[asterisk-users] unsolved: Re: solved: how to create a working certificate for using TLS?

Michael Maier m1278468 at mailbox.org
Sat Jul 6 12:23:55 CDT 2019

On 06.07.19 at 12:16 hwilmer wrote:
> On 7/6/19 10:40 AM, Michael Maier wrote:
>> On 05.07.19 at 22:02 hw wrote:
>>> openssl verify -CAfile ca.pem asterisk.pem
>>> asterisk.pem: OK
>>> When I set tlsdontverifyserver=yes, it works (i. e. asterisk registers
>>> to the SIP provider and there is no error message).  Otherwise I'm
>>> getting the error message and asterisk does not register.
>>> Reading the comments in sip.conf.sample, I would assume that asterisk
>>> can not verify the certificate of the SIP provider.  Yet
>>> openssl s_client -connect secure.sip.easybell.de:5061

I'm using easybell via tls, too - but with pjsip - I had never any problem.

>> You know that you don't need an own certificate to connect via tls to the ISP?
> No, I didn't know that.  However, there are local clients connecting to asterisk
> using encryption, so I suppose my own certificate is required.

That's true - but why do you need encryption on your own LAN? Just for fun or are there any particular requirements?

>> To be able to verify the certificate of the ISP, asterisk has to know the local CA database. For CentOS 7, this is /etc/pki/tls/certs/ca-bundle.crt.
> How did you know I'm doing this on Centos? :)

This was just meant as an example - chance :-)

> Setting 'tlscapath' to /etc/pki or to /etc/pki/ca-trust/source/ didn't seem to

I'm sorry - I don't know how to handle ca bundles with chan_sip. With pjsip it's


in pjsip.transports.conf.


More information about the asterisk-users mailing list