Phones accessing HTTPS URLs

Version 1
    This document was generated from CDN thread

    Created by: JAMES DEPHILLIP II on 18-03-2013 06:48:25 PM
    Do the phones not support HTTPS URLs? I cannot connect to any HTTPS pages on a 7965 or 9971. HTTP access works just fine and HTTPS access from a PC works without an issue. I would like to use HTTPS for CiscoIPPhoneInput and a few other things in my apps.
    Thanks,
    Jim

    Subject: RE: Phones accessing HTTPS URLs
    Replied by: JAMES DEPHILLIP II on 18-03-2013 06:59:16 PM
    Here is a log capture. Do they not support self-signed certs?
     
    3757: ERR 19:53:10.673705 SECD: EROR:clpSetupSsl: SSL/TLS handshake failed, <192.168.1.100> c:12 s:11
    3758: ERR 19:53:10.674468 SECD: EROR:clpSetupSsl: SSL/TLS setup failed, <192.168.1.100> c:12 s:11
    3759: ERR 19:53:10.675390 SECD: EROR:clpSndStatus: SSL CLNT ERR, srvr<192.168.1.100>
    3760: ERR 19:53:10.676334 SECD: EROR:secErr_errStr:  *** bad err table ***
    3761: ERR 19:53:10.677057 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)
    3762: ERR 19:53:10.677954 SECD: EROR:clpSndStatus: ** SEC-ERR: desc <HTTPS cert failed auth via TVS>

    Subject: RE: Phones accessing HTTPS URLs
    Replied by: Jeffrey Ness on 18-03-2013 09:22:58 PM
    2 gotchas with using Secure Service URLs:

    #1 it tends to not work on port 443 (there is a bug for this, since the Cisco products are Tomcat based they use 8443).
    #2 The error you posted is showing the CUCM servers do not trust your web server's SSL certificate. You need to load the web server certificate into the appropriate phone trust store from the OS Admin side. (Depending on CUCM version you may have to do this on every node in the cluster or it may replicate automatically.) Yes, it does require the public certificate from the WEB SERVER, not the issuing CA certificate. If you are using CTL (secure mode) you will need to re-sign the CTL after loading the certificate.

    Subject: RE: Phones accessing HTTPS URLs
    Replied by: JAMES DEPHILLIP II on 19-03-2013 05:50:01 PM
    I have uploaded the public certificate from the server to CUCM as a phone trust and I am still having issues. Here is a capture from the CUCM TVS debug. Any ideas what is going on? I also tried uploading it to tomcat-trust and phone-sast-trust and it still will not work. I have also rebooted the server (only one in the cluster).
     
    8:08:11.432 |   debug CertificateCTLCache::getCertificateInformation - Looking up the certificate cache using Unique MAP ID : B4A46CAFEA2C8D20;OU=Lab;O=Lab;L=LaPlata;ST=MD;C=U
    18:08:11.432 |<--debug 
    18:08:11.432 |-->debug 
    18:08:11.432 |   debug ERROR:CertificateCTLCache::getCertificateInformation - Cannot find the certificate in the cache
    18:08:11.432 |<--debug 
    18:08:11.432 |-->debug 
    18:08:11.432 |   debug getCertificateInformation(cert) : certificate not found
    18:08:11.432 |<--debug 
    18:08:11.432 |-->debug 
    18:08:11.432 |   debug 13:UNKNOWN:No associated roles found for the certificate in cache
    18:08:11.432 |<--debug 

    Subject: RE: Phones accessing HTTPS URLs
    Replied by: JAMES DEPHILLIP II on 19-03-2013 08:10:43 PM
    I tried that as well and it still does not work. Also I changed it to port 8443. I also tried this on an 8.5.1 and 8.6.2a cluster. I am so lost now on this...

    Subject: RE: Phones accessing HTTPS URLs
    Replied by: Jeffrey Ness on 19-03-2013 07:06:19 PM
    I found on 8.5(1) I needed to have the certificate in the Phone-CTL-Trust store and then when looking at it in the CUCM Administration System > Security > Certificates it shows for the Application Server role.

    Subject: RE: New Message from JAMES DEPHILLIP II in IP Phone Services (IPPS) - IP Ph
    Replied by: Dennis Heim on 19-03-2013 09:30:35 PM
    What store did it need to be added to?

    Dennis Heim | Sr. Unified Collaboration Team Lead
    World Wide Technology | 314.212.1814 | dennis.heim@wwt.com
    “Creating Impact, Ignition & Scalability”

    Subject: RE: Phones accessing HTTPS URLs
    Replied by: JAMES DEPHILLIP II on 19-03-2013 08:24:35 PM
    I notice that the certs loaded for EMCC have a description of Trust Certificate while the one I load from my PHP server shows as Signed Certificate. Any idea why that would be and could that be causing the issue?

    Subject: RE: Phones accessing HTTPS URLs
    Replied by: JAMES DEPHILLIP II on 19-03-2013 09:20:32 PM
    I got it!!! The cert needs to be Version 3!

    Subject: RE: Phones accessing HTTPS URLs
    Replied by: JAMES DEPHILLIP II on 10-08-2013 01:39:03 PM
    It needs to be in the Tomcat trust store. Sorry for the late response; I haven't been keeping up on these forums.
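
The fix reported in the thread was that the web server certificate had to be X.509 Version 3. As an added example (not code from the thread or from Cisco), the Python function below reads the version field of a PEM or DER certificate so it can be checked before upload to a CUCM trust store. The function names are assumptions for illustration, and the sample inputs are constructed DER skeletons, not real certificates.

```python
import base64
import re

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def x509_version(cert: bytes) -> int:
    """Return the X.509 version (1, 2 or 3) of a PEM or DER certificate."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  cert, re.S)
    der = base64.b64decode(m.group(1)) if m else cert
    tag, start, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, start, _ = _read_tlv(der, start)    # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, vstart, _ = _read_tlv(der, start)   # first field of tbsCertificate
    if tag != 0xA0:                          # no [0] EXPLICIT version => DEFAULT v1
        return 1
    tag, istart, iend = _read_tlv(der, vstart)
    if tag != 0x02:                          # version must be an INTEGER
        raise ValueError("malformed version field")
    return int.from_bytes(der[istart:iend], "big") + 1   # encoded 0/1/2 => v1/v2/v3

def _der(tag, body):
    """Encode one short-form DER element (constructed samples are < 128 bytes)."""
    return bytes([tag, len(body)]) + body

# Constructed samples: only the leading tbsCertificate fields, no signature.
_SERIAL = _der(0x02, b"\x01")
SAMPLE_V1 = _der(0x30, _der(0x30, _SERIAL))                  # version field absent
SAMPLE_V3 = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _SERIAL))
SAMPLE_V3_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_V3)
                 + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name in ("SAMPLE_V1", "SAMPLE_V3", "SAMPLE_V3_PEM"):
        print(name, "-> X.509 v%d" % x509_version(globals()[name]))
```

For a real certificate, pass the file contents read in binary mode; a result of 1 means the certificate carries no extensions block and would need to be reissued as Version 3.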