Remote Provision status 404

Discussion in '3CX Phone System - General' started by gyates82, Aug 7, 2016.

Thread Status:
Not open for further replies.
  1. gyates82

    Joined:
    Aug 7, 2016
    Messages:
    5
    Likes Received:
    0
    After upgrading to v15 SP1, the 3cx.us provision URL comes back as 404 Not Found.
    Ideas?
     
  2. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Joined:
    May 10, 2016
    Messages:
    4,349
    Likes Received:
    274
    Hello there,

    Could you please specify what build number you are currently on? You can see this in the Dashboard section of the management console under the information section.

    Also, what phones are you using and how are you trying to provision the phones?

    Remote STUN, RPS or behind SBC?

    Give us some information to go on.

    Awaiting your reply
     
  3. gyates82

    Joined:
    Aug 7, 2016
    Messages:
    5
    Likes Received:
    0
    15.0.57336.0

    STUN - Remote https://pclpbx.3cx.us:5001/provisioning/y6zlagjydw
     
  4. gyates82

    Joined:
    Aug 7, 2016
    Messages:
    5
    Likes Received:
    0
    Actually it returns 404 on the internal network as well.

    http://10.0.0.7:5000/provisioning/y6zlagjydw

    Failed to load resource: the server responded with a status of 404 (Not Found)
     
  5. NickD_3CX

    NickD_3CX Support Team
    Staff Member 3CX Support

    Joined:
    Jun 2, 2014
    Messages:
    1,243
    Likes Received:
    61
    Check that all the 3CX services are started, then you might want to check the log files found in C:\Program Files\3CX Phone System\Bin\nginx\logs\. These may point to the reason why it is not working.

    Also, just putting the Provisioning Link is not enough. Don't forget to append the filename of a Config File as well. For example, if you have a Yealink phone with MAC Address 112233445566, the prov link you should enter to test would be:
    http://10.0.0.7:5000/provisioning/y6zlagjydw/112233445566.cfg
     
  6. Anonymous

    Anonymous Guest

    3CX - This is very frustrating.

    Here is what I've found

    Yealink phones by default have "security.trust_certificate" set to true. This means that if a certificate is not signed by a trusted CA, the phone will not accept any provisioning files from an https connection. Yealink does not include any trusted CAs and so provisioning files referenced by https URLs will never work, and all 3CX ver 15 provisioning files are https.

    Either:
    1) manually modify the security.trust_certificate parameter found on the Security / Trusted Certificates tab as "Only Accept Trusted Certificates" to Disabled / False so it will accept https urls or
    2) modify the NGINX webserver settings to allow for non https connections and ensure the provisioning urls are http or
    3) possibly manually upgrade the phone firmware to the latest version which may trust the new CA used by 3CX.

    Either way, more planning should be included on this before it's released.

    And just for the record - 3CX has a world class sales team, marketing team, executive and dev team that do a lot of amazing things. There are some very impressive people at 3CX. These last three, 12, 14 and now 15, are released too early - please replace your product management team.
     
  7. NickD_3CX

    NickD_3CX Support Team
    Staff Member 3CX Support

    Joined:
    Jun 2, 2014
    Messages:
    1,243
    Likes Received:
    61
    That is not exactly true. Yealink does have a list of Trusted CAs built into each firmware; this though is not visible, as far as I know, through the phone's UI. An example of this, although for a really old firmware, is the following document by Yealink:
    https://www.google.com/url?sa=t&rct....1.pdf&usg=AFQjCNHRIwdvhVQrYC3-EKzGbiDuiUh2_A

    FYI, support for "Let's Encrypt" Certificates was just added in firmware x.80.0.130.

    In regards to allowing HTTP connections from the WAN, we decided to make this a 'must' to ramp up security. If you want, at your own risk, you can modify the nginx settings to allow this. If you decide to wander into this area, I would HIGHLY recommend backing up the original nginx.conf file, which is located in directory C:\Program Files\3CX Phone System\Bin\nginx\conf\.
     
  8. Anonymous

    Anonymous Guest

    Hi Nick, Agree with you on the nginx config modification - don't do it. Disagree that it's an immediate must. Most folks would roll this out over a year or more to allow all the pieces to match up first.

    By the way, I include the community support in my world class declaration. I think you guys do an amazing job of community support and blog output. Kudos to the 3CX executive for deciding to fund a community team and to your team for doing a great job. - Please convince the product management team to be a lot more conservative in their changes.
     
  9. h21

    h21

    Joined:
    Mar 31, 2014
    Messages:
    4
    Likes Received:
    1
    [quote]In regards to allowing HTTP connections from the WAN, we decided to make this a 'must' to ramp up security. If you want, at your own risk, you can modify the nginx settings to allow this.[/quote]


    Can you advise how this can be completed?


    The reason why I ask - as we completely understand and agree with the need for HTTPS by default - not having an option for HTTP has caused issues with the remote provisioning for our clients.

    Why is this so? For one example: we have a client moving from v14 multi-tenant to v15 single instance due to need for new features. They have about 150 Yealink T28P Phones in their offices + 50 mixed newer phones. Yealink T28P does not have our certificate in its trusted store, thus remote provisioning does not work (Wireshark response: Unknown CA). We have a wildcard certificate from Starfield Secure Certificate Authority - G2.


    Alternatively, if you don't want to advise customers how to enable HTTP remote provisioning, if you really want ALL phones to use HTTPS and be secure -- release ROMs that include modern CAs in their trusted store.

    You guys created new ROMs for all phones with Let's Encrypt support - This is awesome! - Would it be difficult to do this again for all modern CAs?


    Would really appreciate advice on this, Thanks.
     
  10. h21

    h21

    Joined:
    Mar 31, 2014
    Messages:
    4
    Likes Received:
    1
    Just FYI I figured out how to do it myself, leaving this here for anyone that needs a quick fix.


    This is how to allow HTTP connections on Windows server with 3CX v15 nginx - useful for remote provisioning with end-of-life phones that don't have a modern CA in their trusted store.


    Edit this file with notepad:

    C:\Program Files\3CX Phone System\Bin\nginx\conf\nginx.conf


    Locate this section:

    server {
        listen 80;
        server_name example.example.com.au;

        location / {
            allow 192.168.0.0/16;
            allow 172.16.0.0/12;
            allow 10.0.0.0/8;
            allow 127.0.0.1;
            deny all;


    If you just want to allow ALL (UNSECURE) then do the following:

        location / {
            allow all;


    Alternatively, if you know your clients' source IP addressing, allow them and deny the rest (HIGHLY Recommended if you are going to do this):

        location / {
            allow 123.123.123.123/32;
            allow 134.134.134.134/32;
            allow 127.0.0.1;
            deny all;



    Save the file, go to Run > services.msc and restart "3cx PhoneSystem Nginx Server". Done.


    Still hoping for more information from 3CX on this about getting modern CAs in the older phones' ROM, but it's a big ask.
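
An added example, not part of the post above and not 3CX's code: a small Python check that reads nginx.conf text and reports how widely its port-80 `server` blocks are opened, run on constructed copies of the three `location /` variants from the post. The function names and sample strings are assumptions made for this illustration.

```python
import ipaddress
import re


def port80_servers(conf):
    """Return the body of every `server { ... }` block that listens on plain port 80."""
    conf = re.sub(r'#.*', '', conf)              # drop comments
    bodies = []
    for m in re.finditer(r'\bserver\s*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:           # walk to the matching closing brace
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        if re.search(r'\blisten\s+(?:\S+:)?80\b', body):
            bodies.append(body)
    return bodies


def audit(conf):
    """List (level, message) findings for allow/deny rules on port-80 servers."""
    # Simplification: ignores rule order, per-location scoping and include files.
    findings = []
    for body in port80_servers(conf):
        rules = re.findall(r'\b(allow|deny)\s+([^;\s]+)\s*;', body)
        allows = [target for action, target in rules if action == 'allow']
        if 'all' in allows or ('deny', 'all') not in rules:
            findings.append(('HIGH', 'plain HTTP reachable from any source'))
        for target in allows:
            if target == 'all' or target.startswith('unix:'):
                continue
            net = ipaddress.ip_network(target, strict=False)
            if not (net.is_private or net.is_loopback):
                findings.append(('WARN', f'plain HTTP allowed from public {net}'))
    return findings


# Constructed samples modelled on the three variants in the post above
# (server_name and addresses are the post's placeholders; braces are closed here).
HEAD = "server {\n listen 80;\n server_name example.example.com.au;\n location / {\n"
TAIL = " }\n}\n"
STOCK = HEAD + " allow 192.168.0.0/16;\n allow 172.16.0.0/12;\n allow 10.0.0.0/8;\n allow 127.0.0.1;\n deny all;\n" + TAIL
OPEN = HEAD + " allow all;\n" + TAIL
LISTED = HEAD + " allow 123.123.123.123/32;\n allow 134.134.134.134/32;\n allow 127.0.0.1;\n deny all;\n" + TAIL

if __name__ == '__main__':
    for name, conf in (('stock', STOCK), ('open', OPEN), ('listed', LISTED)):
        print(name, audit(conf) or 'no findings')
```

Running it against the real file after an edit, and again after each 3CX update, shows whether the port-80 block is still limited to the addresses you intended.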
     
  11. Anonymous

    Anonymous Guest

    I like your solution. It's generally safe to allow http for internal IPs, as in most cases internal IPs are in safe protected company zones and less accessible to global hackers.

    Nice Solution.
     