
Autoprovision Yealink T46s don't work with 15.5 SP6

Status
Not open for further replies.

FredyWenger

Hi
I have bought a new T46S (to check out Opus as soon as the template is updated to support Opus).
I have been trying for hours now to autoprovision the T46s - without success.
- Updated firmware to the latest version
- Factory reset done
I have the phone behind an SBC.
I can see the T46s on the 3cx under "new devices" and assign it to an existing extension.
When the T46s is booted, it shows "update skipped", which should be a sign that the 3cx server is found but is not able to send the autoprovision file to the phone.

What can this be…
Thanks for a fast feedback.
 
The phone will try to download the config file over the internet, not through the SBC and tunnel:
  • HTTPS port open on firewall?
  • SSL Certificate used to install 3CX is trusted by phone?
 
The phone will try to download the config file over the internet, not through the SBC and tunnel:
  • HTTPS port open on firewall? => Yes
  • SSL Certificate used to install 3CX is trusted by phone? => Not clear

What do you mean with:
"SSL Certificate used to install 3CX is trusted by phone?"
I haven't used an SSL certificate - please explain what exactly you mean.
Thanks
 
Sorry, I was not clear. When you installed 3CX, did you install using an FQDN provided by 3CX? Or did you enter your own custom FQDN using a domain you own?
 
The FQDN is set to a URL of the provider (the 3cx is hosted at a provider).
 
@NickD_3CX:

I have wasted hours now with trial and error…
I was able to provision the phone now by disabling security options:
On the T46s (over the web interface):
- Security
- Trusted Certificates
=> Set "Only accept trusted Certificates" to disabled
After doing that, the device has rebooted and loaded the provisioning file from the server.

But if I now access the phone over the web interface, the browser claims "No secure connection".

So... the T46s now works in principle with the 3cx, but it can't be the solution to disable "Only accept trusted Certificates".

So... what to do..?
 
So you DID install probably using your own FQDN and your own certificate...

If you installed using a 3CX provided FQDN, you would get a Let's Encrypt cert automatically and you wouldn't have the problem. So "what to do?": Install using a cert from a CA that Yealink phones consider trusted. For an updated list of such CAs you could contact Yealink.

OR

Install using a 3CX FQDN and use the Let's Encrypt cert that comes with it, which is updated automatically as long as maintenance of 3CX is valid.

On another note, when you log into the interface of your Yealink and you get the "No Secure Connection" warning, this is something different and irrelevant. This is because the cert on the web server of the actual phone is a self-signed one. You will always get this because newer Yealink phones redirect to HTTPS when you access the Web UI.
 
It seems I have noticed a bug in the 3cx SW right now...
The 3cx shows the T46s device in red and claims it is not supported.

Firmware: Device: 66.84.0.10 / available version: 66.83.0.20
So.. I have installed the latest FW yesterday on the device and don't want to downgrade...o_O
 
@NickD_3CX
Unfortunately, I don't really understand your response…
FQDN:
As I wrote, the 3cx is hosted by a provider in the cloud (so I'm not able to change it).
Name of FQDN:
user<number>.<providername>.cloud
Note on the FQDN in the 3cx console:
"The FQDN is used by 3cx for calls, provisioning URLS and client. It cant be changed afterwards."
So.. what can I do in this (my) case...?

Yealink interface:
Before I changed the certificate setting and was then able to provision the phone from 3cx for the first time, I didn't have the security warnings in the browsers.
If the reason is (as you wrote) that the cert on the phone is a self-signed one, I should have had the security warnings before as well - or do I misunderstand something..?

Thanks for a further feedback.
 
@FredyWenger The issue is perhaps the fact that you set up a URL that is not a 3CX FQDN when you set up your system with a cloud provider. The cloud provider provided a virtual server and perhaps their own SSL which is not trusted by Yealink. Yealink out of the box has extensive SSL root certificates embedded, leading me to believe you need an SSL uploaded to your 3CX instance and to upload the cert via the Yealink GUI to the phone itself. At that point you can change the setting to trusted and all will be fine. This is not a 3CX nor Yealink issue.
 
@earthwing
First, thanks for your answer.
Unfortunately, I don't know, how I should be able to "upload a SSL" to "my" 3cx instance (so that the SSL then is active for the FQDN that the provider has set up - I only have the admin console to administrate the 3cx)…?
But... maybe I should be able to get the cert from the provider and load it to device (as I have seen, it should be possible to import a cert to the device)…?
 
Hi FredyWenger,
You have the common problem which I'm calling "I don't want to follow the rules, but you must fix my problems".
If you (or your provider) are not using the 3cx and yealink supported root certificates, how can you provision the phones remotely? They will never silently trust your (or your provider's) generated self-signed certificates.
Can you simply check the PBX certificate? Just connect to the 3cx PBX management console, click on the lock sign and check whether it is the Let's Encrypt certificate or not....

If your provider installed 3cx using untrusted certificates, whose fault is it - 3cx, yealink or your provider?
I think the provider, and I think you can fix your problems faster by contacting your provider and asking him to re-install your PBX using 3cx generated certificates.
So, I think I answered your "So.. what can I do in this (my) case...?" question.

About the "Yealink interface:".
When the yealink phone is not provisioned and has nothing to protect (username, password, server address, web access password, etc.) it's using the HTTP protocol, so you can't have any security warnings.
After the provisioning, when the phone needs to protect the mentioned information, it's using the HTTPS protocol, and because the yealink is using its own self-signed certificate, the browsers are showing it as "Not Secure". There is no issue here.

About the "So.. I have installed the latest FW (66.84.0.10) yesterday on the device and don't want to downgrade".
If you don't want to use the yealink FW version supported by 3cx, how can you ask for support?
If this FW version is not tested with 3cx and by 3cx, how can you trust it?
If you are not planning to downgrade, why do 3cx or yealink need to help you?

Personally I installed around 150 Yealink phones (including T4xS models) for our customers and around 70-80 of them are provisioned behind an SBC and using the 3cx supported 66.83.0.20 version.
I had not a single issue while provisioning them - BTW, thanks to the 3cx and yealink guys!!!

I think you need to contact your provider and ask him to provide you with the supported solutions.
 
@phonemaster
Thanks for your useful information, but you should not write in such a harsh tone!
I don't have the common problem which you call "I don't want to follow the rules, but you must fix my problems".
I have the problem "I'm not a 3cx system engineer, have not installed the 3cx myself and don't know the in-depth correlations - please help me…".
Based on your input, I have checked the link and seen that a valid "Geotrust Global CA" is assigned to the link (no idea why the yealink seems not to know it).
I then exported the cert from the browser, imported it to the yealink, set the option "Only accept trusted Certificates" to enabled again and rebooted the yealink...
And.. it works now.

Regarding the firmware, I was following "your" (ahh, the 3cx) rules to set up a new device: "first install the latest firmware in the device" (which I have done).
So.. anyway… thanks for your posting, which has helped me...
 
@CentrexJ
That's correct (I have installed the latest FW directly from yealink, which was not as described).
In the future, I will only install the "official 3cx releases" :cool:
 
FredyWenger,

Interesting though that your Geotrust Global CA certificate didn't work with the Yealink phone as trusted without manually adding it, because according to this Yealink article those certificates are trusted with firmware 71 and higher:

http://support.yealink.com/faq/faqInfo?id=691
 
@CentrexJ
Yes, that's really "interesting" - I also have seen, that it should be trusted...
Maybe a problem with the "unsupported FW" that I have installed... ;)
 
@FredyWenger
Hi FredyWenger,
Sorry if my tone was harsh for you.
Believe me, I tried to make it in a "joking" tone and tried to help you as much as possible...
Probably my English is not good enough to represent my real tone :rolleyes:

My idea was the following - we can't blame someone (3cx, yealink, or anyone else) if we are not following his rules.
Another point was to inform you that the fastest fix for your problem you can get from your provider that installed the PBX using the "Geotrust Global CA" (and not "Let's Encrypt") certificate.
If the car dealer sold us a broken car, first we need to go to that car dealer and not to the car manufacturer. ;)

I'm not a 3cx system engineer either, but we have been using the 3cx PBX during the last 3-4 years and I understood the following: Follow the 3cx rules, use the environments that they suggest and you will have a very good PBX. One step to the right or left from these rules and you will have problems. :)

I'm really happy that my suggestions helped you!
 
I don't particularly like this solution. Primarily because the cert is going to expire in 2 years. Then what? Do I have to add it again to all my phones manually?

Yealink said that certain certs, like the Godaddy one I'm using, should work with no issue. Yet, 3CX has custom firmware and it's not working. I'm wondering if 3CX's custom firmware wrote-over the pre-installed certs.

Either way, I think this needs to get fixed. A device requiring a cert but not having root certs installed is something I have not seen in the tech world for about 20 years.
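
Added example, not part of any post in this thread: the trust decision discussed above (a server certificate is rejected until its issuing CA is in the phone's trusted list) and the expiry concern, reproduced offline with `openssl`. `openssl verify` stands in for the phone's check, which is an assumption; the CA names, `pbx.example.invalid` and all lifetimes are constructed.

```bash
#!/usr/bin/env bash
# Added example. Every name, subject and lifetime here is constructed.
set -eu
WORK=$(mktemp -d)

# new_ca NAME CN DAYS: create a self-signed CA certificate NAME.pem.
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# new_server CA_NAME FQDN: issue FQDN's certificate (srv.pem) from CA_NAME.
new_server() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -days 365 -CAcreateserial \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/srv.pem" 2>/dev/null
}

# trusted_by LIST CERT: succeed only if CERT chains to a CA inside LIST.
trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# expires_within CERT DAYS: succeed if CERT's notAfter is under DAYS away.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

new_ca factory "Constructed Factory Root" 3650    # CA the phone ships with
new_ca provider "Constructed Provider Root" 730   # CA the PBX host uses
new_server provider pbx.example.invalid

# Phone with "Only accept trusted Certificates" enabled, factory list only.
if trusted_by "$WORK/factory.pem" "$WORK/srv.pem"; then
  echo "factory list: accepted"
else
  echo "factory list: rejected, provisioning download is refused"
fi

# Same check after importing the issuing CA (not the server certificate).
cat "$WORK/factory.pem" "$WORK/provider.pem" > "$WORK/phone.pem"
trusted_by "$WORK/phone.pem" "$WORK/srv.pem" && echo "after CA import: accepted"

# The imported CA has its own end date; alert well before it is reached.
expires_within "$WORK/provider.pem" 1000 && echo "imported CA: re-import due"
```

Validation stays enabled in both runs; only the contents of the trusted list change, and the `-checkend` test is the kind of check to schedule against any manually imported CA.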
 
@JParo
Thanks for your posting here…
I also don't like this "solution" (same reason as you wrote… what happens when the cert expires…)
Did you have similar problems…?
I'm not sure if my problem can have something to do with the fact that I have installed a newer firmware directly from yealink, which seems newer than the version currently supported by 3cx.
 