<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <div class="moz-cite-prefix">On 26-10-16 15:03, Dan Jenkins wrote:<br>
    </div>
    <blockquote
cite="mid:CAE89AU+X=9K6xtKE4=etAT_HCYaB7eGVw7NU9RmQ_-peTBBq8g@mail.gmail.com"
      type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Wed, Oct 26, 2016 at 1:46 PM,
            Jonas Kellens <span dir="ltr">&lt;<a moz-do-not-send="true"
                href="mailto:jonas.kellens@telenet.be" target="_blank">jonas.kellens@telenet.be</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div bgcolor="#FFFFFF"> <font face="Helvetica, Arial,
                  sans-serif">Hello<br>
                  <br>
                  <br>
                  I keep getting the following error when trying to
                  connect to the Asterisk server using AMI :<br>
                  <br>
                  $socket = fsockopen("tls://11.22.33.44", "5039",
                  $errno, $errstr, 5);<br>
                  <br>
                  Error on CLI :<br>
                  <br>
                  [Oct 26 14:38:19] ERROR[2992]: tcptls.c:609
                  handle_tcptls_connection: Problem setting up ssl
                  connection: error:14094418:SSL
                  routines:SSL3_READ_BYTES:tlsv1 alert unknown ca<br>
                  [Oct 26 14:38:19] WARNING[2992]: tcptls.c:684
                  handle_tcptls_connection: FILE * open failed!<br>
                  <br>
                  I have in sip.conf :<br>
                  <br>
                  tlsenable=yes<br>
                  tlsbindaddr=0.0.0.0<br>
                  <br>
                  tlscertfile=/etc/asterisk/keys/asterisk.pem<br>
                  tlsdontverifyserver=yes<br>
                  tlscipher=ALL<br>
                  ;tlsclientmethod=tlsv2<br>
                  <br>
                  /etc/asterisk/keys :<br>
                  <br>
                  -rw------- 1 root root 1,2K okt 26 14:25 asterisk.crt<br>
                  -rw------- 1 root root  574 okt 26 14:24 asterisk.csr<br>
                  -rw------- 1 root root  887 okt 26 14:24 asterisk.key<br>
                  -rw------- 1 root root 2,1K okt 26 14:25 asterisk.pem<br>
                  -rw------- 1 root root  160 okt 26 14:24 ca.cfg<br>
                  -rw------- 1 root root 1,8K okt 26 14:24 ca.crt<br>
                  -rw------- 1 root root 3,3K okt 26 14:24 ca.key<br>
                  -rw------- 1 root root  123 okt 26 14:24 tmp.cfg<br>
                  <br>
                  <br>
                  The webserver ( A ) from where I open the socket to
                  tls://11.22.33.44
                  also has a self-signed certificate.<br>
                  <br>
                  This problem started when creating a new self-signed
                  cert on webserver A.<br>
                  <br>
                  <br>
                  <br>
                  <br>
                  Any thoughts ?<br>
                  <br>
                  <br>
                  Thanks !<br>
                  <br>
                  <br>
                  Kind regards.<span class="gmail-HOEnZb"><font
                      color="#888888"><br>
                      <br>
                      <br>
                      J.<br>
                    </font></span></font> </div>
              <br>
              asterisk-users mailing list</blockquote>
            <div><br>
            </div>
            <div>Jonas,</div>
            <div><br>
            </div>
            <div>You talk about sip.conf and setting your TLS cert there
              - but you're trying to connect to the AMI over TLS - so
              you need to set this stuff in manager.conf (<a
                moz-do-not-send="true"
href="https://github.com/asterisk/asterisk/blob/master/configs/samples/manager.conf.sample">https://github.com/asterisk/asterisk/blob/master/configs/samples/manager.conf.sample</a>)
              - did you mean manager.conf ? </div>
            <div><br>
            </div>
            <div>The error says that it doesn't understand the
              Certificate Authority in the cert. The box you're
              connecting from shouldn't affect anything so the issue
              will be with the CA of the cert - usually you need to add
              the CA to the cert to complete the chain.</div>
            <div><br>
            </div>
            <div>If this is a public box then I'd recommend just using
              LetsEncrypt - many things don't like Self Signed Certs now</div>
            <div><br>
            </div>
            <div>Dan</div>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <font face="Helvetica, Arial, sans-serif"><br>
      Hello Dan<br>
      <br>
      if it is indeed manager.conf that I need to edit then the problem
      is that I see no param : tlsdontverifyserver=yes<br>
      <br>
      I don't know how to make the AMI ignore the self-signed
      certificate.<br>
      <br>
      <br>
      <br>
      <br>
      Kind regards<br>
      <br>
      J.<br>
    </font><br>
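    <div>Added example, not written by either poster: the "tlsv1 alert unknown ca" line is logged when the connecting TLS client rejects the server's certificate chain, so one option is to have the PHP client trust the CA that signed the Asterisk certificate instead of turning verification off. The CA path on the web server, the peer name and the AMI user and secret below are assumptions.</div>

```php
<?php
// Added example. Assumptions: ca.crt from /etc/asterisk/keys has been copied
// to the web server as /etc/ssl/asterisk-ca.crt, the server certificate's
// CN/SAN is "pbx.example.test", and the AMI user and secret are placeholders.

function ami_tls_connect(string $host, int $port, string $caFile,
                         string $peerName, float $timeout = 5.0)
{
    $ctx = stream_context_create(['ssl' => [
        'cafile'            => $caFile,    // trust only this private CA
        'verify_peer'       => true,       // default since PHP 5.6, stated explicitly
        'verify_peer_name'  => true,
        'peer_name'         => $peerName,  // needed when connecting by IP address
        'allow_self_signed' => false,
    ]]);
    $sock = @stream_socket_client("tls://$host:$port", $errno, $errstr,
                                  $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        // A failed chain check ends up here; Asterisk then logs "unknown ca".
        $why = error_get_last()['message'] ?? $errstr;
        throw new RuntimeException("AMI TLS connect failed ($errno): $why");
    }
    stream_set_timeout($sock, (int) ceil($timeout));
    return $sock;
}

// Send one AMI action and return the response headers as an array.
function ami_action($sock, array $headers): array
{
    $msg = '';
    foreach ($headers as $k => $v) {
        // Strip CR/LF so a value cannot smuggle in extra AMI headers.
        $msg .= $k . ': ' . str_replace(["\r", "\n"], '', (string) $v) . "\r\n";
    }
    fwrite($sock, $msg . "\r\n");
    $resp = [];
    while (($line = fgets($sock)) !== false && rtrim($line) !== '') {
        [$k, $v] = array_pad(explode(':', rtrim($line), 2), 2, '');
        $resp[trim($k)] = trim($v);
    }
    return $resp;
}

if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $sock = ami_tls_connect('11.22.33.44', 5039, '/etc/ssl/asterisk-ca.crt', 'pbx.example.test');
    echo fgets($sock);   // AMI banner line
    $r = ami_action($sock, ['Action' => 'Login', 'Username' => 'ami_user', 'Secret' => 'CHANGE_ME']);
    echo ($r['Response'] ?? 'no response'), "\n";
    fclose($sock);
}
```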
  </body>
</html>