Solved: VVX-250 rejecting CA certificate chain

Unk0wn1 · ‎06-24-2020

Hello;

I have VVX phones (purchased through a**zon.com, so not supported)

My VIOP Provider is using metaswitch, and when I purchased and set up these phones, ZTP worked fine and I could update configurations and Provision new phones. Sometime in May, ZTP started failing because my phones were rejecting the CA cert or chain.

here is a snip of the log from my phone, can anyone make sense of this: [SCRUBBED DATA in Brackets]

0624143042|curl |3|00|Connected to [myprovider.tftpserver.com] ([XXX.XXX.XXX.XXX]) port 443 (#0)
0624143042|curl |3|00|successfully set certificate verify locations:
0624143042|curl |3|00| CAfile: /ffs0/ca1.crt
CApath: none
0624143042|curl |3|00|SSLv3, TLS Unknown, Unknown (22):
0624143042|curl |0|00|SSL DATA_OUT: Data of len 5 not displayed
0624143042|curl |3|00|SSLv3, TLS handshake, Client hello (1):
0624143042|curl |0|00|SSL DATA_OUT: Data of len 212 not displayed
0624143042|curl |3|00|SSLv2, Unknown (22):
0624143042|curl |0|00|SSL DATA_IN: Data of len 5 not displayed
0624143042|curl |3|00|SSLv3, TLS handshake, Server hello (2):
0624143042|curl |0|00|SSL DATA_IN: Data of len 66 not displayed
0624143042|curl |3|00|SSLv2, Unknown (22):
0624143042|curl |0|00|SSL DATA_IN: Data of len 5 not displayed
0624143042|curl |3|00|SSLv3, TLS handshake, CERT (11):
0624143042|curl |0|00|SSL DATA_IN: Data of len 4779 not displayed
0624143042|curl |3|00|SSLv2, Unknown (21):
0624143042|curl |0|00|SSL DATA_OUT: Data of len 5 not displayed
0624143042|curl |3|00|SSLv3, TLS alert, Server hello (2):
0624143042|curl |0|00|SSL DATA_OUT: Data of len 2 not displayed
0624143042|curl |3|00|SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

SteffenBaierUK · ‎06-25-2020

Hello @Unk0wn1 ,

Your post ended up in the Spam Filter so I moved this here. Please ensure to use Code Tags when posting logs as explained >here<

In addition, as explained >here<:

In order to raise a support ticket, you need to work with your Poly reseller as they may need to do this for you.

End Customers are usually unable to open a ticket directly with Poly support. Available End User Poly services offerings are detailed here

If this is some sort of an Internet discounter providing your MAC address or your Poly devices serial will enable us to look up who would be able to support you. This may not be who you purchased the Poly device from.

The shared logs and the levels used do not show much information but historically the only certificate that expired in May 2020 was the built-in AddTrust/Sectigo.

We discussed this >here< and >here< and >here<

I have attached a configuration that you can download, unzip and import via the Web Interface Utilities > Import & Export Configuration > Import Configuration

Best Regards

Steffen Baier

----------------

If official support is required please check how to phone or open a case here

----------------
The title Poly Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. All posts and words are my own & do not represent the views of Employer.

----------------

⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓SIGNATURE ⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓
Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
Please also ensure you always check the VoIP , Video Endpoint , Microsoft Voice , PSTN or other FAQ's in the different sections

View solution in original post

SteffenBaierUK · ‎06-25-2020

Hello @Unk0wn1 ,

Your post ended up in the Spam Filter so I moved this here. Please ensure to use Code Tags when posting logs as explained >here<

In addition, as explained >here<:

In order to raise a support ticket, you need to work with your Poly reseller as they may need to do this for you.

End Customers are usually unable to open a ticket directly with Poly support. Available End User Poly services offerings are detailed here

If this is some sort of an Internet discounter providing your MAC address or your Poly devices serial will enable us to look up who would be able to support you. This may not be who you purchased the Poly device from.

The shared logs and the levels used do not show much information but historically the only certificate that expired in May 2020 was the built-in AddTrust/Sectigo.

We discussed this >here< and >here< and >here<

I have attached a configuration that you can download, unzip and import via the Web Interface Utilities > Import & Export Configuration > Import Configuration

Best Regards

Steffen Baier

----------------

If official support is required please check how to phone or open a case here

----------------
The title Poly Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. All posts and words are my own & do not represent the views of Employer.

----------------

⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓SIGNATURE ⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓⇓
Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
Please also ensure you always check the VoIP , Video Endpoint , Microsoft Voice , PSTN or other FAQ's in the different sections

VVX-250 rejecting CA certificate chain

VVX-250 rejecting CA certificate chain

Re: VVX-250 rejecting CA certificate chain

Re: VVX-250 rejecting CA certificate chain