[asterisk-users] unsolved: Re: solved: how to create a working certificate for using TLS?

hw hw at gc-24.de
Fri Jul 5 15:02:56 CDT 2019


On 7/5/19 9:32 PM, John Runyon wrote:
> On Fri, 5 Jul 2019 at 14:28, hw <hw at gc-24.de <mailto:hw at gc-24.de>> wrote:
> 
>     I thought about that and checked the configuration I've been using to
>     create the certificate, and I can't see anywhere that it would expire
>     earlier than after 3650 days.  Is there another way to check this?
> 
> openssl verify -CAfile ca.crt server.crt

openssl verify -CAfile ca.pem asterisk.pem
asterisk.pem: OK


When I set tlsdontverifyserver=yes, it works (i. e. asterisk registers
to the SIP provider and there is no error message).  Otherwise I'm
getting the error message and asterisk does not register.

Reading the comments in sip.conf.sample, I would assume that asterisk
can not verify the certificate of the SIP provider.  Yet


openssl s_client -connect secure.sip.easybell.de:5061


seems to verify the certificate just fine.  Previous tests seemed to
show the asterisk is trying to verify its own certificate instead, or
as well.

What exactly is asterisk trying to verify, and what fails the
verification?


Suspicious is this:


[Jul  5 12:48:00] NOTICE[7015]: chan_sip.c:30416 sip_poke_noanswer: Peer 
'aaa' is now UNREACHABLE!  Last qualify: 55
   == TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled
   == TLS/SSL certificate ok
[Jul  5 12:48:08] ERROR[1482]: tcptls.c:173 handle_tcptls_connection: 
Certificate did not verify: unable to get local issuer certificate


That's the point at which the certificate suddenly stopped working after
the SIP provider became unreachable.  Why?



More information about the asterisk-users mailing list