Problem installing Yealink plugins

Added by Damien VARICLIER 5 months ago

Hello everyone!

For several days I have been trying to solve a problem with plugin installation.

My source is http://provd.xivo.solutions/plugins/2/stable and when I click to install the plugin, the first part works.
Then, when I am on the page listing the model-specific plugins and I click the +, an error message appears, for example:

T31x-fw a rencontré une erreur durant l'installation

In xivo-provd.log, I have more precise information:

(xivo_fetchfw.download): URLError while downloading 'http://support.yealink.com/forward2download?path=ZIjHOJbWuW/DFrGTLnGyppagPXFxrNqakrENfB5fHR5KuAAyPHwjbhrXlUlgDdkWKxrowL9plusSymbolEf6BhplusSymbolvk9DqQP7XtLVotQ3FfAgTqbpYrjwhVM5pqjTsLmEYglF6EmB28FCLWhbplusSymbolDcWsWq33plusSymbolU46ZYz9AzOyJ8E1m': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)>
2022-07-01 09:13:31,614 [313698] (INFO) (provd.plugins): Error while installating plugin-package T31x-fw: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)>

I forced an update of all the certificates in /etc/ssl/certs and in /usr/share/ca-certificates/, and also installed Yealink's certificate chain directly, but it is no better.

A connection test with curl does not get through.

curl -iv https://support.yealink.com
*   Trying 35.180.104.164:443...
* Connected to support.yealink.com (35.180.104.164) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

With OpenSSL it is no better, using the following command (error 21):

openssl s_client -connect support.yealink.com:443
CONNECTED(00000003)
depth=0 C = CN, ST = \E7\A6\8F\E5\BB\BA\E7\9C\81, L = \E5\8E\A6\E9\97\A8\E5\B8\82, O = "Yealink (Xiamen) Network Technology Co., Ltd.", CN = *.yealink.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = CN, ST = \E7\A6\8F\E5\BB\BA\E7\9C\81, L = \E5\8E\A6\E9\97\A8\E5\B8\82, O = "Yealink (Xiamen) Network Technology Co., Ltd.", CN = *.yealink.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = CN, ST = \E7\A6\8F\E5\BB\BA\E7\9C\81, L = \E5\8E\A6\E9\97\A8\E5\B8\82, O = "Yealink (Xiamen) Network Technology Co., Ltd.", CN = *.yealink.com
verify return:1
---
Certificate chain
 0 s:C = CN, ST = \E7\A6\8F\E5\BB\BA\E7\9C\81, L = \E5\8E\A6\E9\97\A8\E5\B8\82, O = "Yealink (Xiamen) Network Technology Co., Ltd.", CN = *.yealink.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust CN RSA CA G1
---
Server certificate
subject=C = CN, ST = \E7\A6\8F\E5\BB\BA\E7\9C\81, L = \E5\8E\A6\E9\97\A8\E5\B8\82, O = "Yealink (Xiamen) Network Technology Co., Ltd.", CN = *.yealink.com

issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust CN RSA CA G1

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2922 bytes and written 404 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E728FF773E0843FA8BDF3D13F6D894C554221986A7B2F23890DDF204EB06CAA1
    Session-ID-ctx:
    Master-Key: 2D8312AB946D6EC5C9819A5C2E0215E15BCF687DE6B3218F5E11E6CE352D912CC80DD964DD245B31061AA511F6D6F0CC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1656660418
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---

I tried a wget on the direct firmware link, and that does not work any better.

wget http://support.yealink.com/forward2download?path=ZIjHOJbWuW/DFrGTLnGyppagPXFxrNqakrENfB5fHR5KuAAyPHwjbhrXlUlgDdkWKxrowL9plusSymbolEf6BhplusSymbolvk9DqQP7XtLVotQ3FfAgTqbpYrjwhVM5pqjTsLmEYglF6EmB28FCLWhbplusSymbolDcWsWq33plusSymbolU46ZYz9AzOyJ8E1m
--2022-07-01 09:27:51--  http://support.yealink.com/forward2download?path=ZIjHOJbWuW/DFrGTLnGyppagPXFxrNqakrENfB5fHR5KuAAyPHwjbhrXlUlgDdkWKxrowL9plusSymbolEf6BhplusSymbolvk9DqQP7XtLVotQ3FfAgTqbpYrjwhVM5pqjTsLmEYglF6EmB28FCLWhbplusSymbolDcWsWq33plusSymbolU46ZYz9AzOyJ8E1m
Resolving support.yealink.com (support.yealink.com)... 35.180.104.164
Connecting to support.yealink.com (support.yealink.com)|35.180.104.164|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://support.yealink.com/forward2download?path=ZIjHOJbWuW/DFrGTLnGyppagPXFxrNqakrENfB5fHR5KuAAyPHwjbhrXlUlgDdkWKxrowL9plusSymbolEf6BhplusSymbolvk9DqQP7XtLVotQ3FfAgTqbpYrjwhVM5pqjTsLmEYglF6EmB28FCLWhbplusSymbolDcWsWq33plusSymbolU46ZYz9AzOyJ8E1m [following]
--2022-07-01 09:27:51--  https://support.yealink.com/forward2download?path=ZIjHOJbWuW/DFrGTLnGyppagPXFxrNqakrENfB5fHR5KuAAyPHwjbhrXlUlgDdkWKxrowL9plusSymbolEf6BhplusSymbolvk9DqQP7XtLVotQ3FfAgTqbpYrjwhVM5pqjTsLmEYglF6EmB28FCLWhbplusSymbolDcWsWq33plusSymbolU46ZYz9AzOyJ8E1m
Connecting to support.yealink.com (support.yealink.com)|35.180.104.164|:443... connected.
ERROR: The certificate of ‘support.yealink.com’ is not trusted.
ERROR: The certificate of ‘support.yealink.com’ doesn't have a known issuer.

There is clearly a problem with Yealink's certificate when going through the shell, whereas through the browser there is no problem :/
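
As an added example (not part of the original post): the `openssl s_client` output above lists a single entry under "Certificate chain", so the client never receives the issuing CA certificate. The Python below parses that output and reports which issuer the client could not find; the function names are hypothetical and the sample is abridged from the output above.

```python
import re

# Abridged from the `openssl s_client` output quoted in the post above.
SAMPLE = r'''Certificate chain
 0 s:C = CN, ST = \E7\A6\8F\E5\BB\BA\E7\9C\81, L = \E5\8E\A6\E9\97\A8\E5\B8\82, O = "Yealink (Xiamen) Network Technology Co., Ltd.", CN = *.yealink.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust CN RSA CA G1
---
    Verify return code: 21 (unable to verify the first certificate)
'''

def common_name(dn):
    """Extract the CN from an OpenSSL one-line DN; fall back to the whole DN."""
    m = re.search(r"(?:^|, )CN = (.+)$", dn)
    return m.group(1) if m else dn

def sent_chain(output):
    """Return [(subject_cn, issuer_cn), ...] for each certificate the server sent."""
    chain, in_block, subject = [], False, None
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_block = True
        elif in_block and line.startswith("---"):
            break
        elif in_block:
            s = re.match(r"\s*\d+ s:(.*)", line)
            i = re.match(r"\s+i:(.*)", line)
            if s:
                subject = common_name(s.group(1))
            elif i and subject is not None:
                chain.append((subject, common_name(i.group(1))))
                subject = None
    return chain

def diagnose(output):
    """Classify a handshake from the chain the server sent and the verify code."""
    chain = sent_chain(output)
    m = re.search(r"Verify return code: (\d+)", output)
    code = int(m.group(1)) if m else None
    result = {"sent": len(chain), "verify_code": code, "missing_issuer": None}
    if code == 0:
        result["verdict"] = "ok"
    elif chain and code in (20, 21) and chain[-1][0] != chain[-1][1]:
        # 20/21: last cert sent is not self-signed and its issuer was not found
        result["verdict"] = "issuer-not-found"
        result["missing_issuer"] = chain[-1][1]
    else:
        result["verdict"] = "other"
    return result
```

Once the issuing CA certificate is in the local trust store, the same `openssl s_client` command should end with `Verify return code: 0 (ok)`.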


Replies (4)

RE: Problem installing Yealink plugins - Added by Damien VARICLIER 5 months ago

Details of the installation:

ISO Xivo Izar (2022.05.05)
During xivo-upgrade I do get: installed version : 2022.05.07

RE: Problem installing Yealink plugins - Added by Laurent MEILLER 5 months ago

Hello, indeed, Yealink has changed its download conditions... and let's say it is not making our job any easier....

In any case, here is a workaround:

Workaround

Add GeoTrust CN RSA CA G1 certificate

  1. Add certificate

    mkdir -p /usr/local/share/ca-certificates/
    echo "-----BEGIN CERTIFICATE-----
    MIIFGjCCBAKgAwIBAgIQCgRw0Ja8ihLIkKbfgm7sSzANBgkqhkiG9w0BAQsFADBh
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
    QTAeFw0xOTA2MjAxMjI3NThaFw0yOTA2MjAxMjI3NThaMF8xCzAJBgNVBAYTAlVT
    MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
    b20xHjAcBgNVBAMTFUdlb1RydXN0IENOIFJTQSBDQSBHMTCCASIwDQYJKoZIhvcN
    AQEBBQADggEPADCCAQoCggEBALFJ+j1KeZVG4jzgQob23lQ8PJUNhY31ufZihuUx
    hYc6HSU4Lw0fxfA43a9DpJl74M3E6F1ZRBOfJ+dWnaiyYD0PxRIQd4wJisti4Uad
    vz61IYY/oQ/Elxk/X7GFDquYuxCSyBdHtTVMXCxFSvQ2C/7jWZFDfGGKKNoQSiJy
    wDe8iiHbUOakLMmXmOTZyWJnFdR/TH5YNTiMKCNUPHAleG4IigGxDyL/gbwrdDNi
    bDA4lUNhD0xNvPjQ8BNKqm5HWDvirUuHdC+4hpi0GJO34O3iiRV16YmWTuVFNboU
    LDZ0+PQtctJnatpuZKPGyKX6jCpPvzzPw/EhNDlpEdrYHZMCAwEAAaOCAc4wggHK
    MB0GA1UdDgQWBBSRn14xFa4Qn61gwffBzKpINC8MJjAfBgNVHSMEGDAWgBQD3lA1
    VtFMu2bwo+IbG8OXsj3RVTAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYB
    BQUHAwEGCCsGAQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wMQYIKwYBBQUHAQEEJTAj
    MCEGCCsGAQUFBzABhhVodHRwOi8vb2NzcC5kY29jc3AuY24wRAYDVR0fBD0wOzA5
    oDegNYYzaHR0cDovL2NybC5kaWdpY2VydC1jbi5jb20vRGlnaUNlcnRHbG9iYWxS
    b290Q0EuY3JsMIHOBgNVHSAEgcYwgcMwgcAGBFUdIAAwgbcwKAYIKwYBBQUHAgEW
    HGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwgYoGCCsGAQUFBwICMH4MfEFu
    eSB1c2Ugb2YgdGhpcyBDZXJ0aWZpY2F0ZSBjb25zdGl0dXRlcyBhY2NlcHRhbmNl
    IG9mIHRoZSBSZWx5aW5nIFBhcnR5IEFncmVlbWVudCBsb2NhdGVkIGF0IGh0dHBz
    Oi8vd3d3LmRpZ2ljZXJ0LmNvbS9ycGEtdWEwDQYJKoZIhvcNAQELBQADggEBABfg
    eXrxIrtlixBv+KMDeqKxtNJbZiLDzJBkGCd4HI63X5eS6BElJBn6mI9eYVrr7qOL
    Tp7WiO02Sf1Yrpaz/ePSjZ684o89UAGpxOfbgVSMvo/a07n/220jUWLxzaJhQNLu
    lACXwwWsxYf8twP8glkoIHnUUNTlhsyyl1ZzvVC4bDpI4hC6QkJGync1MNqYSMj8
    tZbhQNw3HdSmcTO0Nc/J/pK2VZc6fFbKBgspmzdHc6jMKG2t4lisXEysS3wPcg0a
    Nfr1Odl5+myh3MnMK08f6pTXvduLz+QZiIh8IYL+Z6QWgTZ9e2jnV8juumX1I8Ge
    7cZdtNnTCB8hFfwGLUA=
    -----END CERTIFICATE-----" > /usr/local/share/ca-certificates/geotrust_cn_rsa_ca_g1.crt
    
  2. Update the certificates

    update-ca-certificates
    

Install fw manually

Example for T31:

  1. Go to plugin dir

    cd /var/lib/xivo-provd/plugins/xivo-yealink-v85/

  2. Download with wget (take URL in pkg/pkg.db) and download it in var/cache dir with a name like my-firmware

    wget --no-check-certificate "http://support.yealink.com/forward2download?path=ZIjHOJbWuW/DFrGTLnGyppagPXFxrNqakrENfB5fHR5KuAAyPHwjbhrXlUlgDdkWKxrowL9plusSymbolEf6BhplusSymbolvk9DqQP7XtLVotQ3FfAgTqbpYrjwhVM5pqjTsLmEYglF6EmB28FCLWhbplusSymbolDcWsWq33plusSymbolU46ZYz9AzOyJ8E1m" -O var/cache/my-firmware

  3. Edit pkg/pkg.db and add the key filename: my-firmware in the correct section
  4. Restart provd
  5. In Webi download the firmware

RE: Problem installing Yealink plugins - Added by Damien VARICLIER 5 months ago

Hello,

Thank you for this solution.

Out of curiosity I tried installing only the certificate and restarting the firmware download from the web interface, and it worked the first time.

In this case Yealink unfortunately has not helped make things easier :/

By any chance, is a plugin planned for the W90 and W59R?

Thanks in advance and have a nice day!

Damien.

RE: Problem installing Yealink plugins - Added by Laurent MEILLER 4 months ago

Hello, no, I have no visibility at all regarding plugins; they are increasingly made on request (and billed accordingly). On the product side we are moving more and more towards a full WebRTC approach.

However, on the operations side, there is an attempt to create a "generic" plugin for the phones, so as to at least benefit from the basic features without venturing into the phone's complex features. But there again, no precise date.
