Equinox and certificates


(OP)
Hi

I am trying to set up Equinox using TLS, however certificates are driving me nuts!
I am just a simple telephone engineer and not an IT security guru :)

This is on an IP500, I have the cert from the 500 installed on my PC OK, works fine with Web manager.

When I try to configure Equinox via 46xxsettings.txt it fails with a red triangle and the message 'Failed to parse all certificates'

Could anyone shed any light on this for me please?

Cheers

RE: Equinox and certificates

Is there a 46xxsettings.txt file in your directory?

If so, delete it, and let the system auto-generate a new one.

As long as you have the SIP registrar and other settings set up properly, should be good then.

RE: Equinox and certificates

(OP)
No, I am using the auto generated one with any changes in 46xxspecials.txt (which only relates to making K175 Vantage use TCP instead of TLS)

RE: Equinox and certificates

Buy a UCC cert from Go Daddy and set your SANs (Subject Alternative Names) with your FQDN and SIP domain names. Equinox is quite picky with TLS certs. Wildcards (*.domain type) are not allowed with SIP traffic.

This way you don't need to install anything on the PC, it will 'just work' with the auto gen 46xx.

Just to note though: when using these type of certs there seems to be a major issue with ASBCE not liking them with J100s, which we have out with Avaya currently.

Jamie Green

Avaya Registered Specialist Engineer

RE: Equinox and certificates

(OP)
jamie77 - I was coming to the conclusion that a 3rd party cert was the only way I was going to sort it.
The self signed ones cause no end of bother.

Cheers

RE: Equinox and certificates

Definitely go the UCC SAN cert route. It will work better and is more secure.

Not recommending it but I have got it working with Wildcards. Search this forum and I'm sure you'll find it in one of the J100 or Equinox threads. Works with both (no SBC).

@jamie77 - thanks for the heads up on the TLS and ASBCE - Classic Avaya. Although now there is TLS and encrypted calls we don't deploy SBC's for remote access. We only use them for SIP trunking. We use Sonus (Ribbon).

What kills me was how easy it was to connect a Polycom via TLS to the IP Office when it took me weeks to get it working with Avaya's own products!

ACSS (SME)

RE: Equinox and certificates

That's why we love 'em!! Everything is so easy!!!

Jamie Green

Avaya Registered Specialist Engineer

RE: Equinox and certificates

(OP)
Equinox works OK using TCP, in-house but I get a constant warning triangle that the Contact Service is Unavailable?

RE: Equinox and certificates

I have setup a lot of Equinox with Certs.

It's all in the Knowledge base.

Piece of advice: do not touch the 46xxsettings file, keep it autogenerated unless you have experience with Custom Certs; this is not needed in this case.

RE: Equinox and certificates

(OP)
Hi Folks

I have a Go daddy UCC cert set with the FQDN and SIP domain.
I have it set in the IPO and if I browse to the URL for Web Manager I get a padlock and the browser reports it's all OK.

Equinox still doesn't like it. The 46xxsettings is auto gen, do I need to save the cert as WebRootCA.pem and upload it somewhere?
Any tips?
It's driving me nuts!

Cheers!

RE: Equinox and certificates

(OP)
I should add that I am having problems with the mobile app on Android.
The desktop app in-house seems fine with the new cert.

RE: Equinox and certificates

"do I need to save the cert as WebRootCA.pem and upload it somewhere?"

Yes, to System > Primary folder.

Double check the .PEM file here to make sure you have the right one

Link

ACSS (SME)

RE: Equinox and certificates

(OP)
Hmm, same issue.

Strangely if I look at the certificates in Web Manager using Chrome I see The Certificate.
If I use IE I do not.

I exported the cert via Chrome Web manager

RE: Equinox and certificates

Did you upload the intermediate certificate?

ACSS (SME)

RE: Equinox and certificates

(OP)
I got back from Go Daddy our actual cert and a bundle cert which I assume includes the intermediate and Go Daddy root CA cert?
Can't upload the bundle though, says it's an invalid certificate.
I have our cert set in the IPO and the Go Daddy root CA, although not sure I should need that?

Would I upload the intermediate to the trusted certificate store?

RE: Equinox and certificates

(OP)
I have this

RE: Equinox and certificates

You usually need to enable "Offer ID Certificate Chain".

"Trying is the first step to failure..." - Homer

RE: Equinox and certificates

(OP)
I enabled Offer ID Certificate Chain (Via Manager Security, Web manager would not let me do it)

Now the error on Equinox has changed from saying there is a problem with the certificate to 'Configuration Parsing Error'
(I am setting up via the 46xxsettings.txt file.)
Progress?

RE: Equinox and certificates

I don't get how you exported the Cert from Chrome.

You should have a PFX cert with the certificate and the intermediate that you import through the web interface.

"Trying is the first step to failure..." - Homer

RE: Equinox and certificates

Go Daddy will give you your ID Cert, a key file and the CA/Root Bundle (gd-bundle-g2-g1.crt). Put all these together as a .P12 and upload in to the IPO. It will put everything in the right places for you.

Jamie Green

Avaya Registered Specialist Engineer
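
The checks discussed in this thread (SAN entries for the FQDN and SIP domain with no wildcard, a key that matches the ID cert, a bundle that completes the chain) followed by the .P12 build, as an added example that is not part of any post above. It assumes OpenSSL 1.1.1 or later; all function names, file names, host names and the passphrase are constructed placeholders, and `make_constructed_pki` only produces throwaway test files to try the checks offline.

```shell
#!/bin/sh
# Constructed throwaway CA + ID cert so the checks can be tried offline.
make_constructed_pki() {  # $1 = directory, $2.. = DNS names for the SAN list
  d=$1; shift
  san=$(printf 'DNS:%s,' "$@"); san=${san%,}
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/bundle.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$d/id.key" -out "$d/id.csr" 2>/dev/null &&
  printf 'subjectAltName=%s\n' "$san" > "$d/ext.cnf" &&
  openssl x509 -req -in "$d/id.csr" -CA "$d/bundle.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -extfile "$d/ext.cnf" -out "$d/id.crt" 2>/dev/null
}

# List the DNS names in the certificate's Subject Alternative Name extension.
san_names() {  # $1 = certificate (PEM)
  openssl x509 -in "$1" -noout -ext subjectAltName | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only if every required name is an exact SAN entry and no entry is a wildcard.
san_ok() {  # $1 = certificate, $2.. = required names (FQDN, SIP domain)
  names=$(san_names "$1"); shift
  case "$names" in *'*'*) echo "wildcard SAN present" >&2; return 1 ;; esac
  for n in "$@"; do
    printf '%s\n' "$names" | grep -qixF "$n" || { echo "missing SAN: $n" >&2; return 1; }
  done
}

# Succeed only if the private key belongs to the certificate (same public key).
key_matches() {  # $1 = certificate, $2 = private key
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

# Verify the cert against the CA bundle, then pack cert + key + bundle into one .P12.
build_p12() {  # $1 = cert, $2 = key, $3 = CA bundle, $4 = output, $5 = passphrase
  key_matches "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 ||
    { echo "certificate does not verify against bundle" >&2; return 1; }
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}

# Number of certificates inside the .P12 (ID cert plus the chain from the bundle).
p12_cert_count() {  # $1 = .P12 file, $2 = passphrase
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Direct use: script.sh <cert> <key> <bundle> <out.p12> <passphrase>
if [ "$#" -eq 5 ]; then build_p12 "$@"; fi
```

A count from `p12_cert_count` that equals one means only the ID cert went into the file and the chain certificates from the bundle are missing.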

RE: Equinox and certificates

(OP)
Hi Jamie

Yes, did that using OpenSSL and the private key on a Linux machine, and the IPO accepted the P12 so I think that's all in place.

RE: Equinox and certificates

(OP)
So I see different things whether I look at the certificates in Chrome, IE or via manager Security settings.
In Manager I get the below.

The highlighted cert is the intermediate I think:-

RE: Equinox and certificates

Looks just like ours, but in a different order. Not sure the order matters though! The one with a blank name is a Go Daddy one too.

Ours is using an auto gen 46xx. Only other thing is SIP domains etc in the LAN settings. Should work like that.

Can you reset Equinox (Settings>Support>Reset Application) and let it load everything again?

Jamie Green

Avaya Registered Specialist Engineer

RE: Equinox and certificates

(OP)
Hi Jamie

Yep, I have reset the app about 400 times :D

I will double check the SIP domains in the IPO but if I need to change I will have to do that tonight due to rebooting.

It's interesting that once I have enabled Offer certificate chain it stopped complaining about the certificate and started complaining about the configuration parsing error.
This is with an auto gen 46xx.
If I set up the app manually it seems to work but I get a red triangle complaining the telephony is not connected even though I can make a call.
Very odd

Thanks for all the help everyone, much appreciated

RE: Equinox and certificates

But this is only the IP Office, don't you need to install the certificate through Platform View so the certificate gets installed on all applications? At least that was the way when implementing One-X or WebRTC.

"Trying is the first step to failure..." - Homer

RE: Equinox and certificates

I did ours via Manager security only.

Jamie Green

Avaya Registered Specialist Engineer

RE: Equinox and certificates

(OP)
I have struggled to upload certificates via Web manager, they often get rejected as invalid certificate.
Also see above about different browsers

RE: Equinox and certificates

(OP)
Hi

Thanks for the post

I tried the SSL checker and it's green ticks all the way :)

I did follow that tutorial, mostly, as we are on an IP500 so I can't SSH to it (that I'm aware of!)
