[cisco-voip] MRA Onboarding via activation code... phone trust list?

Brian Meade bmeade90 at vt.edu
Wed Dec 1 18:05:14 EST 2021


The phone CA Trust List is part of the phone firmware.

I think this is still the latest-
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cuipph/all_models/ca-list/CA-Trust-List.pdf

I don't see Let's Encrypt in there.

On Wed, Nov 17, 2021 at 9:53 AM Jonathan Charles <jonvoip at gmail.com> wrote:

> OK, TAC never responded to me, but I found the solution.... I did a packet
> capture from the phone and saw it come back with an invalid CA for the
> Let's Encrypt certs... I uploaded the cert chain for Let's Encrypt to
> Phone-Edge-Trust on the CCM Publisher and the phone registered.
>
> Phone-Edge-Trust uploads the certs to the Cisco Cloud, so when the phone
> gets the activation code it downloads those certs into its trust store.
>
> This cert store is designed for people using their own internal certs, but
> my phone was a CP-8845-K9=V03 I got in 2017 and probably predates the Let's
> Encrypt CA.... so, if you see TLS error or Invalid CA in the PCAP, it is
> worth a shot to upload the E's external cert chain to the Pub.
>
>
> Jonathan
>
> On Thu, Nov 11, 2021 at 4:57 PM Jonathan Charles <jonvoip at gmail.com>
> wrote:
>
>> Yes, they will, the Expressway E was designed around an ACME cert and
>> Let's Encrypt is super free.
>>
>> Anyway, I think the issue is between the Expressway and CUCM at this
>> point... escalating to TAC...
>>
>>
>> Jonathan
>>
>> On Thu, Nov 11, 2021 at 4:49 PM Brian V <bvanbens at gmail.com> wrote:
>>
>>> Will the phones trust a Let's Encrypt cert?
>>> Jabber works because the OS (Windows/MAC/iOS/Droid) gets updated root CA
>>> certs on a regular basis
>>> The trusted certs in the phone have to be placed there in the software
>>> by Cisco.
>>> This might be a situation where newer code on a phone is required if the
>>> trusted Root CA (or chain) for Let's Encrypt is missing on the phone.
>>>
>>> On Thu, Nov 11, 2021 at 11:27 AM Matthew Huff <mhuff at ox.com> wrote:
>>>
>>>> I wouldn’t put a lot of weight in the status on the phone with the TLS
>>>> error, I’ve seen that with working phones. Do you have the phone MRA domain
>>>> set? We have a separate device pool for MRA devices so it can set the time
>>>> from external ntp sources. If the time on the phone is off, the crypto
>>>> can fail as well.
>>>>
>>>>
>>>>
>>>> *Matthew Huff* | Director of Technical Operations | OTA Management LLC
>>>>
>>>>
>>>>
>>>> *Office: 914-460-4039*
>>>>
>>>> *mhuff at ox.com <mhuff at ox.com> | **www.ox.com <http://www.ox.com>*
>>>>
>>>>
>>>> *From:* Jonathan Charles <jonvoip at gmail.com>
>>>> *Sent:* Thursday, November 11, 2021 11:50 AM
>>>> *To:* Matthew Huff <mhuff at ox.com>
>>>> *Cc:* Brian Meade <bmeade90 at vt.edu>; cisco-voip voyp list <cisco-voip at puck.nether.net>
>>>> *Subject:* Re: [cisco-voip] MRA Onboarding via activation code... phone trust list?
>>>>
>>>>
>>>>
>>>> It is running 12.8... it has been locally reg'd before...
>>>>
>>>>
>>>>
>>>> On Thu, Nov 11, 2021 at 10:44 AM Matthew Huff <mhuff at ox.com> wrote:
>>>>
>>>> In the lab, have you tried setting up the phone without MRA and get the
>>>> firmware uploaded first? Depending on how old the firmware is, you may have
>>>> issues with onboarding. Our 8861 wouldn’t onboard until at least 12.5.
>>>>
>>>>
>>>>
>>>>
>>>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> *On Behalf Of *Jonathan Charles
>>>> *Sent:* Thursday, November 11, 2021 11:10 AM
>>>> *To:* Brian Meade <bmeade90 at vt.edu>
>>>> *Cc:* cisco-voip voyp list <cisco-voip at puck.nether.net>
>>>> *Subject:* Re: [cisco-voip] MRA Onboarding via activation code... phone trust list?
>>>>
>>>>
>>>>
>>>> On the phone, we see TLS connection failed... the E's cert is signed by
>>>> Let's Encrypt...
>>>>
>>>>
>>>>
>>>> On the Expressway E we see some certificate exchange and then resets in
>>>> the connection...
>>>>
>>>>
>>>>
>>>> MRA works fine for Jabber.... just 8845 Activation Code onboarding is
>>>> failing...
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Jonathan
>>>>
>>>>
>>>>
>>>> On Tue, Nov 9, 2021 at 5:57 PM Brian Meade <bmeade90 at vt.edu> wrote:
>>>>
>>>> What's the console logs show?
>>>>
>>>>
>>>>
>>>> The Expressway needs to be signed by one of the trusted CAs listed that
>>>> are part of the phone firmware.
>>>>
>>>>
>>>>
>>>> The Expressway cert authenticates the phone with the MIC.
>>>>
>>>>
>>>>
>>>> Do you have activation code onboarding enabled under the MRA config on
>>>> the Expressway-C?
>>>>
>>>>
>>>>
>>>> On Fri, Nov 5, 2021, 5:30 PM Jonathan Charles <jonvoip at gmail.com>
>>>> wrote:
>>>>
>>>> So, I set up activation code MRA for an 8845 (lab first)...
>>>>
>>>>
>>>>
>>>> Cloud onboarding worked, got an activation code, tried it out...
>>>>
>>>>
>>>>
>>>> Phone kicks back 'check internet connectivity' and the status on
>>>> the phone says:
>>>>
>>>>
>>>>
>>>> GDS Handshake Succeeded
>>>>
>>>> A TLS connection failed...
>>>>
>>>>
>>>>
>>>> GDS is Cisco's cloud onboarding thingy.... I am assuming it didn't like
>>>> the TLS connection to the expressway, but I don't see anything in the
>>>> Expressway logs...
>>>>
>>>>
>>>>
>>>> There is a bug and it says we need to load a Hydrant cert back into the
>>>> trust store...
>>>>
>>>> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt67257?rfs=iqvred
>>>>
>>>>
>>>>
>>>> But where do we need to load it? Tomcat Trust? On the Expressways? The
>>>> bug doesn't say... it needs to be pushed to the phone's trust list, how do
>>>> you do that?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Thanks!
>>>>
>>>>
>>>>
>>>> Jonathan
>>>>
>>>> _______________________________________________
>>>> cisco-voip mailing list
>>>> cisco-voip at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>