[cisco-voip] MRA Onboarding via activation code... phone trust list?

Brian V bvanbens at gmail.com
Thu Nov 11 17:49:02 EST 2021


Will the phones trust a Let's Encrypt cert?
Jabber works because the OS (Windows/Mac/iOS/Droid) gets updated root CA
certs on a regular basis.
The trusted certs in the phone have to be placed there in the software by
Cisco.
This might be a situation where newer code on a phone is required if the
trusted root CA (or chain) for Let's Encrypt is missing on the phone.

On Thu, Nov 11, 2021 at 11:27 AM Matthew Huff <mhuff at ox.com> wrote:

> I wouldn’t put a lot of weight in the status on the phone with the TLS
> error, I’ve seen that with working phones. Do you have the phone MRA domain
> set? We have a separate device pool for MRA devices so it can set the time
> from external NTP sources. If the time on the phone is off, the crypto
> can fail as well.
>
> Matthew Huff | Director of Technical Operations | OTA Management LLC
> Office: 914-460-4039
> mhuff at ox.com | www.ox.com <http://www.ox.com>
>
> From: Jonathan Charles <jonvoip at gmail.com>
> Sent: Thursday, November 11, 2021 11:50 AM
> To: Matthew Huff <mhuff at ox.com>
> Cc: Brian Meade <bmeade90 at vt.edu>; cisco-voip voyp list <cisco-voip at puck.nether.net>
> Subject: Re: [cisco-voip] MRA Onboarding via activation code... phone trust list?
>
> It is running 12.8... it has been locally reg'd before...
>
> On Thu, Nov 11, 2021 at 10:44 AM Matthew Huff <mhuff at ox.com> wrote:
>
> In the lab, have you tried setting up the phone without MRA and get the
> firmware uploaded first? Depending on how old the firmware is, you may have
> issues with onboarding. Our 8861 wouldn’t onboard until at least 12.5.
>
> Matthew Huff | Director of Technical Operations | OTA Management LLC
> Office: 914-460-4039
> mhuff at ox.com | www.ox.com <http://www.ox.com>
>
> From: cisco-voip <cisco-voip-bounces at puck.nether.net> On Behalf Of Jonathan Charles
> Sent: Thursday, November 11, 2021 11:10 AM
> To: Brian Meade <bmeade90 at vt.edu>
> Cc: cisco-voip voyp list <cisco-voip at puck.nether.net>
> Subject: Re: [cisco-voip] MRA Onboarding via activation code... phone trust list?
>
> On the phone, we see TLS connection failed... the E's cert is signed by
> Let's Encrypt...
>
> On the Expressway E we see some certificate exchange and then resets in
> the connection...
>
> MRA works fine for Jabber.... just 8845 Activation Code onboarding is
> failing...
>
> Jonathan
>
> On Tue, Nov 9, 2021 at 5:57 PM Brian Meade <bmeade90 at vt.edu> wrote:
>
> What do the console logs show?
>
> The Expressway needs to be signed by one of the trusted CAs listed that
> are part of the phone firmware.
>
> The Expressway cert authenticates the phone with the MIC.
>
> Do you have activation code onboarding enabled under the MRA config on the
> Expressway-C?
>
> On Fri, Nov 5, 2021, 5:30 PM Jonathan Charles <jonvoip at gmail.com> wrote:
>
> So, I set up activation code MRA for an 8845 (lab first)...
>
> Cloud onboarding worked, got an activation code, tried it out...
>
> Phone kicks back 'check internet connectivity' and the status on the
> phone says:
>
> GDS Handshake Succeeded
>
> A TLS connection failed...
>
> GDS is Cisco's cloud onboarding thingy.... I am assuming it didn't like
> the TLS connection to the expressway, but I don't see anything in the
> Expressway logs...
>
> There is a bug and it says we need to load a Hydrant cert back into the
> trust store...
>
> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt67257?rfs=iqvred
>
> But where do we need to load it? Tomcat Trust? On the Expressways? The bug
> doesn't say... it needs to be pushed to the phone's trust list, how do you
> do that?
>
> Thanks!
>
> Jonathan
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>