[asterisk-users] res_calendar & LetsEncrypt
Greg Troxel
gdt at lexort.com
Tue Dec 24 08:08:58 CST 2019
Doug Lytle <support at drdos.info> writes:
> For a while now, I've had a small home Asterisk setup to connect to my
> Zimbra mail server's calendar. Making an entry on the calendar would
> cause Asterisk to schedule a wakeup call at the time of the calendar
> entry.
>
> The Zimbra mail server uses LetsEncrypt for the SSL Certs and renews
> every 60 days. On the Asterisk side of things, if I do not restart
> the Asterisk process, the logs get spammed with the below and the
> wakeup call never occurs:
>
> [Dec 24 07:48:46] WARNING[10679] res_calendar_caldav.c: Unknown
> response to CalDAV calendar calendar.name.here, request REPORT to
> /dav/username/Calendar: Server certificate changed: connection
> intercepted?
>
> Would this be considered a bug, or do I have something setup incorrectly?
>
> Asterisk version: 13.29.2
> OS: Debian GNU/Linux 7.11 (wheezy)
> Zimbra OSE 8.8.11 P4
My guess is bug.
Generally, one validates server certificates starting from a list of
acceptable configured CA certificates, called trust anchors.
Perhaps because people often used to use self-signed certicates (before
Let's Encrypt), and perhaps because of general paranoia (not a bad
thing), there is a notion of certificate pinning.
However, it strikes me that if implemented, the pinning would be
persistent.
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
Have you done anything in the asterisk config to control certificate
validation?
I would suggest reading the res_calendar_caldav sources to see if there
is some attempt to store certificates and compare.
More information about the asterisk-users
mailing list