[asterisk-users] Problem setting up ssl connection

Jonas Kellens jonas.kellens at telenet.be
Wed Oct 26 09:57:15 CDT 2016


On 26-10-16 15:03, Dan Jenkins wrote:
>
>
> On Wed, Oct 26, 2016 at 1:46 PM, Jonas Kellens 
> <jonas.kellens at telenet.be> wrote:
>
>     Hello
>
>
>     I keep getting the following error when trying to connect to the
>     Asterisk server using AMI :
>
>     $socket = fsockopen("tls://11.22.33.44", "5039", $errno, $errstr, 5);
>
>     Error on CLI :
>
>     [Oct 26 14:38:19] ERROR[2992]: tcptls.c:609
>     handle_tcptls_connection: Problem setting up ssl connection:
>     error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>     [Oct 26 14:38:19] WARNING[2992]: tcptls.c:684
>     handle_tcptls_connection: FILE * open failed!
>
>     I have in sip.conf :
>
>     tlsenable=yes
>     tlsbindaddr=0.0.0.0
>
>     tlscertfile=/etc/asterisk/keys/asterisk.pem
>     tlsdontverifyserver=yes
>     tlscipher=ALL
>     ;tlsclientmethod=tlsv2
>
>     /etc/asterisk/keys :
>
>     -rw------- 1 root root 1,2K okt 26 14:25 asterisk.crt
>     -rw------- 1 root root  574 okt 26 14:24 asterisk.csr
>     -rw------- 1 root root  887 okt 26 14:24 asterisk.key
>     -rw------- 1 root root 2,1K okt 26 14:25 asterisk.pem
>     -rw------- 1 root root  160 okt 26 14:24 ca.cfg
>     -rw------- 1 root root 1,8K okt 26 14:24 ca.crt
>     -rw------- 1 root root 3,3K okt 26 14:24 ca.key
>     -rw------- 1 root root  123 okt 26 14:24 tmp.cfg
>
>
>     The webserver ( A ) from where I open the socket to
>     tls://11.22.33.44 also has a self-signed
>     certificate.
>
>     This problem started when creating a new self-signed cert on
>     webserver A.
>
>
>
>
>     Any thoughts ?
>
>
>     Thanks !
>
>
>     Kind regards.
>
>
>     J.
>
>
> Jonas,
>
> You talk about sip.conf and setting your TLS cert there - but you're 
> trying to connect to the AMI over TLS - so you need to set this stuff 
> in manager.conf 
> (https://github.com/asterisk/asterisk/blob/master/configs/samples/manager.conf.sample) 
> - did you mean manager.conf ?
>
> The error says that it doesn't understand the Certificate Authority in 
> the cert. The box you're connecting from shouldn't affect anything so 
> the issue will be with the CA of the cert - usually you need to add 
> the CA to the cert to complete the chain.
>
> If this is a public box then I'd recommend just using LetsEncrypt - 
> many things don't like Self Signed Certs now
>
> Dan
>

Hello Dan

If it is indeed manager.conf that I need to edit, then the problem is 
that I see no param : tlsdontverifyserver=yes

I don't know how to make the AMI ignore the self-signed certificate.




Kind regards

J.
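
An added example, not part of either poster's message and not Asterisk's own code: the OpenSSL reason "tlsv1 alert unknown ca" reported from SSL3_READ_BYTES is an alert that Asterisk received from the connecting peer. Assuming the PHP client is the side rejecting the certificate, it can be made to trust the private CA that signed the Asterisk certificate instead of turning verification off. The host and port are the ones from the post; the CA file path and the peer name `pbx.example.test` are hypothetical.

```php
<?php
// Added example: connect to the AMI TLS port and trust only a private CA.
// $caFile and $peerName are assumptions; use your own copy of ca.crt and the
// CN/SAN that the Asterisk certificate was issued for.

function ami_tls_context(string $caFile, string $peerName)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    return stream_context_create(['ssl' => [
        'cafile'            => $caFile,    // trust this CA only
        'verify_peer'       => true,       // check the chain
        'verify_peer_name'  => true,       // check the name
        'peer_name'         => $peerName,  // needed when connecting by IP address
        'allow_self_signed' => false,
    ]]);
}

function ami_tls_connect(string $host, int $port, $context, int $timeout = 5): array
{
    // fsockopen() cannot take a stream context; stream_socket_client() can.
    $socket = stream_socket_client("tls://$host:$port", $errno, $errstr,
        $timeout, STREAM_CLIENT_CONNECT, $context);
    if ($socket === false) {
        // Handshake failures often leave $errstr empty; the PHP warning
        // emitted by the call carries the OpenSSL detail.
        throw new RuntimeException("TLS connect to $host:$port failed ($errno) $errstr");
    }
    stream_set_timeout($socket, $timeout);
    $banner = fgets($socket, 256);   // AMI greets with a one-line banner
    if ($banner === false) {
        fclose($socket);
        throw new RuntimeException('TLS is up but no AMI banner was received');
    }
    return [$socket, trim($banner)];
}

// Usage: php ami_tls.php /path/to/ca.crt pbx.example.test
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $ctx = ami_tls_context($argv[1], $argv[2]);
    [$sock, $banner] = ami_tls_connect('11.22.33.44', 5039, $ctx);
    echo $banner, PHP_EOL;
    fclose($sock);
}
```

If the handshake still fails with the CA file in place, the certificate Asterisk presents was not signed by that CA or does not carry the name given as `peer_name`.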
