File http://downloads.snom.net/documentation/certs.crt is for SHA1 certificates, and the M215 default certificate is SHA2. Your HTTPS server should trust the Snom SHA2 root certificate (see http://wiki.snom.com/Category:HowTo:TLS#Snom_Root_CA --> Snom root CA (sha2))
Here is my apache configuration as an example:
SSLCACertificateFile "/etc/ssl/crt/ca-256.crt" ---------> File /etc/ssl/crt/ca-256.crt was downloaded from link http://downloads.snom.net/documentation/ca-256.crt.
I hope this helps.
Thank you, Catalina, for trying to help.
I downloaded and configured SHA2 certificate also on server side, but I am still not able to get M215 phones to verify.
Here is my apache configuration:
SSLProtocol all -SSLv2
And here is an error, which server gives during handshake:
[ssl:info] SSL Library Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (SSL alert number 48)
Forgot to mention that
I am not sure if you can add several CA files by using parameter SSLCACertificateFile. Can you try to leave only one line?
(assuming that /etc/ssl/certs/snom_ca-256.crt contains the same file as http://downloads.snom.net/documentation/ca-256.crt)
In your example you have some additional lines that could also affect this, so I would also suggest to remove all the other lines and try the ones that worked for me, meaning something like this (just to exclude other problems):
We're having the same problem; using the 256 certificate as you mentioned unfortunately does not work. We slimmed down our configuration to the most basic stuff that Catalina mentioned, but without any luck.
This is what we see in the webserver logs:
[Fri Nov 09 13:50:33.388903 2018] [ssl:info] [pid 10:tid 139730239294184] [client 172.17.0.1:34864] AH02008: SSL library error 1 in handshake (server 172.17.0.3:9443)
[Fri Nov 09 13:50:33.388979 2018] [ssl:info] [pid 10:tid 139730239294184] SSL Library Error: error:14035418:SSL routines:ACCEPT_SR_CERT:tlsv1 alert unknown ca (SSL alert number 48)
One more problem that can happen is that the M200 rejects the server certificate of your HTTPS server. For example if the HTTPS server has a self-signed certificate or a certificate signed by an unknown CA. You can create a PCAP trace on your HTTP server (with tcpdump for example) or on the M200 (under Servicing -> "Network Trace") and see who sends the TLS alert (the M200 or the server).
If the M200 is sending the TLS alert then it could be that the M200 is rejecting the server certificate. In this case, on the M200 you can add the server certificate to trust under Servicing -> Certificates -> Trusted Certificates. The uploaded certificate must be in pem format.
If the server is sending the TLS alert then it might be that the server is rejecting the client certificate of the M200. In this case I would recommend checking with the customer support for your HTTP server.
I agree that option "Only accept trusted certificates" seems to not be applied in this case. I opened a bug for this (bugID VTECHDEV-88).
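Added example (not from the thread or from Snom): a small Python decoder for TLS alert records pulled out of such a capture, applying the rule from the post above (the side that sends the alert is the side that rejected a certificate). The byte strings are constructed samples; alert number 48 is the unknown_ca seen in the logs earlier in the thread.

```python
"""Added example (not from the thread): decode TLS alert records so you can tell
which side of the handshake sent the alert, as the post above recommends checking.
The byte strings below are constructed samples, not from a real M200 capture."""
import struct

CONTENT_ALERT = 21  # TLS record content type for Alert
# Alert descriptions from RFC 5246 that relate to certificate problems
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate",
               43: "unsupported_certificate", 44: "certificate_revoked",
               45: "certificate_expired", 46: "certificate_unknown",
               48: "unknown_ca"}

def iter_records(data):
    """Yield (content_type, version, payload) for each TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) < length:
            break  # truncated capture: stop rather than misparse
        yield ctype, version, payload
        off += 5 + length

def find_alerts(data):
    """Return [(level, code, name)] for every Alert record in data."""
    alerts = []
    for ctype, _version, payload in iter_records(data):
        if ctype == CONTENT_ALERT and len(payload) >= 2:
            level, code = payload[0], payload[1]
            alerts.append((level, code, ALERT_NAMES.get(code, "alert_%d" % code)))
    return alerts

def diagnose(client_to_server, server_to_client):
    """Decision rule from the post: whoever sends the alert rejected the peer's cert."""
    server_alerts = find_alerts(server_to_client)
    client_alerts = find_alerts(client_to_server)
    if server_alerts:
        # server did not accept the phone's client certificate: check the CA on the server
        return "server rejected client: " + server_alerts[0][2]
    if client_alerts:
        # phone did not accept the server certificate: upload it under Trusted Certificates
        return "client rejected server: " + client_alerts[0][2]
    return "no alert"

# Constructed sample: phone sends a ClientHello, server answers fatal unknown_ca (48)
PHONE_TO_SERVER = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"
SERVER_TO_PHONE = b"\x15\x03\x03\x00\x02" + b"\x02\x30"

if __name__ == "__main__":
    print(diagnose(PHONE_TO_SERVER, SERVER_TO_PHONE))  # server rejected client: unknown_ca
```

Feed it the TLS record bytes of each direction from the tcpdump or "Network Trace" capture (for example exported from a packet analyser) to confirm which side raised the alert before changing any certificate settings.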
It is possible to automatically provision the certificate. You could have an intermediary configuration file in which you could provision the certificate first, using http (not https). The initial provisioning file would look something like this:
file.certificate.trusted.url = http://HTTP_SERVER_IP/cert1.pem <------------------------ link to the certificate
provisioning.server_address = https://HTTP_SERVER_IP/provisioningFile.cfg <------------------------ link to the secure https provisioning file
After fetching the certificate automatically, the M200 would change the provisioning link to https://HTTP_SERVER_IP/provisioningFile.cfg