Polycom phone auto provisioning HTTP(s) doesn't work with username/password

Advisor

Hi,

If I select HTTP or HTTPS with the correct username and password fields filled in, then the phone can't retrieve the .cfg file. If I remove the username and password and remove authentication from the web server, then it works. Also, it works fine if I use FTP with the correct username and password.

So, the question is: why won't HTTP/HTTPS work with a web server that requires authentication, with the username and password supplied?

thanks,

dc

Message 1 of 9
Polycom Employee & Community Manager

Re: Polycom phone auto provisioning HTTP(s) doesn't work with username/password

Hello vokocomm,

Welcome back to the Polycom Community.

This is quite a broad statement but you failed to include any software version or what phone this is supposedly affecting.

I would suggest activating syslog, lowering the CURL and COPY log levels on the phone side, and then troubleshooting with the logs from the phone and the server logs.

A Wireshark trace may also show what the issue is.


Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

----------------
The title Polycom Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. My official "day" Job is 3rd Level support at Poly but I am unable to provide official support via the community.

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's
Message 2 of 9
Advisor

Re: Polycom phone auto provisioning HTTP(s) doesn't work with username/password

Steffen,

Thanks for responding.

UC software version 4.04, Polycom phone models are 335 and 550. Neither model works with a UN/PW-enabled HTTPS server that requires authentication.

OK, I will try enabling syslog to see if we can see anything.

thanks.

Message 3 of 9
Advisor

Re: Polycom phone auto provisioning HTTP(s) doesn't work with username/password

Steffen,

Here is the reboot-time syslog (Facility=23, Level=Debug) from phone model 550, UC version 4.0.4. I have valid files on the server, 0004f2ffffff.cfg and 0004f2ffffff-phone.cfg. Can you tell why this phone doesn't go and retrieve those .cfg files?

thanks,

dc


Jan 15 07:14:51 Polycom_0004f2ffffff 0115071451|app1 |*|03|Manual Reboot
Jan 15 07:14:51 Polycom_0004f2ffffff 0115071451|so   |*|03|SoNcasC::procMsg: Client service shutdown complete
Jan 15 07:14:51 Polycom_0004f2ffffff 0115071451|wdog |*|03|Watchdog Expired: tSupObjs
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.908|cfg  |*|03|RT|Do not do DHCP VLAN Discovery.
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.910|cfg  |*|03|RT|   Phone IP address is 192.168.1.17.
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.910|cfg  |*|03|RT|   Subnet mask is 255.255.255.0.
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.910|cfg  |*|03|RT|   Gateway address is 192.168.1.1.
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.910|cfg  |*|03|RT|   DNS server is 192.168.1.1.
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.910|cfg  |*|03|RT|   DNS alternate server is 68.238.96.112.
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.910|cfg  |*|03|RT|   DNS domain is home.
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.910|cfg  |*|03|RT|   GMT offset is 0 seconds.
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.912|dns  |*|03|DNS resolver servers are '192.168.1.1' '68.238.96.112'
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.912|dns  |*|03|DNS resolver search domain is 'home'
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.914|cfg  |*|03|RT|Primary IP changed to 192.168.1.17 subnet mask 255.255.255.0
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.916|cfg  |*|03|RT|cfgRtNetInterfaceUpdate: bfeng -- calling network status callback
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.916|cfg  |*|03|RT|cfgRtNetInterfaceUpdate: bfeng -- calling network status callback
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.924|sys  |*|03|0x957f7580 (tDhcpcStateTask): arp_check: No reply, addr not used
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.934|so   |*|03|Network initialized. Starting network tasks.
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.936|log  |*|03|Install file upload callback for 'so'
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.950|cfg  |5|03|Prm|Parameter reg.x.outboundProxy.port requested type 0 but is of type 2
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.952|cfg  |5|03|Prm|Parameter acd.reg requested type 0 but is of type 2
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.976|app1 |*|03|Ctx [0] Registered [false]
Jan 15 07:06:47 Polycom_0004f2ffffff 000029.054|sip  |*|03|Fast Boot Measurement Point: Ready for Call, uptime: 29.054 sec.
Jan 15 07:06:47 Polycom_0004f2ffffff 000029.234|sip  |4|03|Registration failed User: 42000103, Error Code:403 Forbidden
Jan 15 07:06:49 Polycom_0004f2ffffff 000031.140|cfg  |4|03|Prov|Download of master configuration file failed
Jan 15 07:06:49 Polycom_0004f2ffffff 000031.140|cfg  |4|03|Prov|Trying to boot from existing configuration
Jan 15 07:06:49 Polycom_0004f2ffffff 000031.154|cfg  |4|03|Prov|Not setting device parameters since configuration was not updated.
Jan 15 07:06:49 Polycom_0004f2ffffff 000031.154|cfg  |*|03|Prov|Finished updating configuration
Jan 15 07:06:49 Polycom_0004f2ffffff 000031.754|res  |4|03|[ResFinderC]: Download - Failed to download file Leaf.jpg, errno 0x380003.
Jan 15 07:06:49 Polycom_0004f2ffffff 000031.756|app1 |4|03|Background processing failed: (Leaf.jpg): (pResult->m_result != ResFinderFound): 1.
Jan 15 07:06:49 Polycom_0004f2ffffff 000031.862|log  |4|03|UtilLogC::uploadFifoLog: upload error. protocol 0 result = -1
Jan 15 07:06:50 Polycom_0004f2ffffff 000031.866|log  |4|03|Failed to upload boot log on start up.
Jan 15 07:06:50 Polycom_0004f2ffffff 000032.546|log  |4|03|UtilLogC::uploadFifoLog: upload error. protocol 0 result = -1
Jan 15 07:15:51 Polycom_0004f2ffffff 0115071551|res  |4|03|[ResFinderC]: Download - Failed to download file Sailboat.jpg, errno 0x380003.
Jan 15 07:15:51 Polycom_0004f2ffffff 0115071551|app1 |4|03|Background processing failed: (Sailboat.jpg): (pResult->m_result != ResFinderFound): 1.
Jan 15 07:15:52 Polycom_0004f2ffffff 0115071552|res  |4|03|[ResFinderC]: Download - Failed to download file Beach.jpg, errno 0x380003.
Jan 15 07:15:52 Polycom_0004f2ffffff 0115071552|app1 |4|03|Background processing failed: (Beach.jpg): (pResult->m_result != ResFinderFound): 1.
Jan 15 07:15:53 Polycom_0004f2ffffff 0115071553|res  |4|03|[ResFinderC]: Download - Failed to download file Palm.jpg, errno 0x380003.
Jan 15 07:15:53 Polycom_0004f2ffffff 0115071553|app1 |4|03|Background processing failed: (Palm.jpg): (pResult->m_result != ResFinderFound): 1.
Jan 15 07:15:53 Polycom_0004f2ffffff 0115071553|res  |4|03|[ResFinderC]: Download - Failed to download file Jellyfish.jpg, errno 0x380003.
Jan 15 07:15:53 Polycom_0004f2ffffff 0115071553|app1 |4|03|Background processing failed: (Jellyfish.jpg): (pResult->m_result != ResFinderFound): 1.
Jan 15 07:15:54 Polycom_0004f2ffffff 0115071554|res  |4|03|[ResFinderC]: Download - Failed to download file Mountain.jpg, errno 0x380003.
Jan 15 07:15:54 Polycom_0004f2ffffff 0115071554|app1 |4|03|Background processing failed: (Mountain.jpg): (pResult->m_result != ResFinderFound): 1.

 



Message 4 of 9
Advisor

Re: Polycom phone auto provisioning HTTP(s) doesn't work with username/password

Hi,

I did find the reason why it doesn't pull down the cfg file after increasing the CURL, COPY and CFG debug levels.

Since I set it for HTTPS, it complains that the certificate on our server doesn't match up with the server domain I put in the provisioning path. I used an alias for the name the certificate was issued to, and it doesn't like it. It has to be the server name that the certificate was issued for.

Now the question: can I ignore certificate validation?

thanks,

dc

Message 5 of 9
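The triage step behind the finding above, as an added example that is not part of the original posts: it parses the syslog line format from the boot log posted earlier, collects error-level events, and reports whether any transfer-level detail is present to explain the provisioning failure. Treating levels 4 and above as errors and `curl`/`copy` as the component tags of the transfer modules are assumptions.

```python
import re
from collections import Counter

# Lines copied from the boot log posted earlier in this thread
SAMPLE_LOG = """\
Jan 15 07:06:47 Polycom_0004f2ffffff 000028.934|so   |*|03|Network initialized. Starting network tasks.
Jan 15 07:06:47 Polycom_0004f2ffffff 000029.234|sip  |4|03|Registration failed User: 42000103, Error Code:403 Forbidden
Jan 15 07:06:49 Polycom_0004f2ffffff 000031.140|cfg  |4|03|Prov|Download of master configuration file failed
Jan 15 07:06:49 Polycom_0004f2ffffff 000031.140|cfg  |4|03|Prov|Trying to boot from existing configuration
Jan 15 07:06:49 Polycom_0004f2ffffff 000031.754|res  |4|03|[ResFinderC]: Download - Failed to download file Leaf.jpg, errno 0x380003.
Jan 15 07:06:49 Polycom_0004f2ffffff 000031.862|log  |4|03|UtilLogC::uploadFifoLog: upload error. protocol 0 result = -1
""".splitlines()

# syslog header, then "<stamp>|<component>|<level>|<field>|<message>"
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) (?P<stamp>[\d.]+)"
    r"\|(?P<comp>\w+) *\|(?P<level>[\d*])\|\d+\|(?P<msg>.*)$"
)

def parse_line(line):
    """Split one phone syslog line into its fields; None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(lines, error_level=4, transfer_components=("curl", "copy")):
    """Summarise errors and say whether the transfer modules logged anything.

    error_level and transfer_components are assumptions, not values from the thread.
    """
    events = [e for e in map(parse_line, lines) if e]
    errors = [e for e in events
              if e["level"].isdigit() and int(e["level"]) >= error_level]
    prov_failed = any(
        e["comp"] == "cfg" and e["msg"].startswith("Prov|") and "failed" in e["msg"]
        for e in errors)
    detail = any(e["comp"] in transfer_components for e in events)
    return {
        "errors_by_component": Counter(e["comp"] for e in errors),
        "provisioning_failed": prov_failed,
        "transfer_detail_present": detail,
        # Failure recorded but no transfer detail: the cause is not in this log yet
        "raise_transfer_logging": prov_failed and not detail,
    }
```

On the posted log this reports a provisioning failure with no transfer detail, which is why the certificate mismatch only became visible after the CURL and COPY levels were lowered.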
Valued Contributor

Re: Polycom phone auto provisioning HTTP(s) doesn't work with username/password

Hello vokocomm,

There's a document here which may help you to understand and implement the certificates:

http://support.polycom.com/global/documents/support/technical/products/voice/Device_Certificates_on_...

The way SSL certificates work in general is that they must match the server name, and aliases won't work. You'll probably either need to get a certificate to match the server name, or obtain a wildcard certificate, and then you can have a virtualhost running on the same machine (using a different/additional IP address).

It is possible to use the same IP with multiple SSL virtualhosts, however this is complicated, requires SNI, and I'm not sure if Polycom phones support SNI, see here:

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

Regards,

Simon

Message 6 of 9
Advisor

Re: Polycom phone auto provisioning HTTP(s) doesn't work with username/password

Simon,

Thanks for your response. What you just pointed out was about the certificate on the phone device itself.

What I was trying to ask about was having the phone talk to our HTTPS web server to pull the configuration file. We entered the web server name in the auto provisioning configuration path field, but if the server hostname doesn't match the certificate name, the provisioning connection will fail. I don't know if there is a way to ask the Polycom phone to ignore the certificate validation error and go ahead and pull the configuration file anyway.

thanks

dc

Message 7 of 9
Polycom Employee & Community Manager

Re: Polycom phone auto provisioning HTTP(s) doesn't work with username/password

Hello vokocomm,

The original title of the topic states "doesn't work with username/password".

A username / password is irrelevant as HTTPS utilizes SSL/TLS via a certificate.

  • If the phone is in a factory state and does not have your certificate it will not be able to connect to the HTTPS server.

  • If the phone has been pre-configured with a certificate it will be able to communicate with the HTTPS server as long as the FQDN name or the IP address within the certificate's defined common name matches the real details.

    Polycom does not support wildcard certificates, i.e. *.something.com
    We do however honor the SAN (Subject Alternative Name) field, which can be used to enter multiple hostnames or IP addresses on the same certificate

You could in addition test this:

device.set="1"
device.sec.TLS.prov.strictCertCommonNameValidation.set="1"
device.sec.TLS.prov.strictCertCommonNameValidation="0"

Quote from the Admin Guide:

If set to 1, provisioning always verifies the server certificate for commonName/SubjectAltName match with the server hostname that the phone is trying to connect.


Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

Message 8 of 9
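A pre-deployment check for the name-matching rules described in the reply above, as an added example that is not part of the original posts and not Poly's code: given a provisioning URL and the server certificate's names, it reports whether the host matches the common name or a SAN entry exactly, is covered only by a wildcard entry, or does not match at all. The certificate dictionaries follow the layout returned by Python's `ssl.SSLSocket.getpeercert()`; the hostnames and addresses are constructed sample values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample certificates (getpeercert()-style dicts)
SERVER_CERT = {
    "subject": ((("commonName", "web01.example.com"),),),
    "subjectAltName": (("DNS", "web01.example.com"),
                       ("DNS", "prov.example.com"),
                       ("IP Address", "192.0.2.10")),
}
WILDCARD_CERT = {"subject": ((("commonName", "*.example.com"),),)}

def names_in_cert(cert):
    """Collect lowercase CN/SAN DNS names and parsed SAN IP addresses."""
    names, ips = set(), set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
        elif kind == "IP Address":
            ips.add(ipaddress.ip_address(value))
    return names, ips

def wildcard_covers(pattern, host):
    """True if a '*.domain' pattern would cover host (left-most label only)."""
    return (pattern.startswith("*.") and "." in host
            and host.split(".", 1)[1] == pattern[2:])

def check_provisioning_url(url, cert):
    """Return 'match', 'wildcard-only' or 'mismatch' for the host in url."""
    host = urlsplit(url).hostname  # drops user:password@ and :port, lowercases
    if not host:
        raise ValueError("no host in provisioning URL")
    names, ips = names_in_cert(cert)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP may be listed as a SAN IP entry or written in the common name
        return "match" if addr in ips or host in names else "mismatch"
    if host in names:
        return "match"
    if any(wildcard_covers(n, host) for n in names):
        return "wildcard-only"  # the reply above says the phones do not accept these
    return "mismatch"
```

A `mismatch` for an alias such as the one described earlier in the thread is fixed by adding that name to the certificate's SAN list or by provisioning against the name the certificate was issued for.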
Occasional Visitor

Re: Polycom phone auto provisioning HTTP(s) doesn't work with username/password

I'm going to resurrect this one and point out the catch 22 here on that last comment.

 

If the device cannot connect to the provisioning server to download its configuration file via HTTPS, then you're going to have a bit of a problem changing the configuration via a config file if you can only serve it via HTTPS.

Message 9 of 9