cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1277
Views
0
Helpful
4
Replies

Custom Phone XML Service on CUCM 11.5 fails SSL handshake if Let's Encrypt certificate used

jgieske
Cisco Employee
Cisco Employee

I have a custom Phone XML Service running on Dockerized container.  I configured the server to use HTTPS along with a certificate signed by a common CA.  Uploaded the cert chain to my CUCM 11.5, rebooted the CUCM and my 8865 phone.  I open my XML service on my phone, and everything works as expected.

 

Now I change just the certificate to a new one signed by Let's Encrypt.  Uploaded the cert chain to my CUCM 11.5, rebooted the CUCM and my 8865 phone. I open my XML service, and I immediately get "Host not found":

 

5982 NOT Oct 12 13:35:30.993126 (337:1255) SECUREAPP-VALIDATE_CERT - Certificate issuer = C=US;O=Let's Encrypt;CN=Let's Encrypt Authority X3
5983 ERR Oct 12 13:35:30.993178 (337:1255) SECUREAPP-No match found in trust list against the item
5984 NOT Oct 12 13:35:32.252737 (337:974) SECUREAPP-Sec SSL Connection - Handshake successful.
5985 NOT Oct 12 13:35:32.253294 (337:974) SECUREAPP-TVS process request - Successfully sent the TVS request to TVS server, bytes written : 1417
5986 WRN Oct 12 13:35:32.315885 (337:974) SECUREAPP-TVS cache ttl value missing from resp data - setting to default
5987 NOT Oct 12 13:35:32.316549 (337:974) SECUREAPP-Sec SSL Close Connection successful.
5988 ERR Oct 12 13:35:32.754614 (337:1255) SECUREAPP-TVS Cert Validation - provider returned NULL response
5989 ERR Oct 12 13:35:32.754668 (337:1255) SECUREAPP-Failed to validate cert using TVS
5990 INF Oct 12 13:35:32.796201 (452:639) JAVA-SSL session setup Cert Verification - Certificate validation helper plugin returned.
5991 ERR Oct 12 13:35:32.796250 (452:639) JAVA-SSL session setup Cert Verification - Certificate is invalid.
5992 DEB Oct 12 13:35:32.796269 (452:639) JAVA-SSL session setup Cert Verification - returning validation result = 0
5993 ERR Oct 12 13:35:32.796732 (452:639) JAVA-Sec SSL Connection - Handshake failed.

The new cert chain looks like this:

  • DST Root CA X3
    • Let's Encrypt Authority X3
      • my.server

I've installed all of these certificates as "tomcat-trust" in CUCM OS Administration -> Security -> Certificate Management -> Upload Certificate, just like I did for the other CA's cert chain.  The only thing I can think of is possibly CUCM (11.5.1.10000-6) is getting confused by the presence of the apostrophe in the certificate Issuer's CN? 

 

Has anyone else been able to use Let's Encrypt with a Phone XML Service?

4 Replies 4

I think the problem is that your phones does not have the Let’s Encrypt public CA in their trust store for CAs. AFAIK there is no way to modify this on the phones as this comes pre-populated by Cisco in the firmware. You need to make sure you use a CA for your certificate(s) that are in the list on your phones.

There is also the possibly that you don’t have the CA certificate that is used to the cross sign the Let’s Encrypt CA certificates. I don’t remember exactly what CA is used for this, but check out the documentation for use of ACME service for certificate handling on Expressway, it’s mentioned in that.



Response Signature


jgieske
Cisco Employee
Cisco Employee

Roger,

 

Thanks for your reply.  Shouldn't TVS be able to validate the certificate, based upon what you've uploaded to the Certificate Management UI?  That's sort of the whole point of Trust Validation Service, right?

 

Thanks for the tip about cross signed certificates, I hadn't noticed.  When I tried to inspect the "Let's Encrypt Authority X3" intermediate CA cert, I found the Certificate Management UI could not open it (no popup window appears when I click on it), so that is definitely a bug.  In fact, I tried to upload both "Let's Encrypt Authority X3" (signed by DST), and "Let's Encrypt Authority X3" (signed by ISRG) using the Certificate Management UI, and found that it only allows you to upload one (because both certs have the same DN).  I assume either ought to work though, right?

 

Sadly, after rebooting CUCM and my phones, it did not help solve the "host not found" error when launching my IP phone service.  Given the wonky UI behavior, I suspect my use-case might not be supported on this version of CUCM.

 

Can someone with a newer CUCM just try uploading these two certs and see if the UI behaves the same as I described?

From https://letsencrypt.org/certificates/:

Let’s Encrypt Authority X3 (RSA 2048, O = Let's Encrypt, CN = Let's Encrypt Authority X3)

Signed by ISRG Root X1: der, pem, txt

Cross-signed by IdenTrust: der, pem, txt

These are the certs that I ended up needing for the ACME service on Expressway. Possibly might be of some help to you.



Response Signature


Screen shot from the Expressway.

image.png



Response Signature