SHA2 Certificate Upgrade - Issues Registering to Skype for Business

Regular Advisor

Hello,

 

We recently upgraded our internal CA to use SHA2 and added an intermediate cert.

 

We are unable to log in to Skype for Business using the SHA2 cert in our QA environment, which is also using SHA2 certs.  Our clients work fine, but the VVX phones will not register.

I've manually loaded the entire cert chain to the VVX and we are still seeing issues.

 

Has anyone upgraded to SHA2 and introduced an intermediate cert?  Did your VVX phones have issues registering to Skype?  Any advice?

 

We have not updated our Skype OAUTH cert yet because that will update everywhere in our Skype environment.

 

For reference:

 

VVX Software:

UC Software Version 5.4.3.2036

Updater Version 5.6.3.1790

We do have a provisioning server.

 

Any help is greatly appreciated.

 

Thanks

Sean

 

 

Message 1 of 5
Polycom Employee & Community Manager

Re: SHA2 Certificate Upgrade - Issues Registering to Skype for Business

Hello @Sean.Stanley66,

welcome back to the Polycom Community.

SHA2 is supported, but without any logs or, in parallel, a Wireshark trace to see the exchange, we cannot help you on this issue.

 

You can post logs / Wireshark traces here, but for Polycom to help, this needs to come into support.


Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP, Video Endpoint, Skype for Business, PSTN or RPM FAQs.
Message 2 of 5
Regular Advisor

Re: SHA2 Certificate Upgrade - Issues Registering to Skype for Business

Thanks, Steffen.

 

Main log entry that repeats is:

 

0206180411|sip  |4|00|[cert_verify_callback,tcp]:Server certificate verification failed, Untrusted Certificate,error=20
0206180411|sip  |4|00|MakeTlsConnection: SSL_connect error 1
0206180411|sip  |4|00|MakeTlsConnection: connection failed error -1

 

I will open a ticket with support to continue working on this.  I just wasn't sure if someone who has been in this situation could potentially give me a push in the right direction.

 

Thanks

Sean

Message 3 of 5
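A triage sketch for the log excerpt in the post above, added here as an example; it is not code from the thread or from Poly. It assumes the `error=` number is OpenSSL's X509 verify code (the `SSL_connect` in the log suggests an OpenSSL stack), and the function name, field labels and the fourth sample line are constructed for illustration.

```python
import re

# The three lines from the post plus one constructed unrelated line.
SAMPLE_LOG = """\
0206180411|sip  |4|00|[cert_verify_callback,tcp]:Server certificate verification failed, Untrusted Certificate,error=20
0206180411|sip  |4|00|MakeTlsConnection: SSL_connect error 1
0206180411|sip  |4|00|MakeTlsConnection: connection failed error -1
0206180412|app1 |3|00|constructed unrelated line
"""

# OpenSSL X509_V_ERR_* values (x509_vfy.h) that point at chain or trust problems.
VERIFY_ERRORS = {
    2: ("UNABLE_TO_GET_ISSUER_CERT", "issuer of a non-leaf certificate not found"),
    10: ("CERT_HAS_EXPIRED", "a certificate in the chain is past notAfter"),
    18: ("DEPTH_ZERO_SELF_SIGNED_CERT", "server sent a self-signed leaf"),
    19: ("SELF_SIGNED_CERT_IN_CHAIN", "chain builds, but its root is not trusted locally"),
    20: ("UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
         "issuer not found locally: intermediate or root missing on the "
         "device, or the server is not sending the intermediate"),
    21: ("UNABLE_TO_VERIFY_LEAF_SIGNATURE", "no issuer available for the leaf"),
}

# Five pipe-separated fields; the group names below are labels chosen here.
LINE = re.compile(r"^(\d{10})\|([^|]*)\|(\d+)\|(\d+)\|(.*)$")
VERIFY = re.compile(r"cert_verify_callback.*error=(\d+)")

def triage(log_text):
    """Return one finding per verify failure, with follow-on TLS errors counted."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a log record in the expected shape
        stamp, module, _level, _field4, msg = m.groups()
        module = module.strip()
        v = VERIFY.search(msg)
        if v:
            code = int(v.group(1))
            name, hint = VERIFY_ERRORS.get(code, ("UNKNOWN", "see x509_vfy.h"))
            findings.append({"stamp": stamp, "module": module, "code": code,
                             "name": "X509_V_ERR_" + name, "hint": hint,
                             "followups": 0})
        elif (findings and "MakeTlsConnection" in msg
              and (stamp, module) == (findings[-1]["stamp"], findings[-1]["module"])):
            findings[-1]["followups"] += 1  # same handshake, downstream symptom
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["stamp"], f["module"], f["code"], f["name"], "-", f["hint"])
```

Code 20 means the verifier could not locate an issuer in its own trust store, so the things to compare are the chain the server actually sends and the CA certificates installed on the phone.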
Regular Advisor

Re: SHA2 Certificate Upgrade - Issues Registering to Skype for Business

Sean,

We don't use an intermediary with our internal CA.  When we had to renew our internal CA cert we added the new and old CA Cert via config file to all our phones.

 

We added the new one to CA 7 and the old one to CA 5 on the phones; only use CA 7 if you have no older Polycom SIP phones or they have different config files.  So you would have three certs; CA 6 is managed automatically if you have PIN auth set up.

 

Attached JPEG for reference.

 

Message 4 of 5
Polycom Employee & Community Manager

Re: SHA2 Certificate Upgrade - Issues Registering to Skype for Business

Hello @Sean.Stanley66,

Try with these logs:

 

Settings > Logging > Global Settings > Global Log Level Limit > Debug
Settings > Logging > Global Settings > Global Log Level Limit > Log File Size (Kbytes) > VVX pr = 1000 or Trio 10000
Settings > Logging > Module Log Level Limits > SIP > Debug
Settings > Logging > Module Log Level Limits > CURL > Event 1

 

Supply them to support once you have ensured it's not an issue on your end.

 

Best Regards

 

Steffen Baier

Message 5 of 5