I have deployed Expressway C-E (8.9) with CUCM 11.5 and I'm trying to register an 8841 from the Internet using the MRA feature. When I try to log in on the IP phone, this appears:
"Error: Server certificate validation failed. Contact your administrator" and in the Status messages "Invalid server certificate: expe.domain.com"
Trying to find info about this problem I found
"For Mobile and Remote Access through Expressway, the Expressway server must be signed against one of these Certificate Authorities"
in this doc:
I suppose the error appears because our internal CA is not trusted.
Is there any way to register an 8800/7800 phone through the MRA feature without certs signed by these authorities? Usually we manage internal CAs.
Thanks so much!
So I have public CA certs from DigiCert for my Exp-E, which looks to be on the approved CA list, but I'm still getting the "Server certificate validation failed". I have MRA working fine with all my Jabber clients. Trying to get an 8845 to register via MRA. Any ideas?
Have you compared the fingerprint of your cert against the one listed here?
We have the same issue, and the certificate sha1 signature matches, however the phones do not have the sha 256 signature in their trusted list. Anyone have thoughts on how to resolve this issue?
Update on my issue: fixed
TAC was able to pinpoint that it was a device that sits between the VCS-E and the Internet, interjecting our wildcard certificate instead of the correct VCS-E. In a browser he connected to the external VCS-E A record ex. "https://expresswaye.yourdomain.com:8443" and saw the incorrect Cert being presented, as well as Packet Captures confirming this.
Once we removed it, it worked fine. Not sure why Jabber worked and not the 8845 phone, not for me to figure out!
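The check described in the post above (looking at which certificate is actually presented on the Expressway-E's external address, and comparing fingerprints), as an added Python example that is not part of the original thread. The function names, the script name and the PEM file name are hypothetical; port 8443 is the one mentioned in the post.

```python
import hashlib
import socket
import ssl
import sys


def fingerprints(der: bytes) -> dict:
    """SHA-1 and SHA-256 fingerprints of a DER-encoded certificate (lowercase hex)."""
    return {"sha1": hashlib.sha1(der).hexdigest(),
            "sha256": hashlib.sha256(der).hexdigest()}


def normalize(fp: str) -> str:
    """Accept 'AA:BB:CC', 'aa bb cc' or plain hex, as copied from a trust list."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def presented_cert(host: str, port: int = 8443, timeout: float = 10.0) -> bytes:
    """Return the leaf certificate (DER) the far end presents, as seen from here.

    Validation is off on purpose: the goal is to inspect whatever is served,
    including a certificate substituted by a device in the path.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(presented_der: bytes, installed_pem: str) -> dict:
    """Compare the presented certificate with the one installed on the Expressway-E."""
    got = fingerprints(presented_der)
    want = fingerprints(ssl.PEM_cert_to_DER_cert(installed_pem))
    return {"match": got == want, "presented": got, "installed": want}


def matches_listed(der: bytes, listed_fp: str) -> bool:
    """True if a fingerprint copied from a list equals this cert's SHA-1 or SHA-256."""
    return normalize(listed_fp) in fingerprints(der).values()


if __name__ == "__main__":
    # Usage (hypothetical names): python check_cert.py expe.example.com expe.pem
    host, pem_path = sys.argv[1], sys.argv[2]
    with open(pem_path) as fh:
        result = compare(presented_cert(host), fh.read())
    print("MATCH" if result["match"] else "MISMATCH: another certificate is being served")
    print("presented sha256:", result["presented"]["sha256"])
    print("installed sha256:", result["installed"]["sha256"])
```

Run it from a network outside the firewall, with a PEM file that contains only the Expressway-E server certificate (no chain).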
"You cannot modify the root CA trust list on IP Phone 7800/8800 devices. Make sure that the Expressway-E's server certificate is signed by one of the CAs that the devices trust, and that the CA is trusted by the Expressway-C and the Expressway-E."
Does anyone know if this list of Trusted CAs (dated 2015, Firmware 11.0) has been updated and where it can be found? With the Availability of X12.5 and ACME/Let's Encrypt for MRA this is desperately needed.
Were you able to answer this question, or did you even try it?
Because I have the same question now and cannot find some helpful or updated info.
Sorry @MSchwarzmann, neither was I able to get an answer to my question nor did I test MRA with LetsEncrypt with these phones.
I'm still interested if you have new findings, though.
Jamie is correct, the cert on the Expressway-E needs to be publicly signed, your Expressway-C and CUCM, IMP, CUC can run internally signed certs.