So I did not find this until I tested with the certbot cert. In the Yealink’s syslog (level 3 dump), you eventually see this in the log. Looks like it does not trust the X3 cert authority from LE, but as previously shown, it still connects to the web server. Of note, it will not register in this state if you enable TLS for registration in PJSIP.
<131>Jan 16 23:18:50 lbt [1267]: BADT<3+error > Can not find adapter, please plug up.
<131>Jan 16 23:18:55 sua [1286]: NET <3+error > [255] verify error:num=20:unable to get local issuer certificate:depth=0:/CN=tpbx15.bundystl.com
<131>Jan 16 23:18:55 sua [1286]: NET <3+error > [255] X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
<131>Jan 16 23:18:55 sua [1286]: NET <3+error > [255] verify error:num=27:certificate not trusted:depth=0:/CN=tpbx15.bundystl.com
<131>Jan 16 23:18:55 sua [1286]: NET <3+error > [255] X509_V_ERR_CERT_UNTRUSTED issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
<131>Jan 16 23:18:55 sua [1286]: NET <3+error > [255] verify error:num=21:unable to verify the first certificate:depth=0:/CN=tpbx15.bundystl.com
<131>Jan 16 23:18:55 sua [1286]: NET <3+error > [255] X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
<131>Jan 16 23:18:56 sua [1286]: NET <3+error > [255] Failed to verify remote certificate
<131>Jan 16 23:18:56 GUI [1267:1267]: CUIT<3+error > 336.988.442:check passwd err
<131>Jan 16 23:18:57 GUI [1267:1303]: WIND<3+error > 337.180.857:[DCMN]Recode is 404, Request err.
<131>Jan 16 23:18:57 GUI [1267:1303]: WIND<3+error > 337.192.858:[DCMN]download common error, errcode:404.
But even this failure is not in the syslog for the certman-generated certificate. Instead we get an error that the URL is empty. So obviously, something with the certificate is failing to be read, since it has no problem reading an LE cert from the X3 authority.
<131>Jan 17 13:37:49 lbt [1425]: BADT<3+error > Can not find adapter, please plug up.
<131>Jan 17 13:37:55 ATP [1438]: ATP <3+error > Get static config url is empty
Now, as mentioned, the phone pulls the config and other web-related stuff but does not register. Well, let’s see if we can make it trust things. First, if you disable cert checking it will register. This did not help with the certman cert though, and is not something I would ever recommend as a long-term solution.
Turning that setting back on and then uploading the CA bundle into the phone made the error in the phone sys.log go away and let the phone register. Again, this made no difference to the certman cert. It only made the Certbot cert work fully.
You can load it in the config like this. I could have put it in the tftpboot folder also, but I have that folder under version control with git, so I didn’t want a cert that changes randomly in there. Instead I symlinked it from keys (I already have stuff in custom).
sudo -u asterisk ln -s /etc/asterisk/keys/tpbx15.bundystl.com-ca-bundle.crt /var/www/html/custom/tpbx15.bundystl.com-ca-bundle.crt
Then I set up the config file for the phone to have this.
static.trusted_certificates.url = https://tpbx15.bundystl.com/custom/tpbx15.bundystl.com-ca-bundle.crt
static.security.trust_certificates = 1
After the phone reboots and gets the cert, it will reboot again.
But then the sys.log shows this.
<131>Jan 17 00:58:53 lbt [1277]: BADT<3+error > Can not find adapter, please plug up.
<131>Jan 17 00:58:58 sua [1296]: NET <3+error > [255] depth=2:/O=Digital Signature Trust Co./CN=DST Root CA X3
<131>Jan 17 00:58:58 sua [1296]: NET <3+error > [255] depth=1:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
<131>Jan 17 00:58:58 sua [1296]: NET <3+error > [255] depth=0:/CN=tpbx15.bundystl.com
<131>Jan 17 00:58:59 GUI [1277:1315]: WIND<3+error > 339.658.335:[DCMN]Recode is 404, Request err.
<131>Jan 17 00:58:59 GUI [1277:1315]: WIND<3+error > 339.693.589:[DCMN]download common error, errcode:404.
<131>Jan 17 00:59:00 GUI [1277:1277]: CUIT<3+error > 340.061.047:check passwd err
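To see why the phone logged num=20 against the leaf and why the root+intermediate bundle cleared it, the script below (an added example, not anything from the post above) builds a throwaway root CA, intermediate and leaf with openssl and runs `openssl verify` with the same trust stores the phone had. All names and paths are made up; it assumes `openssl` and `mktemp` are on the PATH.

```sh
#!/bin/sh
# Constructed demo: reproduce the phone's X509 verify errors with openssl.
# Hypothetical names only; nothing here is from the original post.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so "req" works without the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\n%s\n%s\n' \
  'basicConstraints = critical,CA:TRUE' \
  'keyUsage = critical,keyCertSign,cRLSign' > "$WORK/req.cnf"

# make_chain: root CA -> intermediate CA -> leaf, the same shape as
# DST Root CA X3 -> Let's Encrypt Authority X3 -> the PBX host in the post.
make_chain() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" -days 2 \
    -subj "/O=Example Trust/CN=Example Root CA" 2>/dev/null
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
    -subj "/O=Example/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/req.cnf" -extensions v3_ca \
    -out "$WORK/inter.crt" 2>/dev/null
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=pbx.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.crt" 2>/dev/null
  # The bundle you would point static.trusted_certificates.url at: root + intermediate.
  cat "$WORK/root.crt" "$WORK/inter.crt" > "$WORK/ca-bundle.crt"
}

# verify_leaf TRUSTSTORE [SERVER_SENT_INTERMEDIATE]
# Prints the X509 verify error number (0 = chain verified); these are the
# same numbers the phone logs as "verify error:num=NN".
verify_leaf() {
  if out=$(openssl verify -CAfile "$1" ${2:+-untrusted $2} "$WORK/leaf.crt" 2>&1); then
    echo 0
  else
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

make_chain
echo "leaf only, phone trusts root only:       error $(verify_leaf "$WORK/root.crt")"
echo "leaf only, phone has root+intermediate:  error $(verify_leaf "$WORK/ca-bundle.crt")"
echo "server sends intermediate, root trusted: error $(verify_leaf "$WORK/root.crt" "$WORK/inter.crt")"
```

The first case is the phone's original state (error 20, unable to get local issuer certificate, at depth 0); the second is the uploaded bundle fix from the post, and the third shows that serving the intermediate alongside the leaf would have made the root alone sufficient.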