[cisco-voip] MRA Onboarding via activation code... phone trust list?

Jonathan Charles jonvoip at gmail.com
Wed Nov 17 18:00:20 EST 2021


I asked TAC for it and they just sent me the CAPF doco...

However, I found:
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-7/exwy_b_mra-deployment/exwy_m_provisioning-mra-devices.html

[image: image.png]

But it seems to suggest only your internal CA needs to be in there...


Jonathan

On Wed, Nov 17, 2021 at 4:49 PM Brian V <bvanbens at gmail.com> wrote:

> @Jonathan Charles <jonvoip at gmail.com>  one very interesting thing you
> mentioned
> " *Phone-Edge-Trust uploads the certs to the Cisco Cloud, so when the
> phone gets the activation code it downloads those certs into its trust
> store.*"
> Would you happen to know where that is documented, and if so share
> the link ?  I was not aware of that.
> So you did NOT need to bring the phone back inside the network to have it
> learn about the new Root CA Trust Cert / Chain ?
> that's cool!
>
> On Wed, Nov 17, 2021 at 8:45 AM Jonathan Charles <jonvoip at gmail.com>
> wrote:
>
>> OK, TAC never responded to me, but I found the solution.... I did a
>> packet capture from the phone and saw it come back with an invalid CA for
>> the Let's Encrypt certs... I uploaded the cert chain for Let's Encrypt to
>> Phone-Edge-Trust on the CCM Publisher and the phone registered.
>>
>> Phone-Edge-Trust uploads the certs to the Cisco Cloud, so when the phone
>> gets the activation code it downloads those certs into its trust store.
>>
>> This cert store is designed for people using their own internal certs,
>> but my phone was a CP-8845-K9=V03 I got in 2017 and probably predates the
>> Let's Encrypt CA.... so, if you see TLS error or Invalid CA in the PCAP, it
>> is worth a shot to upload the E's external cert chain to the Pub.
>>
>>
>> Jonathan
>>
>> On Thu, Nov 11, 2021 at 4:57 PM Jonathan Charles <jonvoip at gmail.com>
>> wrote:
>>
>>> Yes, they will, the Expressway E was designed around an ACME cert and
>>> Let's Encrypt is super free.
>>>
>>> Anyway, I think the issue is between the Expressway and CUCM at this
>>> point... escalating to TAC...
>>>
>>>
>>> Jonathan
>>>
>>> On Thu, Nov 11, 2021 at 4:49 PM Brian V <bvanbens at gmail.com> wrote:
>>>
>>>> Will the phones trust a Let's Encrypt cert?
>>>> Jabber works because the OS (Windows/Mac/iOS/Droid) gets updated root
>>>> CA certs on a regular basis.
>>>> The trusted certs in the phone have to be placed there in the software
>>>> by Cisco.
>>>> This might be a situation where newer code on a phone is required if
>>>> the trusted Root CA (or chain) for Let's Encrypt is missing on the phone.
>>>>
>>>> On Thu, Nov 11, 2021 at 11:27 AM Matthew Huff <mhuff at ox.com> wrote:
>>>>
>>>>> I wouldn't put a lot of weight in the status on the phone with the TLS
>>>>> error; I've seen that with working phones. Do you have the phone MRA domain
>>>>> set? We have a separate device pool for MRA devices so it can set the time
>>>>> from external NTP sources. If the time on the phone is off, the
>>>>> crypto can fail as well.
>>>>>
>>>>> *Matthew Huff* | Director of Technical Operations | OTA Management LLC
>>>>>
>>>>> *From:* Jonathan Charles <jonvoip at gmail.com>
>>>>> *Sent:* Thursday, November 11, 2021 11:50 AM
>>>>> *To:* Matthew Huff <mhuff at ox.com>
>>>>> *Cc:* Brian Meade <bmeade90 at vt.edu>; cisco-voip voyp list <
>>>>> cisco-voip at puck.nether.net>
>>>>> *Subject:* Re: [cisco-voip] MRA Onboarding via activation code...
>>>>> phone trust list?
>>>>>
>>>>> It is running 12.8... it has been locally reg'd before...
>>>>>
>>>>> On Thu, Nov 11, 2021 at 10:44 AM Matthew Huff <mhuff at ox.com> wrote:
>>>>>
>>>>> In the lab, have you tried setting up the phone without MRA and get
>>>>> the firmware uploaded first? Depending on how old the firmware is, you may
>>>>> have issues with onboarding. Our 8861 wouldn’t onboard until at least 12.5.
>>>>>
>>>>> *From:* cisco-voip <cisco-voip-bounces at puck.nether.net> *On Behalf Of
>>>>> *Jonathan Charles
>>>>> *Sent:* Thursday, November 11, 2021 11:10 AM
>>>>> *To:* Brian Meade <bmeade90 at vt.edu>
>>>>> *Cc:* cisco-voip voyp list <cisco-voip at puck.nether.net>
>>>>> *Subject:* Re: [cisco-voip] MRA Onboarding via activation code...
>>>>> phone trust list?
>>>>>
>>>>> On the phone, we see TLS connection failed... the E's cert is signed
>>>>> by Let's Encrypt...
>>>>>
>>>>> On the Expressway E we see some certificate exchange and then resets
>>>>> in the connection...
>>>>>
>>>>> MRA works fine for Jabber.... just 8845 Activation Code onboarding is
>>>>> failing...
>>>>>
>>>>> Jonathan
>>>>>
>>>>> On Tue, Nov 9, 2021 at 5:57 PM Brian Meade <bmeade90 at vt.edu> wrote:
>>>>>
>>>>> What do the console logs show?
>>>>>
>>>>> The Expressway needs to be signed by one of the trusted CAs listed
>>>>> that are part of the phone firmware.
>>>>>
>>>>> The Expressway cert authenticates the phone with the MIC.
>>>>>
>>>>> Do you have activation code onboarding enabled under the MRA config on
>>>>> the Expressway-C?
>>>>>
>>>>> On Fri, Nov 5, 2021, 5:30 PM Jonathan Charles <jonvoip at gmail.com>
>>>>> wrote:
>>>>>
>>>>> So, I set up activation code MRA for an 8845 (lab first)...
>>>>>
>>>>> Cloud onboarding worked, got an activation code, tried it out...
>>>>>
>>>>> Phone kicks back 'check internet connectivity' and the status on
>>>>> the phone says:
>>>>>
>>>>> GDS Handshake Succeeded
>>>>> A TLS connection failed...
>>>>>
>>>>> GDS is Cisco's cloud onboarding thingy.... I am assuming it didn't
>>>>> like the TLS connection to the Expressway, but I don't see anything in the
>>>>> Expressway logs...
>>>>>
>>>>> There is a bug and it says we need to load a Hydrant cert back into
>>>>> the trust store...
>>>>> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt67257?rfs=iqvred
>>>>>
>>>>> But where do we need to load it? Tomcat Trust? On the Expressways? The
>>>>> bug doesn't say... it needs to be pushed to the phone's trust list, how do
>>>>> you do that?
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Jonathan
>>>>>
>>>>> _______________________________________________
>>>>> cisco-voip mailing list
>>>>> cisco-voip at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>>>
>>>>