
Autoprovision Yealink T46s don't work with 15.5 SP6

@FredyWenger

Yep. Wrestling with it now. I downloaded the latest direct from Yealink, provisioned by disabling 'Only Accept Trusted Certificates', and then changed the firmware to the 3CX latest via the 3CX system.

For me, I tested and it's not my cert I need to upload, it's the Godaddy intermediate cert I had to upload. That works. However, the cert does not last a Factory Reset. So if there is ever a reset, I'd have to manually re-add this to every device.

Edit to say I'm provisioning a T56 and a T54.
 
@JParo
Thanks again for posting here…
So I know that I'm not the only one who has such problems, and you have used an official 3cx supported firmware version.
In my case the certificate used should be supported on the Yealink "out-of-the-box", but was not!
For me it's not clear where the error is (I guess more on the Yealink side, but not sure).
I will investigate the problem in more detail if I add further Yealinks...
 
@FredyWenger and @JParo
Hi guys,
There is no error here. You are trying to use something that is not supported.

3cx generates the Let's Encrypt certificates for you and forces all supported phones to work with it (I can see it added for GS, Fanvil and Snom phones).
Did you use it? No. So, there is no issue on 3cx side.

The phones that are working (supported phones) with 3cx are always working in parallel with 3cx.
I can see 3cx added something, after that phones added something and vice versa.
I think, they (phones) never had a request to support the Geotrust Global CA certificates that you are using.
They can't support all existing CAs in the world - all phones have memory limitations.
So, there is no issue on Yealink side too.

I can suggest you guys open a ticket with Yealink, provide them your certificates and ask:
1. Why are they not accepted by default, so that you need to upload them manually to the phones?
2. Where can you find the list of the certificates supported by Yealink, so we will share it and all of us will have it?
 
At least (my) Geotrust Global CA is on Yealink's list of the preinstalled (trusted) certificates.
It simply doesn't work...
 
@phonemaster

You are incorrect on literally all the things you just said. LetsEncrypt is only supported for 3cx domains. If you use your own FQDN, which we have done on our Pro license, LetsEncrypt is not supported by 3CX and you need to provide your own cert. See under custom domain here: https://www.3cx.com/docs/fqdn-management-allocation/ and how to install them here: https://www.3cx.com/docs/fqdn-ssl-certificate-v15/ - including steps for Godaddy which I use. (Why would they include how to use GoDaddy if they do not support it?)

As for Yealink supporting Root CAs - every browser and every device shipped that allows for publicly available CAs has the root CAs pre-installed. This is common, accepted, and standard practice. Yealink themselves do this per this http://support.yealink.com/faq/faqInfo?id=691

So, if Yealink has root certs and supports them natively, for my Godaddy and others, and 3CX allows for, and gives documentation for, using a GoDaddy cert for 3CX 15.5, then using a Godaddy cert is not the issue. Furthermore, if they work on stock Yealink firmware, but not on the 3CX modified firmware, then do the math on where the problem is.
 
Hi JParo,
I think you are a bit mixed up and are understanding my replies and the guides as it's convenient for you.
1. You wrote:
...If you use your own FQDN, which we have done on our Pro license, LetsEncrypt is not supported by 3CX and you need to provide your own cert. See under custom domain here: https://www.3cx.com/docs/fqdn-management-allocation/...
Where did you see this?
The guide says the following:
...A Let’s Encrypt Cert cannot be issued by 3CX in this case...
[Screenshot: upload_2018-9-22_0-30-27.png]
"cannot be issued" and not "is not supported" by 3CX.
This means, if you are using your own domain, 3cx will not issue the Let's Encrypt certificate for your domain, but no one can stop you from issuing it yourself...
If you decided to use your own domain, be ready to do all the other stuff manually too...

2. "...Yealink themselves do this per this http://support.yealink.com/faq/faqInfo?id=691.."
Yes, they are listed there, but do they work? Are you sure about that?

3. I was replying to FredyWenger, who had a problem with "Geotrust Global CA" and not "Godaddy" certificates, and he wrote the following:
[Screenshot: upload_2018-9-22_0-54-51.png]
As you can see, FredyWenger confirmed that even firmware downloaded directly from Yealink doesn't work.

4. You are calling 3cx supported versions "3CX modified firmware". It's not true.
I have big experience working with Yealink (we are a gold customer of theirs in my country) and what I realize is that the FW supported by 3cx has a higher version and fewer issues than the Yealink version.
The best example is the last 3cx supported version.
Yealink published the xx.83.0.10 version and it had the problem with the power LED.
After some time, 3cx published the xx.83.0.20 version as a supported one where that issue was solved. Yealink published the new version with that fix after 2 months.
And I can give you more examples if you need...
So, the 3cx supported version is not a "modified" but a "more stable" version.

