWL0FSYjZXNnpCdGdtUW4vTGx5Ukdqd24xCzAJBgNVBAYTAkRFMRgwFgYD
VQQKEw9pbnRlcm4uc25vbS5jb20xEzARBgNVBAsTCkdUNjI5OTA5MzUxMTAvBgNV
BAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMgKGMpMTExLzAt
BgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlkU1NMKFIpMRgw
FgYDVQQDEw9pbnRlcm4uc25vbS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQD1p5trB4sUSpoJJDc+puQS0J8aTNUgAk6ZQSJrBZpNYZ+e32QEQxJ2
Fv4XHrWEYxFo8CPDsqg7jm0MkchU0Il+/NoDF+/dkaaUTpEM0onJJzrR3C1m8hh9
EF9+QQ9T4A683NE+7+ikc2w918QYwmQrMinqvLMZH3S9wxrrQzzsyUYqbrpQDIc2
Wx37+WfwTPVJLONeZAVtn9DwxypQZz7XZ5A9xXPhVHeAZSHtYAelNkZyq1u6+NdJ
DmUiQ/RdujTvBV7WqR8nw543AuWgkpzCMiJhZao+OuQc7I7Foyehws7b4055rEbc
WcZ0biYxGWpVayMqNG8b3ShL9vyDikuTAgMBAAGjggEtMIIBKTAfBgNVHSMEGDAW
gBRraT1qGEJK3Y8CZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw
FAYIKwYBBQUHAwEGCCsGAQUFBwMCMBoGA1UdEQQTMBGCD2ludGVybi5zbm9tLmNv
bTBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vcmFwaWRzc2wtY3JsLmdlb3RydXN0
LmNvbS9jcmxzL3JhcGlkc3NsLmNybDAdBgNVHQ4EFgQUfjJNyE9Ek8YLHk70F6Qb
XHYrkSswDAYDVR0TAQH/BAIwADBJBggrBgEFBQcBAQQ9MDswOQYIKwYBBQUHMAKG
LWh0dHA6Ly9yYXBpZHNzbC1haWEuZ2VvdHJ1c3QuY29tL3JhcGlkc3NsLmNydDAN
BgkqhkiG9w0BAQUFAAOCAQEAYKlsM/8rmM/ES8doaHwVtGsqMGauym5RrOSG/AqD
XwTNIe2r+lppO43hRk8S6m4HQ+H5LjyQXJH7pXSidQZZ2gEgoCkWv+jvr6p5laTa
qrSqxn48fWfA7LDClUGMXbVPUvO85NstSpPK5sBpJgs6kNhYh+TSOdKSOnU+I+im
JNwffD6iY1Kid7CIwrBKC3EU4ZCzFt3DSaJQik+30hLTmJ7HOgQ4PmSZk5vXfTJO
UU8Xw5S6bEWBRA4zd60i9FDe0Ndaq9h0hFzfyjj40aeLN51OmpW69JxRFVN9gd0I
/CWr9bxNMoni/VaJRgbUHx5zf482awCJCWW0Rb0+YuQ9hQ==
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTAwMjE5MjI0NTA1WhcNMjAwMjE4MjI0NTA1WjA8MQswCQYDVQQG
EwJVUzEXMBUGA1UEChMOR2VvVHJ1c3QsIEluYy4xFDASBgNVBAMTC1JhcGlkU1NM
IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3H4Vsce2cy1rfa0
l6P7oeYLUF9QqjraD/w9KSRDxhApwfxVQHLuverfn7ZB9EhLyG7+T1cSi1v6kt1e
6K3z8Buxe037z/3R5fjj3Of1c3/fAUnPjFbBvTfjW761T4uL8NpPx+PdVUdp3/Jb
ewdPPeWsIcHIHXro5/YPoar1b96oZU8QiZwD84l6pV4BcjPtqelaHnnzh8jfyMX8
N8iamte4dsywPuf95lTq319SQXhZV63xEtZ/vNWfcNMFbPqjfWdY3SZiHTGSDHl5
HI7PynvBZq+odEj7joLCniyZXHstXZu8W1eefDp6E63yoxhbK1kPzVw662gzxigd
gtFQiwIDAQABo4HZMIHWMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUa2k9ahhC
St2PAmU5/TUkhniRFjAwHwYDVR0jBBgwFoAUwHqYaI2J+6sFZAwRfap9ZbjKzE4w
EgYDVR0TAQH/BAgwBgEB/wIBADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3Js
Lmdlb3RydXN0LmNvbS9jcmxzL2d0Z2xvYmFsLmNybDA0BggrBgEFBQcBAQQoMCYw
JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdlb3RydXN0LmNvbTANBgkqhkiG9w0B
AQUFAAOCAQEAq7y8Cl0YlOPBscOoTFXWvrSY8e48HM3P8yQkXJYDJ1j8Nq6iL4/x
/torAsMzvcjdSCIrYA+lAxD9d/jQ7ZZnT/3qRyBwVNypDFV+4ZYlitm12ldKvo2O
SUNjpWxOJ4cl61tt/qJ/OCjgNqutOaWlYsS3XFgsql0BYKZiZ6PAx2Ij9OdsRu61
04BqIhPSLT90T+qvjF+0OJzbrs6vhB6m9jRRWXnT43XcvNfzc9+S7NIgWW+c+5X4
knYYCnwPLKbK3opie9jzzl9ovY8+wXS7FXI6FoOpC+ZNmZzYV+yoAVHHb1c0XqtK
LEL2TxyJeN4mTvVvk0wVaydWTQBUbHq3tw==
-----END CERTIFICATE-----

Private key input field:

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA9aebaweLFEqeCSQ3PqbkEtCfzkzVIAJOmUEiawWaTWGfnt9k
BEMSdhb+Fx61hGMRaPAjw7KoO45tDJHIVaCJfvztAxfv3ZGmlE6RDNKJySc60dwt
(sorry for not sharing everything with you guys)
Ke/n64czAr/QJIsMd9JXLKijRrW3GfnVLPmlggP/rrOXpZ22dCH1fI1JXNUIXpya
pmXpaEzgdAGw1YoOTf2JTaSGjZM5yGahUs0v5id9GvZn+dIJcO78cg==
-----END RSA PRIVATE KEY-----
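Two things in this thread are worth checking mechanically before hitting save: that the pasted bundle really is leaf first and the intermediate second (each certificate issued by the one after it), and which certificate the PBX actually hands out when a client sends the domain name via SNI versus when it sends none, the distinction Vodia describes for the domain key and that corona saw when connecting by IP address. The script below is an added example for this thread, not vendor code or anything from the posts: it uses only the Python standard library, parses just enough DER to read issuer and subject names, and for its offline demo builds unsigned certificate skeletons that are constructed placeholders, not real certificates. The probe mode assumes the PBX's HTTPS/TLS port is reachable from where you run it, and the host name `pbx.example.invalid` used in the usage note is a placeholder.

```python
"""Diagnose a PBX certificate bundle and what the PBX actually serves (stdlib only). Added example for
this thread, not vendor code; assumes a leaf-first PEM bundle like the one pasted above."""
import base64, re, socket, ssl, sys, textwrap
# DER-encoded attribute type OIDs seen in the thread's certificate names.
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C",
        b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L", b"\x55\x04\x05": "serialNumber",
        b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress"}

def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long form: low bits = number of length bytes
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def _children(buf):
    """All TLVs inside a constructed value (SEQUENCE / SET)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out

def name_to_dict(name_der):
    """X.501 Name -> {attribute: value}; a repeated attribute (e.g. OU) keeps its last value."""
    out = {}
    for _, rdn in _children(name_der):              # RelativeDistinguishedName = SET
        for _, atv in _children(rdn):               # AttributeTypeAndValue = SEQUENCE {OID, value}
            (_, oid), (_, val) = _children(atv)
            out[OIDS.get(oid, oid.hex())] = val.decode("utf-8", "replace")
    return out

def _name_ders(der):
    """Raw DER of (issuer, subject) from an X.509 certificate."""
    _, cert, _ = _tlv(der)                          # Certificate ::= SEQUENCE {tbsCertificate, ...}
    _, tbs, _ = _tlv(cert)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                        # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]               # serial, sigAlg, issuer, validity, subject, ...

def cert_names(der):
    """(issuer, subject) of a certificate as {attribute: value} dicts."""
    return tuple(name_to_dict(n) for n in _name_ders(der))

def split_pem(text):
    """DER bytes of every CERTIFICATE block in a PEM bundle, in the order pasted."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def chain_issues(certs):
    """Leaf-first order check: certs[i] must be issued by certs[i + 1] (names compared as raw DER)."""
    issues = []
    for i in range(len(certs) - 1):
        issuer, subject = _name_ders(certs[i])
        if issuer != _name_ders(certs[i + 1])[1]:
            issues.append(f"certificate {i} (CN={name_to_dict(subject).get('CN')}) "
                          f"is not issued by certificate {i + 1}")
    return issues

def served_cert(host, port=443, sni=None):
    """DER certificate the server presents with or without SNI; verification is off on purpose,
    because the question is *which* certificate comes back, not whether to trust it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)

# --- constructed demo data: certificate skeletons, NOT real or signed certificates ---
def _der(tag, body):
    ln = len(body)
    lb = bytes([ln]) if ln < 0x80 else bytes([0x81, ln]) if ln < 0x100 else bytes([0x82, ln >> 8, ln & 0xFF])
    return bytes([tag]) + lb + body

def demo_name(cn):
    """X.501 Name holding a single CN as PrintableString (demo data)."""
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))))

def fake_cert(subject, issuer):
    """tbsCertificate skeleton (version, serial, sigAlg, issuer, empty validity, subject) + dummy signature."""
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg + issuer + _der(0x30, b"") + subject
    return _der(0x30, _der(0x30, tbs) + sig_alg + _der(0x03, b"\x00"))

def to_pem(der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    if len(sys.argv) >= 3:                          # usage: chaincheck.py HOST SNI-NAME [PORT]
        host, sni, port = sys.argv[1], sys.argv[2], int(sys.argv[3]) if len(sys.argv) > 3 else 443
        for label, name in ((f"with SNI={sni}", sni), ("without SNI", None)):
            issuer, subject = cert_names(served_cert(host, port, name))
            print(f"{label}: subject CN={subject.get('CN')}; issuer CN={issuer.get('CN')}")
    else:                                           # offline demo on a constructed chain
        root, inter, leaf = demo_name("Example Root CA"), demo_name("Example Intermediate CA"), demo_name("pbx.example.invalid")
        bundle = to_pem(fake_cert(leaf, inter)) + "\n" + to_pem(fake_cert(inter, root))
        print("leaf first:", chain_issues(split_pem(bundle)) or "OK")
        print("reversed:  ", chain_issues(split_pem(bundle)[::-1]))
```

Run with no arguments for the offline ordering demo, or `python3 chaincheck.py pbx.example.invalid pbx.example.invalid 443` against your own PBX: if the subject CN printed "with SNI" is your purchased name while "without SNI" shows the PBX's own CN (in this thread, the 000413440000 certificate issued by "snom ONE intermediate"), you are seeing exactly the domain-key behaviour described above, and the fix is the server-certificate path Vodia used, not another root CA on the phone. To check a saved bundle before pasting it, call `chain_issues(split_pem(open("bundle.pem").read()))`; a reversed leaf/intermediate order, or a missing intermediate, comes back as a message naming the offending certificate.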