[cisco-voip] MRA Onboarding via activation code... phone trust list?

Jonathan Charles jonvoip at gmail.com
Thu Nov 11 17:57:49 EST 2021


Yes, they will, the Expressway E was designed around an ACME cert and Let's
Encrypt is super free.

Anyway, I think the issue is between the Expressway and CUCM at this
point... escalating to TAC...


Jonathan

On Thu, Nov 11, 2021 at 4:49 PM Brian V <bvanbens at gmail.com> wrote:

> Will the phones trust a LetsEncrypt cert ?
> Jabber works because the OS (Windows/MAC/iOS/Droid) gets updated root CA
> certs on a regular basis
> The trusted certs in the phone have to be placed there in the software by
> Cisco.
> This might be a situation where newer code on a phone is required if the
> trusted Root CA (or chain) for Lets Encrypt is missing on the phone.
>
> On Thu, Nov 11, 2021 at 11:27 AM Matthew Huff <mhuff at ox.com> wrote:
>
>> I wouldn’t put a lot of weight in the status on the phone with the TLS
>> error, I’ve seen that with working phones. Do you have the phone MRA domain
>> set? We have a separate device pool for MRA devices so it can set the time
>> from external ntp sources. If the time on the phone is off, the crypto
>> can fail as well.
>>
>> *Matthew Huff* | Director of Technical Operations | OTA Management LLC
>> *Office: 914-460-4039*
>> *mhuff at ox.com <mhuff at ox.com> | **www.ox.com <http://www.ox.com>*
>>
>> *From:* Jonathan Charles <jonvoip at gmail.com>
>> *Sent:* Thursday, November 11, 2021 11:50 AM
>> *To:* Matthew Huff <mhuff at ox.com>
>> *Cc:* Brian Meade <bmeade90 at vt.edu>; cisco-voip voyp list <
>> cisco-voip at puck.nether.net>
>> *Subject:* Re: [cisco-voip] MRA Onboarding via activation code... phone
>> trust list?
>>
>> It is running 12.8... it has been locally reg'd before...
>>
>> On Thu, Nov 11, 2021 at 10:44 AM Matthew Huff <mhuff at ox.com> wrote:
>>
>> In the lab, have you tried setting up the phone without MRA and get the
>> firmware uploaded first? Depending on how old the firmware is, you may have
>> issues with onboarding. Our 8861 wouldn’t onboard until at least 12.5.
>>
>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> *On Behalf Of* Jonathan Charles
>> *Sent:* Thursday, November 11, 2021 11:10 AM
>> *To:* Brian Meade <bmeade90 at vt.edu>
>> *Cc:* cisco-voip voyp list <cisco-voip at puck.nether.net>
>> *Subject:* Re: [cisco-voip] MRA Onboarding via activation code... phone
>> trust list?
>>
>> On the phone, we see TLS connection failed... the E's cert is signed by
>> Let's Encrypt...
>>
>> On the Expressway E we see some certificate exchange and then resets in
>> the connection...
>>
>> MRA works fine for Jabber.... just 8845 Activation Code onboarding is
>> failing...
>>
>> Jonathan
>>
>> On Tue, Nov 9, 2021 at 5:57 PM Brian Meade <bmeade90 at vt.edu> wrote:
>>
>> What's the console logs show?
>>
>> The Expressway needs to be signed by one of the trusted CAs listed that
>> are part of the phone firmware.
>>
>> The Expressway cert authenticates the phone with the MIC.
>>
>> Do you have activation code onboarding enabled under the MRA config on
>> the Expressway-C?
>>
>> On Fri, Nov 5, 2021, 5:30 PM Jonathan Charles <jonvoip at gmail.com> wrote:
>>
>> So, I set up activation code MRA for an 8845 (lab first)...
>>
>> Cloud onboarding worked, got an activation code, tried it out...
>>
>> Phone kicks back 'check internet connectivity' and on the status on the
>> phone says:
>>
>> GDS Handshake Succeeded
>>
>> A TLS connection failed...
>>
>> GDS is Cisco's cloud onboarding thingy.... I am assuming it didn't like
>> the TLS connection the expressway, but I don't see anything in the
>> Expressway logs...
>>
>> There is a bug and it says we need to load a Hydrant cert back into the
>> trust store...
>>
>> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt67257?rfs=iqvred
>>
>> But where do we need to load it? Tomcat Trust? On the Expressways? The
>> bug doesn't say... it needs to be pushed to the phone's trust list, how do
>> you do that?
>>
>> Thanks!
>>
>> Jonathan
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>