Anyway... In this post I tried to help FredyWenger and the guys with similar problems to troubleshoot and fix them, but I'm not ready to get posts which wrongly say that I'm "incorrect on literally all the things" (I proved that it's not like that)... So, this is my last reply in this post...
 

@phonemaster
1. As you know, Let's Encrypt cannot be installed by 3CX. 3CX recommends 3rd party certs such as Godaddy. To say 3CX only allows LetsEncrypt is still incorrect. They provide many guides for this, including the specific one for Godaddy I referenced. Considering 3CX allows for 3rd party certs natively, and Yealink supports 3rd party roots natively, means that if a supported 3rd party does not work, it's not because I didn't use the one that 3CX uses on their own domain. If that were the case, then 3CX provides no documentation to the fact, and should probably reference that using a 3rd party cert as recommended by 3CX, even one supported by Yealink, will still require the cert installed on the handset.

2. Yes, mine worked fine on the latest Yealink downloaded firmware. 3CX upgraded the firmware to a lower version and it stopped working.

3. I didn't seem to have this issue, but I'm also using a different cert.

4. I admit this was an assumption. Yealink stated that their firmware is written generically, but they also work with providers to provide firmware specific to each system. I assumed 3CX has some minor modifications on this to ensure it works better with their system.

As for calling you incorrect, I apologize if it seemed harsh. However, your thoughts on the first point still seem incorrect. To assume that LetsEncrypt is the only valid native cert, otherwise, you're doing unsupported things, is plain wrong. Everything I have done I have done following 3CX provided documentation. FQDN requires a 3rd party cert - LetsEncrypt or elsewhere, including Godaddy which 3cx claims is supported. As yealink also claims that Godaddy certs are supported, then I fail to see anywhere in any documentation that providing a Godaddy cert is somehow incorrect, unsupported, or requires any additional steps. While I believe your assumption of 'Unsupported' or 'Extra' things is incorrect, I would believe LetsEncrypt is the only native cert. If that were to be the case, then there is still an issue with 3CX for not having proper documentation to that effect, or not realizing the others do not work as they should. As someone with a Pro license requiring it for a custom FQDN, I think that level of support, by way of guides and forums, would at some point mention it will require additional steps to install unless you use one specific cert provider.
 
@JParo

There seems to be a bit of selective reading on your part going on.

- First of all, nothing is stopping you from generating your own LE certificate with your own domain. You can generate a LE certificate for your own domain; it's just typically easier for the layman to use someone like Godaddy.
- Secondly it is not a 3CX modified firmware. It is a Yealink modified firmware for 3CX. So if your certificate is not working in the latest 3CX supported firmware but works with the latest Yealink firmware, that's on Yealink. Chances are it's simply that Yealink added the trusted root you need to a later version of firmware. So the next 3CX supported firmware issued by Yealink based on v84 will likely work with your certificate.
- In the very article you link there is this statement:

It is recommended to check with your IP phone endpoints first to make sure that the device has the root CA (the certificate that will remove the warning messages) built into the device by default. Below is a list of IP vendors with a built-in root CA certificate as taken from their admin guides on July 13th 2016. This may of course change at any time:

- I haven't done a single install with a custom FQDN (except for some early testing on my behalf). Every customer that asked (which has been very few), when explained the pros and cons, opted to stay with the 3CX provided. As their trusted advisor that is always my recommendation.

- 3CX supports the use of a custom FQDN. They make no promises as to anything else, including that it will work with a particular phone/firmware version. If you decide to go the custom route, then the expectation is you know what you are doing and you are able to deal with all contingencies. If not, you probably want to put that in the con column and re-evaluate your decision to use a custom FQDN.
 
@cobaltit

Thanks for your reply. I do appreciate everyone lending time to help people troubleshoot issues.

Thank you for clarifying who is modifying the firmware. I had gathered it was 3cx specific, I just wanted to be sure who was the one who ultimately modified it. At this point, I'm going to go to Yealink to see why a supposedly supported cert is not working.

As for FQDN, what issues do you think arise from using it to where you don't recommend it? I still take issue with the fact that FQDN is supported by 3CX with plenty of documentation, and when I use it to spec and issues arise, the answer from people on this forum is simply "Well don't use FQDN, use the 3CX one". That's not an acceptable answer. I can understand that perhaps it's not a 3cx issue as much as a Yealink issue, but I've not heard much other than shame on me for trying to use a pro feature.

