[asterisk-users] unsolved: Re: solved: how to create a working certificate for using TLS?

hwilmer hw at gc-24.de
Sat Jul 6 05:16:53 CDT 2019


On 7/6/19 10:40 AM, Michael Maier wrote:
> On 05.07.19 at 22:02 hw wrote:
>>
>> openssl verify -CAfile ca.pem asterisk.pem
>> asterisk.pem: OK
>>
>>
>> When I set tlsdontverifyserver=yes, it works (i.e. asterisk registers
>> to the SIP provider and there is no error message).  Otherwise I'm
>> getting the error message and asterisk does not register.
>>
>> Reading the comments in sip.conf.sample, I would assume that asterisk
>> can not verify the certificate of the SIP provider.  Yet
>>
>>
>> openssl s_client -connect secure.sip.easybell.de:5061
> 
> You know that you don't need an own certificate to connect via tls to the ISP?

No, I didn't know that.  However, there are local clients connecting to asterisk
using encryption, so I suppose my own certificate is required.

> To be able to verify the certificate of the ISP, asterisk has to know the local CA database. For CentOS 7, this is /etc/pki/tls/certs/ca-bundle.crt.

How did you know I'm doing this on CentOS? :)

Setting 'tlscapath' to /etc/pki or to /etc/pki/ca-trust/source/ didn't seem to
make a difference, so I figured that this might be figured out automatically
since 'openssl s_client ...' apparently does figure it out automatically.
There is much figuring involved for the wanting of clear documentation ...

Now I've set 'tlscafile=/etc/pki/tls/certs/ca-bundle.crt' on the asterisk at
work, but that one didn't have issues with certificates after I made a new
one.  I'll try the same at home when I get back to see if it makes a difference.

Is 'tlscafile' the correct option for this?
