Mailing List Archive

MRA Onboarding via activation code... phone trust list?
So, I set up activation code MRA for an 8845 (lab first)...

Cloud onboarding worked, got an activation code, tried it out...

Phone kicks back 'check internet connectivity' and the status on the
phone says:

GDS Handshake Succeeded
A TLS connection failed...

GDS is Cisco's cloud onboarding thingy.... I am assuming it didn't like the
TLS connection to the Expressway, but I don't see anything in the Expressway
logs...

There is a bug and it says we need to load a Hydrant cert back into the
trust store...
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt67257?rfs=iqvred

But where do we need to load it? Tomcat Trust? On the Expressways? The bug
doesn't say... it needs to be pushed to the phone's trust list, how do you
do that?


Thanks!

Jonathan
Re: MRA Onboarding via activation code... phone trust list? [ In reply to ]
What do the console logs show?

The Expressway needs to be signed by one of the trusted CAs listed that are
part of the phone firmware.

The Expressway cert authenticates the phone with the MIC.

Do you have activation code onboarding enabled under the MRA config on the
Expressway-C?

On Fri, Nov 5, 2021, 5:30 PM Jonathan Charles <jonvoip@gmail.com> wrote:

Re: MRA Onboarding via activation code... phone trust list? [ In reply to ]
On the phone, we see TLS connection failed... the E's cert is signed by
Let's Encrypt...

On the Expressway E we see some certificate exchange and then resets in the
connection...

MRA works fine for Jabber.... just 8845 Activation Code onboarding is
failing...


Jonathan

On Tue, Nov 9, 2021 at 5:57 PM Brian Meade <bmeade90@vt.edu> wrote:

Re: MRA Onboarding via activation code... phone trust list? [ In reply to ]
In the lab, have you tried setting up the phone without MRA and get the firmware uploaded first? Depending on how old the firmware is, you may have issues with onboarding. Our 8861 wouldn’t onboard until at least 12.5.

Matthew Huff | Director of Technical Operations | OTA Management LLC

Office: 914-460-4039
mhuff@ox.com | www.ox.com

From: cisco-voip <cisco-voip-bounces@puck.nether.net> On Behalf Of Jonathan Charles
Sent: Thursday, November 11, 2021 11:10 AM
To: Brian Meade <bmeade90@vt.edu>
Cc: cisco-voip voyp list <cisco-voip@puck.nether.net>
Subject: Re: [cisco-voip] MRA Onboarding via activation code... phone trust list?

Re: MRA Onboarding via activation code... phone trust list? [ In reply to ]
It is running 12.8... it has been locally reg'd before...

On Thu, Nov 11, 2021 at 10:44 AM Matthew Huff <mhuff@ox.com> wrote:

Re: MRA Onboarding via activation code... phone trust list? [ In reply to ]
I wouldn’t put a lot of weight in the status on the phone with the TLS error, I’ve seen that with working phones. Do you have the phone MRA domain set? We have a separate device pool for MRA devices so it can set the time from external NTP sources. If the time on the phone is off, the crypto can fail as well.

Matthew Huff | Director of Technical Operations | OTA Management LLC


From: Jonathan Charles <jonvoip@gmail.com>
Sent: Thursday, November 11, 2021 11:50 AM
To: Matthew Huff <mhuff@ox.com>
Cc: Brian Meade <bmeade90@vt.edu>; cisco-voip voyp list <cisco-voip@puck.nether.net>
Subject: Re: [cisco-voip] MRA Onboarding via activation code... phone trust list?

Re: MRA Onboarding via activation code... phone trust list? [ In reply to ]
Will the phones trust a Let's Encrypt cert?
Jabber works because the OS (Windows/Mac/iOS/Droid) gets updated root CA
certs on a regular basis.
The trusted certs in the phone have to be placed there in the software by
Cisco.
This might be a situation where newer code on a phone is required if the
trusted Root CA (or chain) for Let's Encrypt is missing on the phone.

On Thu, Nov 11, 2021 at 11:27 AM Matthew Huff <mhuff@ox.com> wrote:

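Both hypotheses raised so far (Matthew's "if the time on the phone is off, the crypto can fail" and Brian V's "the trusted Root CA (or chain) for Let's Encrypt is missing on the phone") can be reproduced on a workstation with nothing but the openssl CLI. The script below is an added example; it is not from this thread and not Cisco tooling. It builds a throw-away three-tier PKI standing in for the chain an Expressway-E presents (root -> intermediate -> server cert) and then verifies the server cert the way a TLS client would: the server supplies leaf plus intermediate, the client supplies only its own trust store. The CN values, the hostname expe.example.com and the 30-day validity are assumptions; it needs openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the thread, not Cisco tooling): a lab PKI that stands in
# for the Expressway-E's public chain, plus three verifications that mirror the
# phone's situation. Names, hostname and validity periods are assumptions.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# X.509 extensions for the two CA certificates and for the server (leaf) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:expe.example.com\n' > leaf.ext

# Root: self-signed. Stand-in for the public root the client must already trust.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Lab Root (stand-in for ISRG Root X1)" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile ca.ext -out root.crt 2>/dev/null

# Intermediate: issued by the root. Stand-in for the issuing CA in the served chain.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Lab Intermediate (stand-in for R3)" 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.ext -out int.crt 2>/dev/null

# Server certificate: what the Expressway-E would present to the phone.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=expe.example.com" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

# verify_chain TRUST_STORE [EPOCH_SECONDS]
# Mimics a TLS client: the server sent leaf + intermediate (-untrusted); the client
# contributes only its own trust store (-CAfile; no store at all when TRUST_STORE is "").
# EPOCH_SECONDS, if given, is the client's idea of "now" (-attime).
# Prints "OK" or OpenSSL's reason for the first failure.
verify_chain() {
    store=$1
    when=${2:-}
    set -- -no-CAfile -no-CApath -untrusted int.crt
    if [ -n "$store" ]; then set -- "$@" -CAfile "$store"; fi
    if [ -n "$when" ]; then set -- "$@" -attime "$when"; fi
    if out=$(openssl verify "$@" leaf.crt 2>&1); then
        echo OK
    else
        # Failure output carries lines such as
        #   error 20 at 1 depth lookup: unable to get local issuer certificate
        printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    fi
}

# The phone as reported: the served chain is complete, but the root is not in its trust list.
phone_without_root() { verify_chain ""; }
# After the root (the chain) lands in the client's trust store.
phone_with_root()    { verify_chain root.crt; }
# Same trust store, but the client's clock is 60 days ahead (NTP never synced).
phone_clock_skewed() { verify_chain root.crt "$(( $(date +%s) + 60 * 86400 ))"; }

echo "no root in trust store : $(phone_without_root)"
echo "root in trust store    : $(phone_with_root)"
echo "root present, bad clock: $(phone_clock_skewed)"

# Against a real edge, the served chain is fetched with (MRA's HTTPS port is 8443):
#   openssl s_client -connect <expressway-e-fqdn>:8443 -servername <expressway-e-fqdn> -showcerts </dev/null
```

The three lines of output distinguish the cases the thread is debating: "unable to get local issuer certificate" is the missing-root case, "certificate has expired" (or "certificate is not yet valid") is the clock case, and only a trust store that actually contains the root yields OK. Note that OpenSSL insists on reaching a self-signed anchor unless -partial_chain is given, so a trust store holding only the intermediate is not enough for it; when a chain is uploaded to a trust store, include the root.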
Re: MRA Onboarding via activation code... phone trust list? [ In reply to ]
Yes, they will, the Expressway E was designed around an ACME cert and Let's
Encrypt is super free.

Anyway, I think the issue is between the Expressway and CUCM at this
point... escalating to TAC...


Jonathan

On Thu, Nov 11, 2021 at 4:49 PM Brian V <bvanbens@gmail.com> wrote:

Re: MRA Onboarding via activation code... phone trust list? [ In reply to ]
OK, TAC never responded to me, but I found the solution.... I did a packet
capture from the phone and saw it come back with an invalid CA for the
Let's Encrypt certs... I uploaded the cert chain for Let's Encrypt to
Phone-Edge-Trust on the CCM Publisher and the phone registered.

Phone-Edge-Trust uploads the certs to the Cisco Cloud, so when the phone
gets the activation code it downloads those certs into its trust store.

This cert store is designed for people using their own internal certs, but
my phone was a CP-8845-K9=V03 I got in 2017 and probably predates the Let's
Encrypt CA.... so, if you see TLS error or Invalid CA in the PCAP, it is
worth a shot to upload the E's external cert chain to the Pub.


Jonathan

On Thu, Nov 11, 2021 at 4:57 PM Jonathan Charles <jonvoip@gmail.com> wrote:

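What the "Invalid CA" in a packet capture looks like at the TLS level: the client (the phone, in Jonathan's case) answers the server's Certificate message with a fatal Alert record whose description is unknown_ca (48), which Wireshark labels "Unknown CA". The decoder below is an added example, not from this thread and not Cisco tooling: it takes the raw bytes of one TLS record as you would copy them out of a capture and names the alert. The two sample records are constructed, not taken from the poster's capture, and the tshark command in the comment is the usual way to pull such alerts from a pcap.

```shell
#!/bin/sh
# Added example (not from the thread): decode a TLS record copied from a packet
# capture and name the alert the client sent when it rejected the server cert.
# The sample bytes are constructed, not from the poster's capture.

# Constructed sample: content type 0x15 (Alert), record version 0x0303 (TLS 1.2),
# length 2, level 2 (fatal), description 48 (unknown_ca): "the issuer is not in
# my trust store", i.e. the missing-root case discussed in this thread.
SAMPLE_UNKNOWN_CA="15 03 03 00 02 02 30"
# Constructed sample: description 45 (certificate_expired), what a client with a
# wrong clock can send for a perfectly valid certificate.
SAMPLE_EXPIRED="15 03 03 00 02 02 2d"

# Alert descriptions from the TLS alert registry that matter when debugging
# certificate problems; anything else is reported by number.
alert_description_name() {
    case $1 in
        0)   echo close_notify ;;
        10)  echo unexpected_message ;;
        20)  echo bad_record_mac ;;
        40)  echo handshake_failure ;;
        42)  echo bad_certificate ;;
        43)  echo unsupported_certificate ;;
        44)  echo certificate_revoked ;;
        45)  echo certificate_expired ;;
        46)  echo certificate_unknown ;;
        47)  echo illegal_parameter ;;
        48)  echo unknown_ca ;;
        49)  echo access_denied ;;
        50)  echo decode_error ;;
        51)  echo decrypt_error ;;
        70)  echo protocol_version ;;
        71)  echo insufficient_security ;;
        80)  echo internal_error ;;
        112) echo unrecognized_name ;;
        116) echo certificate_required ;;
        *)   echo "unknown($1)" ;;
    esac
}

# decode_tls_record "<space-separated hex bytes of one TLS record>"
# Prints one line describing the record. Returns 0 for a well-formed Alert,
# 1 for anything else (other content types, truncated or inconsistent records).
decode_tls_record() {
    # shellcheck disable=SC2086
    set -- $1
    [ $# -ge 5 ] || { echo "truncated record header"; return 1; }
    ctype=$((0x$1)); vmaj=$((0x$2)); vmin=$((0x$3))
    len=$(( (0x$4 << 8) | 0x$5 ))
    shift 5
    [ $# -eq "$len" ] || { echo "length field $len does not match $# payload bytes"; return 1; }
    case $ctype in
        20) echo "ChangeCipherSpec"; return 1 ;;
        22) echo "Handshake ($# bytes)"; return 1 ;;
        23) echo "ApplicationData / encrypted record ($# bytes): in TLS 1.3 the alert is inside here"; return 1 ;;
        21) ;;  # Alert: fall through and decode it
        *)  echo "unknown content type $ctype"; return 1 ;;
    esac
    [ "$len" -eq 2 ] || { echo "alert payload should be 2 bytes, got $len"; return 1; }
    level=$((0x$1)); desc=$((0x$2))
    case $level in 1) lvl=warning ;; 2) lvl=fatal ;; *) lvl="level$level" ;; esac
    echo "TLS record v$vmaj.$vmin Alert: $lvl $(alert_description_name "$desc") ($desc)"
}

decode_tls_record "$SAMPLE_UNKNOWN_CA"
decode_tls_record "$SAMPLE_EXPIRED"

# To list the alerts in a real capture instead of pasting bytes:
#   tshark -r phone.pcap -Y 'tls.alert_message' -T fields \
#       -e frame.number -e ip.src -e tls.alert_message.level -e tls.alert_message.desc
```

The source address of the alert tells you which side gave up: an unknown_ca or certificate_expired alert coming from the phone means the phone rejected the Expressway-E's chain, whereas the same alert from the Expressway means the edge rejected what the phone presented. One caveat: in TLS 1.2 the alert sent after the Certificate message is in the clear; in TLS 1.3 it is already encrypted, so the capture only shows an opaque content-type-0x17 record and the decoder can say no more than that.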
Re: MRA Onboarding via activation code... phone trust list? [ In reply to ]
@Jonathan Charles <jonvoip@gmail.com> one very interesting thing you
mentioned:
"Phone-Edge-Trust uploads the certs to the Cisco Cloud, so when the phone
gets the activation code it downloads those certs into its trust store."
Would you happen to know where that is documented, and if so share the link?
I was not aware of that.
So you did NOT need to bring the phone back inside the network to have it
learn about the new Root CA Trust Cert / Chain?
That's cool!

On Wed, Nov 17, 2021 at 8:45 AM Jonathan Charles <jonvoip@gmail.com> wrote:

> OK, TAC never responded to me, but I found the solution.... I did a packet
> capture from the phone and saw it come back with an invalid CA for the
> Let's Encrypt certs... I uploaded the cert chain for Let's Encrypt to
> Phone-Edge-Trust on the CCM Publisher and the phone registered.
>
> Phone-Edge-Trust uploads the certs to the Cisco Cloud, so when the phone
> gets the activation code it downloads those certs into its trust store.
>
> This cert store is designed for people using their own internal certs, but
> my phone was a CP-8845-K9=V03 I got in 2017 and probably predates the Lets
> Encrypt CA.... so, if you see TLS error or Invalid CA in the PCAP, it is
> worth a shot to upload the E's external cert chain to the Pub.
>
>
> Jonathan
>
> On Thu, Nov 11, 2021 at 4:57 PM Jonathan Charles <jonvoip@gmail.com>
> wrote:
>
>> Yes, they will, the Expressway E was designed around an ACME cert and
>> Let's Encrypt is super free.
>>
>> Anyway, I think the issue is between the Expressway and CUCM at this
>> point... escalating to TAc...
>>
>>
>> Jonathan
>>
>> On Thu, Nov 11, 2021 at 4:49 PM Brian V <bvanbens@gmail.com> wrote:
>>
>>> WIll the phones trust a LetsEncrypt cert ?
>>> Jabber works because the OS (Windows/MAC/iOS/Droid) gets updated root CA
>>> certs on a regular basis
>>> The trusted certs in the phone have to be placed there in the software
>>> by Cisco.
>>> This might be a situation where newer code on a phone is required if the
>>> trusted Root CA (or chain) for Lets Encrypt is missing on the phone.
>>>
>>> On Thu, Nov 11, 2021 at 11:27 AM Matthew Huff <mhuff@ox.com> wrote:
>>>
>>>> I wouldn’t put a lot of weight in the status on the phone with the TLS
>>>> error, I’ve seen that with working phones. Do you have the phone MRA domain
>>>> set? We have a separate device pool for MRA devices so it can set the time
>>>> from external NTP sources. If the time on the phone is off, the crypto
>>>> can fail as well.
>>>>
>>>> *Matthew Huff* | Director of Technical Operations | OTA Management LLC
>>>> *Office: 914-460-4039*
>>>> *mhuff@ox.com <mhuff@ox.com> | **www.ox.com <http://www.ox.com>*
>>>>
>>>> *From:* Jonathan Charles <jonvoip@gmail.com>
>>>> *Sent:* Thursday, November 11, 2021 11:50 AM
>>>> *To:* Matthew Huff <mhuff@ox.com>
>>>> *Cc:* Brian Meade <bmeade90@vt.edu>; cisco-voip voyp list <cisco-voip@puck.nether.net>
>>>> *Subject:* Re: [cisco-voip] MRA Onboarding via activation code... phone trust list?
>>>>
>>>> It is running 12.8... it has been locally reg'd before...
>>>>
>>>> On Thu, Nov 11, 2021 at 10:44 AM Matthew Huff <mhuff@ox.com> wrote:
>>>>
>>>> In the lab, have you tried setting up the phone without MRA and get the
>>>> firmware uploaded first? Depending on how old the firmware is, you may have
>>>> issues with onboarding. Our 8861 wouldn’t onboard until at least 12.5.
>>>>
>>>> *From:* cisco-voip <cisco-voip-bounces@puck.nether.net> *On Behalf Of *Jonathan Charles
>>>> *Sent:* Thursday, November 11, 2021 11:10 AM
>>>> *To:* Brian Meade <bmeade90@vt.edu>
>>>> *Cc:* cisco-voip voyp list <cisco-voip@puck.nether.net>
>>>> *Subject:* Re: [cisco-voip] MRA Onboarding via activation code... phone trust list?
>>>>
>>>> On the phone, we see TLS connection failed... the E's cert is signed by
>>>> Let's Encrypt...
>>>>
>>>> On the Expressway E we see some certificate exchange and then resets in
>>>> the connection...
>>>>
>>>> MRA works fine for Jabber.... just 8845 Activation Code onboarding is
>>>> failing...
>>>>
>>>> Jonathan
>>>
Re: MRA Onboarding via activation code... phone trust list? [ In reply to ]
I asked TAC for it and they just sent me the CAPF doco...

However, I found:
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-7/exwy_b_mra-deployment/exwy_m_provisioning-mra-devices.html

[image: image.png]

But it seems to suggest only your internal CA needs to be in there...


Jonathan

On Wed, Nov 17, 2021 at 4:49 PM Brian V <bvanbens@gmail.com> wrote:

> @Jonathan Charles <jonvoip@gmail.com> one very interesting thing you
> mentioned
> " *Phone-Edge-Trust uploads the certs to the Cisco Cloud, so when the
> phone gets the activation code it downloads those certs into its trust
> store.*"
> Would you happen to know where that is documented, and if so share
> the link? I was not aware of that.
> So you did NOT need to bring the phone back inside the network to have it
> learn about the new Root CA Trust Cert / Chain?
> That's cool!
>
> On Wed, Nov 17, 2021 at 8:45 AM Jonathan Charles <jonvoip@gmail.com>
> wrote:
>
>> OK, TAC never responded to me, but I found the solution.... I did a
>> packet capture from the phone and saw it come back with an invalid CA for
>> the Let's Encrypt certs... I uploaded the cert chain for Let's Encrypt to
>> Phone-Edge-Trust on the CCM Publisher and the phone registered.
>>
>> Phone-Edge-Trust uploads the certs to the Cisco Cloud, so when the phone
>> gets the activation code it downloads those certs into its trust store.
>>
>> This cert store is designed for people using their own internal certs,
>> but my phone was a CP-8845-K9=V03 I got in 2017 and probably predates the
>> Let's Encrypt CA.... so, if you see TLS error or Invalid CA in the PCAP, it
>> is worth a shot to upload the E's external cert chain to the Pub.
>>
>>
>> Jonathan
>>
>> On Thu, Nov 11, 2021 at 4:57 PM Jonathan Charles <jonvoip@gmail.com>
>> wrote:
>>
>>> Yes, they will, the Expressway E was designed around an ACME cert and
>>> Let's Encrypt is super free.
>>>
>>> Anyway, I think the issue is between the Expressway and CUCM at this
>>> point... escalating to TAC...
>>>
>>>
>>> Jonathan
>>>>
Re: MRA Onboarding via activation code... phone trust list? [ In reply to ]
I will note that I am seeing EXTREMELY long registration and
re-registration times for the MRA phones... like 10 minutes+

It appears to cycle between downloading TFTP and VPN Not Configured and
then eventually registers...

No errors, just takes forever.


Jonathan

Re: MRA Onboarding via activation code... phone trust list? [ In reply to ]
The phone CA Trust List is part of the phone firmware.

I think this is still the latest:
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cuipph/all_models/ca-list/CA-Trust-List.pdf

I don't see Let's Encrypt in there.

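As an added example (not from the thread and not Cisco code): a small decoder that pulls the fatal TLS alert out of a phone-side packet capture, so the "invalid CA" Jonathan saw (the TLS unknown_ca alert, code 48, which is what a phone sends when the Expressway-E chain does not anchor to anything in its firmware trust list) can be told apart from the clock-skew case Matthew raised (certificate_expired). It assumes a TLS 1.2 or older handshake, where the client's alert is still cleartext, and uses constructed byte strings in place of a real capture.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# Caveat: a TLS 1.3 client encrypts its alerts after ServerHello, so this
# decoder only applies to TLS 1.2 (or older) captures, where the alert the
# phone sends after rejecting the Certificate message is still in the clear.
RECORD_HEADER = struct.Struct("!BHH")  # content type, version, body length
CONTENT_TYPE_ALERT = 21
ALERT_LEVEL_FATAL = 2

# Alert descriptions (RFC 5246 section 7.2.2) that certificate validation can raise.
ALERT_NAMES = {
    42: "bad_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    112: "unrecognized_name",
}

# What each alert most likely means for activation-code MRA onboarding.
DIAGNOSIS = {
    "unknown_ca": ("chain served by Expressway-E does not anchor to a CA in the "
                   "phone trust list; add the chain to Phone-Edge-Trust on the "
                   "CUCM publisher or use a CA the phone firmware already ships with"),
    "certificate_unknown": ("phone rejected the certificate for an unspecified "
                            "reason; check the chain order and SAN entries"),
    "certificate_expired": ("certificate is outside its validity window as the "
                            "phone sees it; check the phone's NTP source and the "
                            "Expressway-E certificate dates"),
    "bad_certificate": ("certificate did not parse or its signature failed; "
                        "re-check the chain Expressway-E is serving"),
    "unrecognized_name": "SNI did not match; check the MRA domain and SAN entries",
}


@dataclass
class TlsAlert:
    level: int
    description: int
    name: str
    diagnosis: str


def parse_tls_records(payload: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Split a TCP payload into (content_type, version, body) TLS records.

    A trailing record whose length field runs past the end of the payload
    (a truncated capture) is dropped rather than misparsed.
    """
    offset = 0
    while offset + RECORD_HEADER.size <= len(payload):
        ctype, version, length = RECORD_HEADER.unpack_from(payload, offset)
        start = offset + RECORD_HEADER.size
        body = payload[start:start + length]
        if len(body) < length:
            break
        yield ctype, version, body
        offset = start + length


def find_fatal_alert(payload: bytes) -> Optional[TlsAlert]:
    """Return the first fatal alert in the payload, or None if there is none.

    Warning-level alerts such as close_notify are skipped: they do not explain
    a failed onboarding, and a clean handshake may legitimately end with one.
    """
    for ctype, _version, body in parse_tls_records(payload):
        if ctype != CONTENT_TYPE_ALERT or len(body) != 2:
            continue
        level, description = body[0], body[1]
        if level != ALERT_LEVEL_FATAL:
            continue
        name = ALERT_NAMES.get(description, f"alert_{description}")
        return TlsAlert(level, description, name,
                        DIAGNOSIS.get(name, "unexpected alert; inspect the full handshake"))
    return None


# Constructed TCP payloads standing in for a phone-side capture. Each starts
# with a minimal handshake record (ServerHelloDone, msg type 14) so the
# decoder is seen skipping non-alert records.
SERVER_HELLO_DONE = b"\x16\x03\x03\x00\x04\x0e\x00\x00\x00"
UNKNOWN_CA_CAPTURE = SERVER_HELLO_DONE + b"\x15\x03\x03\x00\x02\x02\x30"  # fatal, 48
CLOCK_SKEW_CAPTURE = SERVER_HELLO_DONE + b"\x15\x03\x03\x00\x02\x02\x2d"  # fatal, 45
CLEAN_CAPTURE = SERVER_HELLO_DONE + b"\x15\x03\x03\x00\x02\x01\x00"       # warning close_notify
TRUNCATED_CAPTURE = SERVER_HELLO_DONE + b"\x15\x03\x03\x00\x02\x02"       # cut mid-record

if __name__ == "__main__":
    for label, capture in [("unknown CA", UNKNOWN_CA_CAPTURE), ("clock skew", CLOCK_SKEW_CAPTURE),
                           ("clean", CLEAN_CAPTURE), ("truncated", TRUNCATED_CAPTURE)]:
        alert = find_fatal_alert(capture)
        print(f"{label}: {alert.name + ' -> ' + alert.diagnosis if alert else 'no fatal alert'}")
```

On a real capture, feed the function the reassembled TCP payload of the phone-to-Expressway-E stream (for example, exported from Wireshark's Follow TCP Stream) rather than individual packets, so a record split across segments is not misread as truncated.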