Reoccurring certificate warnings on phones
(OP)
This is for an IPO running 11.1.1.0.0 with 9608 desk phones.

We have been having a minor issue at a customer site where their phones will display a warning about an expired certificate. We've tried regenerating (and rebooting) but the error always seems to return. The cert itself isn't showing as expired and I'm running out of ideas as to how to fix this.

I've gone so far as update the 46xxsettings so that it does not display certificate expiration warning messages (this worked for a few months but recently seems to have stopped)


This is the cert in question:


Old photo from a phone with the message:


I'm hoping someone far smarter than me will have idea as to what exactly I've missed to resolve this. Any ideas?

RE: Reoccurring certificate warnings on phones

2
The phone time is year 2023 but the certificate's validity starts in 2024. So from the phone's point of view it is out of the valid time range. Probably no one ever thought of the option that a certificate could begin to be valid in the future and so the message is that it is expired.

Ensure that your IPO has a valid and working time source.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

RE: Reoccurring certificate warnings on phones

I see you have called me? ow that was last year censored

BAZINGA!

I'm not insane, my mother had me tested!

RE: Reoccurring certificate warnings on phones

The post states that it is an older photo so the date may not be the issue.

Dermis and feline can be divorced by manifold methods.*
*(Disclaimer for all advice given)--'Version Dependent'

RE: Reoccurring certificate warnings on phones

(OP)

Quote (derfloh)

The phone time is year 2023 but the certificate's validity starts in 2024. So from the phone's point of view it is out of the valid time range. Probably no one ever thought of the option that a certificate could begin to be valid in the future and so the message is that it is expired.

Ensure that your IPO has a valid and working time source.

That is an old photo - just to show an example of the message. The certificate has been regenerated multiple times since it was taken.

The IPO is using pool.ntp.org as a time service. Time on the phones is always correct to local time.

RE: Reoccurring certificate warnings on phones

"That is an old photo - just to show an example of the message." - Still not a good example. That certificate was within 60-days of expiring, which is within the period when the IP Office starts sending out warnings.

Perhaps you'll share more current information about the current certificate and the current warning.

And more importantly, don't edit the 46xxsettings.txt file, use the 46xxspecials.txt if you really need to change things. Letting the IP Office auto-generate the 46xxsettings.txt file is usually more reliable as the IP Office automatically changes the auto-generated file to match changes in the system configuration.

Stuck in a never ending cycle of file copying.

RE: Reoccurring certificate warnings on phones

(OP)

Quote (sizbut)

Perhaps you'll share more current information about the current certificate and the current warning.

The certificate pictured is current. I'll try and get a current photo of the warning. I work remotely from this IPO so I can't just walk up to a phone myself to get that.

Quote (sizbut)

And more importantly, don't edit the 46xxsettings.txt file, use the 46xxspecials.txt if you really need to change things. Letting the IP Office auto-generate the 46xxsettings.txt file is usually more reliable as the IP Office automatically changes the auto-generated file to match changes in the system configuration.

I realize this, but that was the only way a few months ago I got any progress in getting rid of that warning and was based off of this post.

RE: Reoccurring certificate warnings on phones

(OP)
Here is a current photo of the warning on a phone:


The cert I thought is referenced in it is the one in the original post - which, again, has been regenerated, IPO rebooted and phones rebooted several times now. We first got reports of this issue November last year. In January, I thought I had found a fix adding SET CERT_WARNING_DAYS 0 to 46xxsettings. Phones started having the warning again end of May. The message can be cleared but it comes back. It's not the same phones each time the issue occurs (as in the extensions reported back in November are not the same as the ones reported now) and when it is occurring, the same extensions seem to get the message again and again.

Here is all the trusted cert store:

DigiCert SHA2 - Valid from 2013-03-08 to 2023-03-08
DigiCert - Valid from 2006-11-09 to 2031-11-09
ISRG - Valid from 2015-06-04 to 2035-06-04
GTS R1 - Valid from 2016-06-21 to 2036-06-21
GTS R2 - Valid from 2016-06-21 to 2036-06-21
Entrust - Valid from 2015-10-05 to 2030-12-05
(not pictured) SIP Product Certificate Authority - Valid from 2003-07-24 to 2027-08-07

The only suspicious one to me is the DigiCert SHA2 one, but we didn't start getting reports of this problem until November 2023.

I really am hoping someone can spot the really stupid thing I am overlooking.

RE: Reoccurring certificate warnings on phones

The certificate you are looking for is the self-signed certificate over top of the screen you posted. You see the issuer is your system's MAC address .avaya....

You need to recreate that and then a reboot on the phone should be resolving it until it expires again which depends on your system release.

Joe
FHandw, ACSS, ACIS

https://www.millsidetc.com/

RE: Reoccurring certificate warnings on phones

(OP)
To be clear, do you mean this cert?


Cause I've regenerated that one several times. I must be misunderstanding your advice.

RE: Reoccurring certificate warnings on phones

That is the one I meant. Check the expiry via the view option.
If that is valid then the phones are not grabbing the new certificate.

Joe
FHandw, ACSS, ACIS

https://www.millsidetc.com/

RE: Reoccurring certificate warnings on phones

(OP)
That's showing as valid from 2024-01-07 to 2026-04-11 so I guess the phones aren't grabbing the new certificate, which helps as an understanding of the problem but I'm not sure how to resolve that.

RE: Reoccurring certificate warnings on phones

(OP)
The date of expiration is the same as pictured and previously stated. The serial number on the certificate doesn't match though and I'm not sure why or how to resolve that.

RE: Reoccurring certificate warnings on phones

Just a shot in the dark but, have you tried factory defaulting/clearing the phones?

RE: Reoccurring certificate warnings on phones

(OP)
Not a bad shot in the dark - it's something I've considered as well but haven't done as it seemed like a bit of an extreme solution to a problem that so far has been more annoying and confusing rather than truly detrimental.

I certainly could give that a try.

RE: Reoccurring certificate warnings on phones

We have found if a certificate expires before you update it, the phones will not pick it up, they error out on the old expired certificate and will need defaulting to clear it out. Once they have the old cert cleared out they will pick up the new one.

This also applies if one of the trusted root certificates expires too, you need to make sure they are all up to date before clearing the phones. The DigiCert SHA2 certificate on our system expires in 2030, so I would make sure that is up to date too.

“Some humans would do anything to see if it was possible to do it.
If you put a large switch in some cave somewhere, with a sign on it saying 'End-of-the-World Switch. PLEASE DO NOT TOUCH'.
The paint wouldn't even have time to dry.”

Terry Pratchett
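
An added example, not part of the thread and not Avaya tooling: it audits the validity windows posted above against a device clock, covering the expired, not-yet-valid and 60-day warning cases raised in the replies, and shows how a phone with a wrong clock judges the same certificates differently. The function names and both reference dates are constructed for illustration, and dates are compared at day granularity.

```python
from datetime import date, timedelta

# Validity windows as posted in the thread: the trusted store plus the
# regenerated identity certificate (the label for the latter is ours).
THREAD_CERTS = [
    ("DigiCert SHA2", date(2013, 3, 8), date(2023, 3, 8)),
    ("DigiCert", date(2006, 11, 9), date(2031, 11, 9)),
    ("ISRG", date(2015, 6, 4), date(2035, 6, 4)),
    ("GTS R1", date(2016, 6, 21), date(2036, 6, 21)),
    ("GTS R2", date(2016, 6, 21), date(2036, 6, 21)),
    ("Entrust", date(2015, 10, 5), date(2030, 12, 5)),
    ("SIP Product Certificate Authority", date(2003, 7, 24), date(2027, 8, 7)),
    ("IPO identity (regenerated)", date(2024, 1, 7), date(2026, 4, 11)),
]

def classify(not_before, not_after, clock, warn_days=60):
    """State of one certificate as seen by a device whose clock reads `clock`."""
    if clock < not_before:
        return "not-yet-valid"   # a clock behind notBefore also fails validation
    if clock > not_after:
        return "expired"
    if not_after - clock <= timedelta(days=warn_days):
        return "expiring-soon"   # 60-day warning window mentioned in a reply
    return "ok"

def audit(certs, clock, warn_days=60):
    """Return only the certificates that need attention at `clock`."""
    states = {n: classify(nb, na, clock, warn_days) for n, nb, na in certs}
    return {n: s for n, s in states.items() if s != "ok"}

def clock_disagreements(certs, server_clock, phone_clock, warn_days=60):
    """Certificates the server and a phone would judge differently."""
    out = {}
    for name, nb, na in certs:
        server_view = classify(nb, na, server_clock, warn_days)
        phone_view = classify(nb, na, phone_clock, warn_days)
        if server_view != phone_view:
            out[name] = (server_view, phone_view)
    return out

if __name__ == "__main__":
    today = date(2024, 6, 1)          # constructed reference date
    stale_phone = date(2023, 6, 1)    # constructed: phone clock one year behind
    print(audit(THREAD_CERTS, today))
    print(clock_disagreements(THREAD_CERTS, today, stale_phone))
```
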