Let me clarify something: I have about 7 years of Nginx configs and certificate installation under my belt. Both public certs and private. I know how the cert world works. I know about root certs, cert chains, etc. I've also been actively moving a lot of my systems to LetsEncrypt. Both Linux and Windows, I've even migrated quite a few that have no supporting documentation and just did it on my own. None of this is new to me. In fact, when I installed 3cx with my FQDN, I was actually surprised and dismayed that they didn't allow LetsEncrypt to issue the cert natively. I can make some guesses why, but it would be very possible for them to allow this knowing in-depth how it works.

Regardless, after I discovered this, I spent quite some time getting LetsEncrypt to work with my FQDN. This is very difficult considering you need to upload a cert upon install of 3CX for your FQDN and letsencrypt requires your webserver already running with port 80 open. Then, I'd have to modify the nginx config file, which 3cx explicitly says to not do, to keep it working moving forward. Of course, one 3cx update could overwrite my customizations. So, upon looking at all of that, I decided to just go get my own public cert. So I read the 3CX documentation, which I already linked, which tells you exactly what to do, and warns you to use a cert that is approved by the phone manufacturer so you don't run into any issues. So I clicked the link to the list of certs supported by yealink, saw that Godaddy was approved, and got my godaddy cert. Now, 'supported' should mean the root cert is installed on the device so it can chain to my own cert. I really don't know what else it could mean as a crt is a crt so 'supported' can't mean 'i can upload that one, but not other ones to the device'.

So upon doing everything by the book and coming here to see if anyone else has an issue, I find this thread. However, instead of people saying "Yeah, me too, not sure why" or "Yeah, that should work but there might be an issue with Yealink's firmware, you should go talk to them" or "Yeah, Yealink says they support those certs but it doesn't seem like it", or even "That's weird. Did you try x, y, and z?" I instead hear people say in a very accusatory way "Well, this is why you don't use that premium feature and only use 3CX domains to avoid this totally unsupported premium feature that's very well documented." That's in no way, shape or form helpful.
 
@FredyWenger

I found the problem for my GoDaddy cert and wanted to let you know to see if it applies to your GeoTrust cert.

For me, the issue is that the GoDaddy cert isn't signed by the GoDaddy root cert that is on the Yealink device. Instead, it is signed by an intermediate cert that is signed by the root cert. Yealink does not have that intermediate cert installed nor does 3cx. The intermediate cert came with the GoDaddy cert inside the zip file.

To fix this, you can open up the intermediate cert in Notepad, then open your cert in Notepad. Copy your cert ABOVE the intermediate cert, so at the beginning, and save this as a newly combined cert. I replaced my cert on 3CX with this newly combined cert and auto provisioning and everything else is working like a charm. No issues whatsoever with 3CX and an FQDN.

Hopefully, this helps you, or someone else with a GoDaddy Cert and Yealink devices.
 
Update:

@JParo:
Thanks for your suggestion, but I’m not able to make changes at the certificate, as our PBX is hosted by a provider.

@NickD_3CX and 3cx generally:
I have now bought a brand new Yealink T48S (touchscreen) and am disappointed (by 3cx and also by Yealink -> see below...).

Did a factory reset first
I haven't done any FW update and configured the T48 over our SBC with the web interface.
Rebooted…
Device was shown in the 3cx console
Set the T48 to a (my) extension and configured as needed
Rebooted device
Settings were not taken over - message “update skipped” was shown on the device

Imported the certificate of our 3cx/SIP-Trunk provider (Geotrust Global CA) on the T48S over the web interface.
Disabled “Only Accept Trusted Certificates”
Rebooted device -> Provisioning worked, T48S works principally

Removed the imported certificate from device
Enabled “Only Accept Trusted Certificates”
Rebooted device
Provisioning doesn't work again

So 3cx (and / or Yealink) definitely has/have a problem regarding the certificate (at least Geotrust Global CA).

The Geotrust Global CA is listed on the Yealink page with the preinstalled certificates
http://support.yealink.com/faq/faqInfo?id=691

So... same problems here as with the Yealink T46s (the reason that I created this thread)

I definitely can’t live with the “workaround” to import the (should be trusted!) certificate of our provider, wait until it expires and then extract the cert in the browser and reimport it again on all devices with the web client!

I’m also not able (and wouldn't want to, if I were able) to apply a “Let's Encrypt SSL Cert” to the 3cx as it is hosted by a provider.

It can’t be that we have to handle such basic problems with new mainstream products (Yealink and Geotrust Global CA)

So... please give me a solution, 3cx!

