Issue with MRA Cisco IP Phones 7800/8800

Hello all,

I have deployed Expressway C-E (8.9) with CUCM 11.5, and I'm trying to register one 8841 from the Internet using the MRA feature. When I try to do the login process on the IP phone, this appears:

"Error: Server certificate validation failed. Contact your administrator" and in the Status messages "Invalid server certificate: expe.domain.com"

Trying to find info about this problem, I found

"For Mobile and Remote Access through Expressway, the Expressway server must be signed against one of these Certificate Authorities"

in this doc:

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/dx/series/ca/CA-Trust-List.docx

I suppose the error appears because our internal CA is not trusted.

Is there any way to register an 8800/7800 phone through the MRA feature without certs signed by these authorities? Usually we manage internal CAs.

Thanks so much!

Accepted Solutions

Jaime Valencia
Cisco Employee

No, if you want to use IP phones over MRA, it's MANDATORY to use a public CA from the ones listed.

HTH

java

if this helps, please rate

Chris, Jaime... Thanks so much for clarifying my doubt!!

So I have public CA certs from DigiCert for my Exp-E, which looks to be on the approved CA list, but I'm still getting the "Server certificate validation failed". I have MRA working fine with all my Jabber clients. Trying to get an 8845 to register via MRA. Any ideas?

Have you compared the fingerprint of your cert against the one listed here?

http://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-phone-8800-series/products-technical-reference-list.html

HTH

java

if this helps, please rate

We have the same issue, and the certificate SHA-1 signature matches; however, the phones do not have the SHA-256 signature in their trusted list. Does anyone have thoughts on how to resolve this issue?

Update on my issue: fixed

TAC was able to pinpoint that it was a device that sits between the VCS-E and the Internet, interjecting our wildcard certificate instead of the correct VCS-E. In a browser he connected to the external VCS-E A record, e.g. "https://expresswaye.yourdomain.com:8443", and saw the incorrect cert being presented, as well as packet captures confirming this.

Once we removed it, it worked fine. Not sure why Jabber worked and not the 8845 phone, not for me to figure out!

Hey Jaime et al.,

Is it still the case that IP Phones won't register over MRA if the systems are using self-signed certs?

IP Phones have the fingerprint/root certs embedded in the firmware already. These cannot be uploaded to the phone manually. You need to ensure that the Expressway-E identity certificate is signed by one of these public CAs only.

From the Mobile and Remote Access Through Cisco Expressway Deployment Guide X12.5

"You cannot modify the root CA trust list on IP Phone 7800/8800 devices. Make sure that the Expressway-E's server certificate is signed by one of the CAs that the devices trust, and that the CA is trusted by the Expressway-C and the Expressway-E."

Does anyone know if this list of trusted CAs (dated 2015, firmware 11.0) has been updated and where it can be found? With the availability of X12.5 and ACME/Let's Encrypt for MRA, this is desperately needed.

Thanks

/David

Hi @d.haeni,

Were you able to answer this question, or did you even try it?
Because I have the same question now and cannot find any helpful or updated info.

thanks,

markus

Sorry @MSchwarzmann, neither was I able to get an answer to my question nor did I test MRA with Let's Encrypt with these phones.
I'm still interested if you have new findings, though.

Thx

/David

Same here, the document is 4 years old. Is there an updated list?

Do I need a certificate from a public CA on both servers, Expressway-E and Expressway-C, or only on Expressway-E?

Thanks

Michael

Only Expressway-E.
