HP Recommended

Good morning,

I am trying to autoprovision the following phone over https, using a server with a non CA signed certificate.

Phone Model SoundStation IP 6000
UC Software Version 4.0.8.1547
BootROM Software Version 5.0.8.0935

I have the following "device.cfg" where I tell the device to ignore the CA validation:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Generated device.cfg Configuration File -->
<polycomConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="polycomConfig.xsd">
  <device device.set="1">
    <device.sec>
      <device.sec.TLS>
        <device.sec.TLS.prov device.sec.TLS.prov.strictCertCommonNameValidation="0">
          <device.sec.TLS.prov.strictCertCommonNameValidation device.sec.TLS.prov.strictCertCommonNameValidation.set="1">
          </device.sec.TLS.prov.strictCertCommonNameValidation>
        </device.sec.TLS.prov>
      </device.sec.TLS>
    </device.sec>
  </device>
</polycomConfig>

I have confirmed by exporting the device config, that the above parameter is set correctly.

However, I get the following error when the phone tries to pick up the sip.cfg over HTTPS:

000015.072|copy |4|2817|SSL_connect error Peer certificate cannot be authenticated with known CA certificates.SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Unsure why this is failing, any ideas?

(PS. I have tried both the FQDN and the IP address over HTTPS and am getting the same error.)

Regards,

Andrei.

5 REPLIES
HP Recommended

Hello Andrei,

welcome to the Polycom Community.

You may want to lower the CFG, CURL and TLS logging level to get a clearer understanding of the issue at hand. In addition, ensure you have an NTP time setup so the phone has a date/time it can verify against.

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

------------------------------------------------
Notice: I am an HP Poly employee but all replies within the community are done as a volunteer outside of my day role. This community forum is not an official HP Poly support resource, thus responses from HP Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
If you need immediate and/or official assistance for former Poly\Plantronics\Polycom please open a service ticket through your support channels
For HP products please check HP Support.

Please also ensure you always check the General VoIP, Video Endpoint, UC Platform (Microsoft), PSTN
HP Recommended

Hi Steffen,

I have done what you requested; here is the sanitized output from the log file, where [MY_PROV_SERVER] is the FQDN and xxx.xxx.xxx.xxx replaces the IP address.

0216142138|cfg  |1|2814|Prov|Starting to download file https://[MY_PROV_SERVER]/polycom/sip.cfg
0216142138|copy |1|2814|Provisioning:Cipher suite = ALL:!DH:!LOW:!EXP:!MD5:@STRENGTH
0216142138|copy |3|2814|'https://PlcmSpIp:****@[MY_PROV_SERVER]/polycom/sip.cfg' from '[MY_PROV_SERVER](xxx.xxx.xxx.xxx)'
0216142138|curl |3|2814|timeout on name lookup is not supported
0216142138|curl |3|2814|About to connect() to [MY_PROV_SERVER] port 443 (#1)
0216142138|curl |3|2814|  Trying xxx.xxx.xxx.xxx... 
0216142138|curl |3|2814|the local port callback returned 0
0216142138|curl |3|2814|Local port: 39827
0216142138|curl |3|2814|Connected to [MY_PROV_SERVER] (xxx.xxx.xxx.xxx) port 443 (#1)
0216142138|curl |3|2814|successfully set certificate verify locations:
0216142138|curl |3|2814|  CAfile: /ffs0/ca1.crt
  CApath: none
0216142138|curl |3|2814|SSLv3, TLS handshake, Client hello (1):
0216142138|curl |3|2814|SSLv3, TLS handshake, Server hello (2):
0216142138|curl |3|2814|SSLv3, TLS handshake, CERT (11):
0216142138|curl |3|2814|SSLv3, TLS alert, Server hello (2):
0216142138|curl |3|2814|SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
0216142138|curl |3|2814|Closing connection #1
0216142138|copy |3|2814|Download of 'polycom/sip.cfg' FAILED on attempt 1 (addr 1 of 1)
0216142138|copy |4|2814|SSL_connect error Peer certificate cannot be authenticated with known CA certificates.SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
0216142138|copy |3|2814|Update of '/ffs0/ConfigNew/sip_cfg.zzz' failed, leaving local copy intact
0216142138|copy |3|2814|Ignoring Server Certificate common Name errors
0216142138|cfg  |1|2814|Prov|File https://[MY_PROV_SERVER]/polycom/sip.cfg has not changed
0216142138|cfg  |4|2814|Prov|Some configuration files could not be obtained, reverting to previous config
0216142139|cfg  |2|2814|Prov|Starting to provision local overrides

Please let me know if there is anything else I can try.

Regards,

Andrei.

HP Recommended

You will need to switch your phone to provision over HTTP (at least once), so that it can retrieve the config file which disables the CA validation, then you can switch it back to HTTPS (or specify the HTTPS URL in the config file).

Otherwise you have a chicken and egg problem.

HP Recommended

Hi Squigley,

I have done that.

My 0000000000000.cfg is downloaded over HTTP; here I specify the config files as device.cfg (in the root dir) and https://xxxxx/sip.cfg.

device.cfg is downloaded OK over HTTP and contains the following:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Generated device.cfg Configuration File -->
<polycomConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="polycomConfig.xsd">
  <device device.set="1">
    <device.sec>
      <device.sec.TLS>
        <device.sec.TLS.prov device.sec.TLS.prov.strictCertCommonNameValidation="0">
          <device.sec.TLS.prov.strictCertCommonNameValidation device.sec.TLS.prov.strictCertCommonNameValidation.set="1">
          </device.sec.TLS.prov.strictCertCommonNameValidation>
        </device.sec.TLS.prov>
      </device.sec.TLS>
    </device.sec>
    <device.sntp device.sntp.gmtOffset="43200" device.sntp.serverName="myntpserver">
      <device.sntp.gmtOffset device.sntp.gmtOffset.set="1">
      </device.sntp.gmtOffset>
      <device.sntp.serverName device.sntp.serverName.set="1">
      </device.sntp.serverName>
    </device.sntp>
  </device>
</polycomConfig>

Once device.cfg is downloaded and applied, it should go to the next config file https://xxxx/sip.cfg and retrieve it OK without CA validation, but this doesn't seem to work as such.

HP Recommended

Hello Grudge,

Traditionally Polycom phones do not accept wildcard Certificates.

In order to work around this we created the strictCertCommonNameValidation parameter, which will only ignore the commonName/SubjectAltName verification on the server certificate in the SIP TLS negotiation.

Could you provide some details about the cert you are trying to use?

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

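The distinction Steffen draws above is exactly what the log Andrei posted shows: the handshake reached the server certificate, chain verification against the phone's CA file failed, and only afterwards did the phone note that common-name errors are ignored. As an added example (not code from the thread, from Polycom or from HP), the Python script below parses that `timestamp|module|level|thread|message` log layout (inferred from the posted lines), folds the prefix-less continuation lines back into their entry, and reports whether the failure is a chain-trust problem, a connectivity problem, or something else, so that the CN-relaxation setting is not mistaken for a fix to an untrusted issuer. The embedded log is a constructed, trimmed copy of the posted lines; `[MY_PROV_SERVER]` is the poster's own placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the curl/copy lines quoted in the thread.
SAMPLE_LOG = """\
0216142138|cfg  |1|2814|Prov|Starting to download file https://[MY_PROV_SERVER]/polycom/sip.cfg
0216142138|curl |3|2814|successfully set certificate verify locations:
0216142138|curl |3|2814|  CAfile: /ffs0/ca1.crt
  CApath: none
0216142138|curl |3|2814|SSLv3, TLS handshake, Client hello (1):
0216142138|curl |3|2814|SSLv3, TLS handshake, Server hello (2):
0216142138|curl |3|2814|SSLv3, TLS handshake, CERT (11):
0216142138|curl |3|2814|SSLv3, TLS alert, Server hello (2):
0216142138|curl |3|2814|SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
0216142138|copy |3|2814|Download of 'polycom/sip.cfg' FAILED on attempt 1 (addr 1 of 1)
0216142138|copy |3|2814|Ignoring Server Certificate common Name errors
"""

# Field layout inferred from the posted lines: timestamp|module|level|thread|message.
LINE_RE = re.compile(
    r"^(?P<ts>[^|\s]+)\|(?P<mod>\w+)\s*\|(?P<lvl>\d)\|(?P<tid>\d+)\|(?P<msg>.*)$")
# OpenSSL error string: error:<8 hex digits>:<library>:<function>:<reason>
OPENSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)")


@dataclass
class LogEntry:
    ts: str
    module: str
    level: int
    thread: str
    message: str  # continuation lines are folded in, newline-separated


def parse_log(text: str) -> List[LogEntry]:
    """Parse phone log lines; lines without the field prefix continue the previous entry."""
    entries: List[LogEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append(LogEntry(m["ts"], m["mod"], int(m["lvl"]), m["tid"], m["msg"]))
        elif entries:
            # "CApath: none" and the OpenSSL "error:..." text carry no prefix.
            entries[-1].message += "\n" + raw.strip()
    return entries


@dataclass
class TlsDiagnosis:
    ca_file: Optional[str] = None              # trust store curl reported using
    server_cert_received: bool = False         # handshake reached CERT (11)
    openssl_error: Optional[Tuple[str, str]] = None  # (hex code, reason text)
    cn_check_relaxed: bool = False             # common-name errors being ignored
    download_failed: bool = False
    verdict: str = ""
    explanation: str = ""


def diagnose(entries: List[LogEntry]) -> TlsDiagnosis:
    """Separate chain-trust failures from hostname relaxation and from non-TLS failures."""
    d = TlsDiagnosis()
    for e in entries:
        msg = e.message
        m = re.search(r"CAfile:\s*(\S+)", msg)
        if m:
            d.ca_file = m.group(1)
        if "TLS handshake, CERT (11)" in msg:
            d.server_cert_received = True
        m = OPENSSL_ERR_RE.search(msg)
        if m:
            d.openssl_error = (m["code"].lower(), m["reason"].strip())
        if "Ignoring Server Certificate common Name errors" in msg:
            d.cn_check_relaxed = True
        if "FAILED on attempt" in msg:
            d.download_failed = True

    if d.openssl_error and d.openssl_error[1] == "certificate verify failed":
        d.verdict = "untrusted-chain"
        d.explanation = ("Server certificate received, but its chain does not lead to a CA in "
                         f"the trust store used ({d.ca_file or 'CAfile not logged'}).")
        if d.cn_check_relaxed:
            d.explanation += (" Common-name checking is relaxed, but that is a separate check "
                              "and does not make an untrusted issuer acceptable.")
    elif d.download_failed and not d.server_cert_received:
        d.verdict = "no-handshake"
        d.explanation = "Download failed before any server certificate arrived; look at reachability, not certificate settings."
    elif d.download_failed:
        d.verdict = "other-failure"
        d.explanation = "Download failed after the certificate was received; inspect the copy/curl messages for a non-TLS cause."
    else:
        d.verdict = "ok"
        d.explanation = "No TLS verification failure found."
    return d


if __name__ == "__main__":
    result = diagnose(parse_log(SAMPLE_LOG))
    print(result.verdict)
    print(result.explanation)
```

Run against the posted log this yields `untrusted-chain`: the phone did receive the certificate, so the failure is not a hostname or connectivity issue but the issuer not being in the trust store curl logged as `/ffs0/ca1.crt`; the later "Ignoring Server Certificate common Name errors" line confirms the CN relaxation was active and simply did not apply to that check.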