Firmware:
As the T48S was shown in red as “not supported” I wanted to update the FW over the 3cx.
The 3cx console showed 66.83.0.20 as the actual and 66.82.0.20 as the installed FW version
Firmware update over 3cx doesn't work (nothing happens on the T48S device)
Searched on the Yealink website for the FW shown as update in the 3cx console (66.83.0.20)
=> Not found (66.83.0.10 / 66.83.0.30 / 66.83.0.35 / 66.83.0.50 and 66.84.0.10, but no 66.83.0.20!), which is strange to me...

Downloaded the FW version 66.83.0.20 from the 3cx FW download page and updated the T48S manually over the web client
The device is shown in black now but the FW is way outdated, which is not nice...
Retested problems with certificate mentioned above (only to be sure…) -> same behavior

Disappointed with Yealink T48S (not 3cx related, only as additional information):
Blurry screen, text shown is not sharp
if the display is viewed at the “standard angle” of about 45 - 60 (with the foot stand) (T46 display is way better)
Touch screen slow (not responsive)
Setting Label Length to “extended” under Dsskey (in the web client) does not work!

=> Text (e.g. to BLF) is shown in two lines (instead of one) although there is more than enough space on the screen (this works on the T46S).
=> Posted a thread in the Yealink forum about that issue
 
@FredyWenger

Just to be clear about my findings: The cert I am using is a chained cert with an intermediate cert. Meaning, Godaddy has a root cert, which signs an intermediate cert, which signs my cert. All must be present to the device making the request to complete the chain.

The issue I discovered is that Yealink only has the root cert (Chrome as an example also contains the intermediate cert), and on the server, you install your cert. That means the intermediate cert is not present. This is the error I encountered and fundamentally, means that the documentation was correct in saying the root cert is present because it is. It just fails to mention the intermediate cert is not.

You just need to attach the intermediate cert. That's what the instruction I provided should help with. Here is more instruction in how I achieved it: https://www.digicert.com/ssl-support/pem-ssl-creation.htm

If you do not have access to the server as you mentioned, you may want to ask your provider to include the intermediate cert in your cert. Otherwise, I think you are stuck.
 
@JParo
Thanks for your further feedback.
As I wrote, it’s not “my” certificate and I have no access to it.
But nevertheless... If I contact the provider, I need detailed information and I’m not the “cert specialist”.
If I display the (provider) cert in the browser, I see the following information:
GeoTrust Global CA
  RapidSSL SHA256 CA
    *.peoplefone.cloud

So.. peoplefone.cloud is the provider DNS and his key competence is... to run hosted 3cx PBX.

Can you see a reason for the Issue here...?
If yes, what exactly does the provider have to do to solve the problem?

Thanks for a further reply
 
@FredyWenger

If the issue is the same as mine, then your provider needs to add the RapidSSL cert to the *.peoplefone.cloud cert per the link I provided. - https://www.digicert.com/ssl-support/pem-ssl-creation.htm

That said, I'm not positive this is the issue because the RapidSSL_CA_Bundle is supposedly supported on Yealink per this - http://support.yealink.com/faq/faqInfo?id=691 - worth a shot though.

If you have a host who specializes in hosted 3CX solutions, then I think you need to ask them for help. Let them know their certificate doesn't appear to be natively supported by Yealink phones and ask if they have seen this or have a solution. I would have to believe they have run into this before. If his competency is to run a hosted 3cx pbx, then this is honestly his problem and should be core to his competency.
 
@FredyWenger

Also of note is you may want to look to another provider or spin up your own cloud instance. 3CX required everyone to upgrade to v15.5 Update 6 and it sounds like your provider is running the multi-tenant edition from v14 which is no longer supported.
 
@JParo:
Thanks for your feedback - I "Like it".
@cobaltit:
Thanks also for your posting.
I have access to the PBX (and 15.5 Update 6 is installed), but I don't have access to the provider domain.
@3cx:
Maybe I can hear something also from 3cx (as this should be a 3cx forum)…?
 
@FredyWenger

Since you can provision the phone with the option “Only Accept Trusted Certificates” disabled then this is a certificate issue. I am guessing that you can access the management console of the PBX with no SSL issues and the only issue is that the phone you are using does not accept your certificate (although it should). Although these phones are supported by 3CX we do not make the firmware for these phones and we do not control what is supported by Yealink. If the phone does not provision when the option “Only Accept Trusted Certificates” is enabled then it is the phone not trusting the certificate you used for the phone system.
So this is either an intermediate certificate issue as @JParo suggested or this is a Yealink issue. I would follow the troubleshooting route others suggested. Contact your hosting provider and let them know of the issue and what they can do to solve this and also ask Yealink if further steps are required for the phones to trust your certificate.
 
@YiannisH_3CX:
Thanks for your reply.
I have now sent an email (support case) to my provider and hope that I will receive a meaningful answer...
I will post my findings here (as soon as I have it)...
 