Yes, they will, the Expressway E was designed around an ACME cert and Let's Encrypt is super free.
Anyway, I think the issue is between the Expressway and CUCM at this point... escalating to TAC...

Jonathan

On Thu, Nov 11, 2021 at 4:49 PM Brian V <bvanb...@gmail.com> wrote:

> Will the phones trust a LetsEncrypt cert ?
> Jabber works because the OS (Windows/MAC/iOS/Droid) gets updated root CA
> certs on a regular basis
> The trusted certs in the phone have to be placed there in the software by
> Cisco.
> This might be a situation where newer code on a phone is required if the
> trusted Root CA (or chain) for Lets Encrypt is missing on the phone.
>
> On Thu, Nov 11, 2021 at 11:27 AM Matthew Huff <mh...@ox.com> wrote:
>
>> I wouldn’t put a lot of weight in the status on the phone with the TLS
>> error, I’ve seen that with working phones. Do you have the phone MRA domain
>> set? We have a separate device pool for MRA devices so it can set the time
>> from external ntp sources. If the time on the phone is off, the crypto
>> can fail as well.
>>
>> *Matthew Huff* | Director of Technical Operations | OTA Management LLC
>> *Office: 914-460-4039*
>> mh...@ox.com | www.ox.com <http://www.ox.com>
>>
>> *From:* Jonathan Charles <jonv...@gmail.com>
>> *Sent:* Thursday, November 11, 2021 11:50 AM
>> *To:* Matthew Huff <mh...@ox.com>
>> *Cc:* Brian Meade <bmead...@vt.edu>; cisco-voip voyp list <cisco-voip@puck.nether.net>
>> *Subject:* Re: [cisco-voip] MRA Onboarding via activation code... phone
>> trust list?
>>
>> It is running 12.8... it has been locally reg'd before...
>>
>> On Thu, Nov 11, 2021 at 10:44 AM Matthew Huff <mh...@ox.com> wrote:
>>
>> In the lab, have you tried setting up the phone without MRA and get the
>> firmware uploaded first? Depending on how old the firmware is, you may have
>> issues with onboarding. Our 8861 wouldn’t onboard until at least 12.5.
>>
>> *From:* cisco-voip <cisco-voip-boun...@puck.nether.net> *On Behalf Of* Jonathan Charles
>> *Sent:* Thursday, November 11, 2021 11:10 AM
>> *To:* Brian Meade <bmead...@vt.edu>
>> *Cc:* cisco-voip voyp list <cisco-voip@puck.nether.net>
>> *Subject:* Re: [cisco-voip] MRA Onboarding via activation code... phone
>> trust list?
>>
>> On the phone, we see TLS connection failed... the E's cert is signed by
>> Let's Encrypt...
>>
>> On the Expressway E we see some certificate exchange and then resets in
>> the connection...
>>
>> MRA works fine for Jabber.... just 8845 Activation Code onboarding is
>> failing...
>>
>> Jonathan
>>
>> On Tue, Nov 9, 2021 at 5:57 PM Brian Meade <bmead...@vt.edu> wrote:
>>
>> What do the console logs show?
>>
>> The Expressway needs to be signed by one of the trusted CAs listed that
>> are part of the phone firmware.
>>
>> The Expressway cert authenticates the phone with the MIC.
>>
>> Do you have activation code onboarding enabled under the MRA config on
>> the Expressway-C?
>>
>> On Fri, Nov 5, 2021, 5:30 PM Jonathan Charles <jonv...@gmail.com> wrote:
>>
>> So, I set up activation code MRA for an 8845 (lab first)...
>>
>> Cloud onboarding worked, got an activation code, tried it out...
>>
>> Phone kicks back 'check internet connectivity' and on the status on the
>> phone says:
>>
>> GDS Handshake Succeeded
>>
>> A TLS connection failed...
>>
>> GDS is Cisco's cloud onboarding thingy.... I am assuming it didn't like
>> the TLS connection to the expressway, but I don't see anything in the
>> Expressway logs...
>>
>> There is a bug and it says we need to load a Hydrant cert back into the
>> trust store...
>>
>> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt67257?rfs=iqvred
>>
>> But where do we need to load it? Tomcat Trust? On the Expressways? The
>> bug doesn't say... it needs to be pushed to the phone's trust list, how do
>> you do that?
>>
>> Thanks!
>>
>> Jonathan
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip