Stuck on a recurring 403 Forbidden error when our Genesys Cloud Edge BYOC SIP trunks attempt to re-register following the latest platform patch deployment. The logs indicate a mismatch in the authentication challenge response, specifically around the Authorization header construction during the initial REGISTER request.
The environment is running on the London region, and we are using the default SIP signaling flow. The error occurs immediately after the 401 Unauthorized challenge is issued by the Genesys edge. The subsequent REGISTER request, which includes the calculated Response digest, is being rejected with 403. We have verified the shared secret and SIP URI configuration in the Genesys admin console, and they match the PBX side exactly.
Interestingly, this issue only manifests on trunks configured with TLS 1.3. Trunks using TLS 1.2 register without issue. We suspect a change in how the Genesys Edge handles the cnonce or opaque values in the digest authentication for newer TLS versions.
Has anyone encountered similar digest authentication failures post-patch? We have reviewed the SIP Trunk Configuration Guide but found no mention of TLS version-specific digest changes. Any insights into the expected qop values or nc counter behavior would be appreciated.
check your edge certificate chain again. the 403 usually means the edge is rejecting the full chain, not just the leaf cert. in my recent load tests with jmeter, i saw similar 403s when the intermediate certs were missing from the bundle. ensure your ssl_cert_file points to the correct ca-bundle.crt in your config. also, check if the sip trunk auth header is using the right realm. sometimes the patch changes the expected realm string. if you are using a custom flask wrapper for the edge, make sure the request parser handles the new auth challenge format. i had to flatten the json payload in a similar case to avoid a 400, but here it is likely a cert issue. try adding the intermediate certs to your trust store and re-register. if it persists, check the edge logs for specific validation errors.
resource "genesyscloud_sip_trunk" "main" {
auth_type = "digest"
realm = "genesys" # Patch likely updated this default
}
This is caused by the realm string mismatch in the digest auth flow post-patch. The edge expects the new default realm, so hardcode it in your IaC to stop the 403s.
Ah, this is a known issue… i’ve been looking at the digest auth flow for my python scripts and it seems the realm change is definitely the culprit. the documentation wasn’t very clear on this update, but hardcoding the realm in the terraform block seems to fix the immediate registration failure. it’s a bit of a surprise that the default changed without a clearer warning in the release notes.
i tried applying this to my local test environment using the genesyscloud_sip_trunk resource. the 403 error stopped appearing as soon as i added realm = "genesys". it feels a bit fragile to rely on a hardcoded string like this, but it works for now. i’m still getting some weird oauth2 errors with the python sdk when trying to query the trunk status afterwards, but at least the sip side is connecting.
please let me know if this breaks anything else in your setup. i’m not sure if there are side effects with the call routing or quality metrics since i only have a small dev tenant to test on. also, does anyone know if the realm name might change again in the next patch? it would be nice to have a more dynamic way to handle this instead of updating our IaC every time.
You might want to look at the realm config. 
{
"realm": "genesys"
}