Yealink IP Phones W52P not authenticating Asterisk server

Help
1

In Oct 2021 I renewed the certificate for my Asterisk server. While most SIP clients (like Android softphones) were not affected, Yealink IP phones could no longer authenticate the server using SIPS (TLS). There were no error messages anywhere, just offline phones, and this complicated the situation considerably.

Solution: remove the superfluous cross-certificate from fullchain.pem This third certificate confused the phones. They expect only two certificates: the server certificate and the intermediate certificate.

Background info: The Letsencrypt root is actually installed on W52P, hence the general advice that a missing root certificate be the problem was not helpful. However:not all Yealink phones do have the Letsencrypt roots in their firmware, and in some devices this depends on firmware version.

I am posting this here for documentation and because it may help someone.

3 Likes
2

Thanks for the info :slight_smile:

Do you happen to know from which firmware version and onwards Yealink added the ISRG Root X1 root certificate?

1 Like
3

The inclusion of ISRG Root X1 depends not only on firmware version but also on phone model. The documentation on the Yealink website appears to be accurate, e.g. Yealink Support

2 Likes
4

Hi @xrtc welcome to the LE community forum :slight_smile:

And after:

Are the Android softphones still (remaining) unaffected?

5

Yes, removing the third (cross-signed) certificate from fullchain.pem solved the problem for the Yealink phones (model W52P) without creating issues for linphone for android, Linphone | F-Droid - Free and Open Source Android App Repository

I did not test other softphone clients. Now everything works as it did in September 2021.

1 Like
6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.