Some phones unregistered after a random freeswitch restart. Can't get them to re-register.

Status
Not open for further replies.

aitp/nadmin

Hi FPBX community!

Last night the freeswitch (1.10.5) service restarted on our FPBX box. Everything came back up except for about half of our extensions... I've tried factory resetting the Yealink phones which are unregistered, and I see the updated timestamp in RPS, but I don't have any registration on the FPBX side. I tried a sngrep and searching for the extension during reset, but I didn't see anything there either...

Does anyone have any advice for me about where I should begin looking? Thanks in advance for your expertise and guidance.

respectfully,
aitp/nadmin
 

gflow

Yep same thing happened to me yesterday, clients couldn’t access their remote directory and if they factory reset the handset it wouldn’t auto provision. To fix it I disabled checking for valid certificates and changed the provisioning URL in RPS from HTTPS to HTTP.
 

Adrian Fretwell

We have seen the same thing yesterday. I am convinced that it is related to the expiry of IdenTrust’s “DST Root CA X3” certificate. This will affect more than just Letsencrypt.

According to what I have read most Yealink devices with a firmware revision above 80 should have the newer ISRG Root X1 installed and should therefore work OK. But I saw a lot of seemingly random things happening yesterday, I'm just about to start looking at it again today.

I had phones with the latest firmware stop provisioning, then later in the day after several cold reboots started working again. I have had phones that would provision OK but refuse to download the directories (directory.xml). What I found very alarming was Yealink W60Bs going for http when the provision URL is clearly set to https!

Provisioning over http over the internet is a sure way to get hacked!

Disabling the check for valid certificates does seem to be a viable work around for now, but it does leave customers exposed to a potential man in the middle attack.
 

gflow

> We have seen the same thing yesterday. I am convinced that it is related to the expiry of IdenTrust’s “DST Root CA X3” certificate. This will affect more than just Letsencrypt.
>
> According to what I have read most Yealink devices with a firmware revision above 80 should have the newer ISRG Root X1 installed and should therefore work OK. But I saw a lot of seemingly random things happening yesterday, I'm just about to start looking at it again today.
>
> I had phones with the latest firmware stop provisioning, then later in the day after several cold reboots started working again. I have had phones that would provision OK but refuse to download the directories (directory.xml). What I found very alarming was Yealink W60Bs going for http when the provision URL is clearly set to https!
>
> Provisioning over http over the internet is a sure way to get hacked!
>
> Disabling the check for valid certificates does seem to be a viable work around for now, but it does leave customers exposed to a potential man in the middle attack.

All my client handsets have at minimum firmware version 84 and almost all of them had an issue, although like you say, not all of them, which is weird.

I plan on switching back to HTTPS ASAP, just trying to figure out what the best new certificate to get is (any recommendations?).

One issue I had is that for some reason I couldn't change the setting "check for valid certificates" unless the client factory reset the handset; however, when using HTTPS to provision, it wouldn't get the settings because by default it will check for certificates.
 

Adrian Fretwell

> I plan on switching back to HTTPS asap just trying to figure out what the best new certificate to get is (any recommendations?).

I found a note attached to the Yealink trusted certificates table:
Note: ISRG Root X1, Let’s Encrypt Authority X1 and Let’s Encrypt Authority X2 certificates are only applicable to SIP-T48G/T46G/T42G/T41P/T40P/T29G/T27P/T23P/T23G/T21(P) E2/T19(P)E2 IP phones running firmware version X.80.0.95 or later.

This may explain my issues with the T27g and T46s phones.

As for certificates, I needed a wildcard and I found that most of the cheaper providers used root CAs that were not in the Yealink firmware. In the end I used a Geotrust certificate (GeoTrust QuickSSL Premium Wildcard) because this uses the DigiCert Global Root CA which is in the older firmware of Yealink phones.

The new Yealink firmware(s) that I have tested work fine with Letsencrypt and the ISRG X1 Root CA that it uses.
 
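The failure mode discussed in this thread, as an added example that is not part of any post: a small Python model of how a strict client checks the chain a server sends against the roots in its firmware. The hostname, the intermediate name, the leaf dates and the `trusted_first` switch are assumptions for illustration, and the expiry dates are rounded to the day.

```python
from datetime import date

# Constructed records (subject, issuer, not_after): a model of the chains
# discussed in the thread, not parsed X.509. Dates are assumptions based on
# publicly listed expiry dates, rounded to the day.
LE_CHAIN = [  # chain a Let's Encrypt-backed server typically sent in late 2021
    ("pbx.example.com", "R3", date(2021, 12, 1)),           # constructed leaf
    ("R3", "ISRG Root X1", date(2025, 9, 15)),
    ("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30)),  # cross-sign
]
DIGICERT_CHAIN = [  # placeholder intermediate name, not a real CA certificate
    ("pbx.example.com", "Constructed Intermediate", date(2022, 6, 1)),
    ("Constructed Intermediate", "DigiCert Global Root CA", date(2030, 1, 1)),
]
ROOTS = {  # self-signed roots and their expiry
    "DST Root CA X3": date(2021, 9, 30),
    "ISRG Root X1": date(2035, 6, 4),
    "DigiCert Global Root CA": date(2031, 11, 10),
}
OLD_FW = {"DST Root CA X3", "DigiCert Global Root CA"}  # assumed store contents
NEW_FW = OLD_FW | {"ISRG Root X1"}

def validate(chain, trust_store, today, trusted_first=True):
    """Return (ok, reason) for a client that also enforces root expiry.

    trusted_first=False models a path builder that follows every certificate
    the server sent before it consults its own trust store.
    """
    for i, (subject, issuer, not_after) in enumerate(chain):
        if today > not_after:
            return False, f"{subject} expired {not_after}"
        last = i == len(chain) - 1
        if issuer in trust_store and (trusted_first or last):
            if today > ROOTS[issuer]:
                return False, f"root {issuer} expired {ROOTS[issuer]}"
            return True, f"anchored at {issuer}"
    return False, f"issuer {chain[-1][1]} not in trust store"

if __name__ == "__main__":
    day = date(2021, 10, 1)
    for name, store in (("old firmware", OLD_FW), ("new firmware", NEW_FW)):
        print(name, "LE:", validate(LE_CHAIN, store, day))
        print(name, "DigiCert:", validate(DIGICERT_CHAIN, store, day))
```

In this model, a phone that holds ISRG Root X1 still fails when `trusted_first=False`, because it follows the cross-signed chain to the expired root instead of stopping at the root it already trusts.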