Chain certificate installation

Occasional Advisor

Chain certificate installation

Hello all, I'll just post the phone model and firmware versions below:

 

Phone Model: SoundStation IP 5000

Part Number: 3111-30900-001 Rev:H

UC Software Version: 4.1.1.0731

BootROM Software Version: 5.1.1.0132

 

I'm attempting to connect the phone to our Lync 2010 environment and we use SSL certificates with an intermediate CA; I've been using the following link to import the certificates on the phone using an XML .cfg file:

 

http://blog.schertz.name/2012/11/importing-certificates-polycom-ucs/

 

My question is, in what order do I import the certificate chain - is it something like the below:

 

Application CA 5 = Intermediate certificate

Application CA 6 = root certificate

 

...or is it in a different order?

 

Thanks for any help.

Message 1 of 9
8 REPLIES
Polycom Employee & Community Manager

Re: Chain certificate installation

Hello @Enfield303,

welcome back to the Polycom community.

Some or a couple of your old post(s) or reply(s) to them => here <= are still open / pending as you have not marked these as "Accept as a solution" or at least provided some form of feedback or answer.

If they are in this state nobody finding them via a community search will know if an answer or advice provided was useful and has maybe helped you.

Could you therefore kindly go over them and mark or answer as appropriate?

If they are marked as "Accept as a solution" other users can find these easier and it helps them to utilise the community more efficiently. Please do not simply mark them without any type of feedback.

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

Please be aware:

The purpose of these forums is to allow community members to collaborate and help each other.
Questions posted here do not follow Polycom’s SLA guidelines.
If you require assistance from Polycom technical support, please open a web service request or call us.

The above is necessary in order to track issues internally within Polycom.

You are welcome to post more questions or configuration or logs for other community members to look at but if your issue requires a fix via Polycom you must go via the official support structure.

Please ensure you always check the VoIP, Video Endpoint, Skype for Business, PSTN or RPM FAQs.

Please remember, if you see a post that helped you, and it answers your question, please mark it as an "Accept as Solution".

This forum reply or post is based upon my personal experience and does not reflect the opinion or view of my employer.
Polycom employee participation within this community is not mandatory and any post or FAQ article provided by myself is done either during my working hours or outside working hours, in my private time, and may be answered on weekends, bank holidays or personal holidays.
Message 2 of 9
Polycom Employee & Community Manager

Re: Chain certificate installation

Hello @Enfield303,

 

welcome back to the Polycom Community.


Newer Phones and software can usually extract the Certificate in question from LDAP when signing into Skype for Business and place this automatically into sec.TLS.customCaCert.6.

 

In your case I suggest you use sec.TLS.customCACert.4 for the Root and sec.TLS.customCACert.5 for the intermediate.

 

Your reseller from another case was Scansource so they can open a ticket with Polycom support.


Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

 

Best Regards

 

Steffen Baier

 

Polycom Global Services

Message 3 of 9
Occasional Advisor

Re: Chain certificate installation

Thanks for getting back to me Steffen; we purchased the phone through Insight (https://www.uk.insight.com/en-gb) - I did ask them to open a support ticket with Polycom on our behalf but the upshot was that they told us all they can do is replace the phone, I'm afraid I can't remember the reason why they couldn't open a support ticket.

 

I have imported the certificates and placed them in the application containers as you suggested:

 

Application CA 4 - root certificate

Application CA 5 - sub certificate

 

However I'm still getting TLS connection issues in the logs:

 

000017.362|sip  |*|03|Sip Register Usr:myuser@domain.com Dsp:IT 3730 Auth:'Using Login Cred' Inx:0
000017.372|app1 |4|03|[AppHybridC::procCfgParamChange] unexpected line index=(-1)
000017.394|app1 |4|03|Unexpected Event: State: AppStateMenu, Event: AppEvLclCfgWebServerInitialized
000017.542|utilm|4|03|uBLFCompressed: File /ffs0/local/local-directory_xml.zzz does not exist or is empty
000017.576|utilm|4|03|uBLFCompressed: File /ffs0/local/local-directory_xml.zzz does not exist or is empty
000017.630|cfg  |*|03|Prov|Starting to update 3111-30900-001.sip.ld
000018.882|cfg  |*|03|Prov|Finished updating configuration
000021.482|sip  |*|03|Fast Boot Measurement Point: Ready for Call, uptime: 21.482 sec.
000022.106|sip  |4|03|Server certificate verification failed, Untrusted Cetificate
000022.110|sip  |4|03|MakeTlsConnection: SSL_connect error 1
000022.110|sip  |4|03|MakeTlsConnection: connection failed error -1
000022.898|sip  |4|03|Server certificate verification failed, Untrusted Cetificate
000022.902|sip  |4|03|MakeTlsConnection: SSL_connect error 1
000022.902|sip  |4|03|MakeTlsConnection: connection failed error -1
000022.902|sip  |4|03|Registration failed User: myuser, Error Code:480 Temporarily not available
Message 4 of 9
Polycom Employee & Community Manager

Re: Chain certificate installation

Hello @Enfield303,

 

The FAQ has this post:

 

Jan 17, 2017 Question: How can I troubleshoot simple Skype for Business, LYNC or Office365 issues?

Resolution: Have a look => here <=

 

Briefly looking at your log the phone has not got an NTP time.

 

SIP is not at debug or you would see more details.

 

The other phone came originally from Scansource so I would try them for support.


Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

Message 5 of 9
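Added example, not part of the original thread and not Polycom tooling: a small triage script for the log format quoted above. It assumes, from the two excerpts in this thread, that a `000022.106`-style stamp is seconds since boot (clock not set) and a `1204155326`-style stamp is wall-clock time. It flags a certificate failure that coincides with an unset clock, since X.509 validity checks depend on the current time.

```python
import re

# Sample lines taken from the two log excerpts posted in this thread.
BEFORE_SNTP = """\
000021.482|sip  |*|03|Fast Boot Measurement Point: Ready for Call, uptime: 21.482 sec.
000022.106|sip  |4|03|Server certificate verification failed, Untrusted Cetificate
000022.110|sip  |4|03|MakeTlsConnection: SSL_connect error 1
000022.902|sip  |4|03|Registration failed User: myuser, Error Code:480 Temporarily not available
"""
AFTER_SNTP = """\
1204155326|sip  |5|03|m_nTLSDSKState = TLSDSK_INIT : pNtlmDomain or m_csAuthDomain is NULL
1204155326|sip  |5|03|Unsupported authentication
1204155327|sip  |4|03|Registration failed User: user, Error Code:480 Temporarily not available
"""

LINE = re.compile(r"^(?P<ts>[\d.]+)\|(?P<comp>[^|]*)\|(?P<lvl>[^|]*)\|(?P<seq>[^|]*)\|(?P<msg>.*)$")
UPTIME_TS = re.compile(r"^\d{6}\.\d{3}$")  # assumption: seconds since boot, clock not set
SIGNS = {  # message substrings from the thread's logs -> triage tag
    "Server certificate verification failed": "cert_untrusted",
    "Unsupported authentication": "auth",
    "Registration failed": "registration",
}

def parse(text):
    """Yield one dict per well-formed 'ts|component|level|seq|message' line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield {k: v.strip() for k, v in m.groupdict().items()}

def triage(text):
    events = list(parse(text))
    clock_unset = any(UPTIME_TS.match(e["ts"]) for e in events)
    found = []
    for e in events:
        for needle, tag in SIGNS.items():
            if needle in e["msg"] and tag not in found:
                found.append(tag)
    hints = []
    if clock_unset and "cert_untrusted" in found:
        hints.append("clock not set: fix SNTP before re-checking the CA chain")
    elif "cert_untrusted" in found:
        hints.append("clock is set: check the installed root and intermediate CA")
    if "auth" in found and "cert_untrusted" not in found:
        hints.append("no certificate error logged: failure is in authentication")
    return {"clock_unset": clock_unset, "found": found, "hints": hints}

if __name__ == "__main__":
    for name, log in (("before SNTP", BEFORE_SNTP), ("after SNTP", AFTER_SNTP)):
        print(name, triage(log))
```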
Occasional Visitor

Re: Chain certificate installation

WHERE CAN I ASK A QUESTION / START DISCUSSION PLEASE ??? 

Something wrong with my account ??  (Found no Button to start / ask !!) 

Message 6 of 9
Polycom Employee & Community Manager

Re: Chain certificate installation

Please check https://community.polycom.com/t5/Community-Announcements-and/How-Do-I-Sign-In-and-Post/m-p/10

Message 7 of 9
Occasional Advisor

Re: Chain certificate installation

Thank you Steffen, I've added the SNTP server address which has gotten rid of most of the TLS errors; I'm now seeing the following when entering the domain credentials to connect to Lync:

 

1204155319|so   |4|03|[soRegistrationC] Login Credentials valid causing SoRegEventLine Changed
1204155320|app1 |*|03|SoRegistrationEventLineChanged - success lineIndex 0 RegListSize 0
1204155320|app1 |*|03|SoRegistrationEventLast - new AppRegLineC, szUser = user@domain.com
1204155320|app1 |4|03|[AppHybridC::procCfgParamChange] unexpected line index=(-1)
1204155320|sip  |*|03|Sip UnRegister Usr:SSIP Dsp:SoundStation IP Auth:'' Inx:0
1204155320|sip  |*|03|SipUserRemove: user 0 being removed.
1204155320|sip  |*|03|Sip Register Usr:user@domain.com Dsp:user Auth:'Using Login Cred' Inx:0
1204155326|sip  |*|03|User removed
1204155326|sip  |5|03|m_nTLSDSKState = TLSDSK_INIT : pNtlmDomain or m_csAuthDomain is NULL
1204155326|sip  |5|03|Unsupported authentication
1204155327|sip  |4|03|CTcpSocket::Abandon connected socket. Send Message 0x94e32780
1204155327|cfg  |4|03|RT|SIP is settting Login Credentials to invalid
1204155327|so   |4|03|[soRegistrationC] Login Credentials invalid causing SoRegEventLine Deleted
1204155327|sip  |4|03|Registration failed User: user, Error Code:480 Temporarily not available
1204155327|sip  |4|03|CTcpSocket::TlsListenThread: SSL_get_error Error code=5
1204155327|sip  |4|03|TLS Listen Thread Exit
1204155328|app1 |*|03|SoRegistrationEventLineDeleted - new AppRegLineC, Default user
1204155328|app1 |4|03|[AppHybridC::procCfgParamChange] unexpected line index=(-1)
1204155328|sip  |*|03|Sip UnRegister Usr:user@domain.com Dsp:user Auth:'' Inx:0
1204155328|sip  |*|03|SipUserRemove: user 0 being removed.
1204155328|sip  |*|03|Sip Register Usr:SSIP Dsp:SoundStation IP Auth:'Using Login Cred' Inx:0
1204155333|sip  |*|03|User removed

As you can see from the above it seems to successfully register then it unregisters because of pNtlmDomain or m_csAuthDomain is NULL - I've definitely entered the domain netBIOS name in the phone configuration so I'm not sure why it's complaining about that.

Message 8 of 9
Polycom Employee & Community Manager

Re: Chain certificate installation

Hello @Enfield303,

 

As already stated I cannot provide free support via the community.


End Customers are unable to open a ticket directly with Polycom support.

Your reseller from another case was Scansource so they can open a ticket with Polycom support.


Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

Message 9 of 9