[asterisk-users] unsolved: Re: solved: how to create a working certificate for using TLS?
hwilmer
hw at gc-24.de
Sat Jul 6 05:16:53 CDT 2019
On 7/6/19 10:40 AM, Michael Maier wrote:
> On 05.07.19 at 22:02 hw wrote:
>>
>> openssl verify -CAfile ca.pem asterisk.pem
>> asterisk.pem: OK
>>
>>
>> When I set tlsdontverifyserver=yes, it works (i.e. asterisk registers
>> to the SIP provider and there is no error message). Otherwise I'm
>> getting the error message and asterisk does not register.
>>
>> Reading the comments in sip.conf.sample, I would assume that asterisk
>> cannot verify the certificate of the SIP provider. Yet
>>
>>
>> openssl s_client -connect secure.sip.easybell.de:5061
>
> You know that you don't need your own certificate to connect via tls to the ISP?

No, I didn't know that. However, there are local clients connecting to asterisk
using encryption, so I suppose my own certificate is required.

> To be able to verify the certificate of the ISP, asterisk has to know the local CA database. For CentOS 7, this is /etc/pki/tls/certs/ca-bundle.crt.

How did you know I'm doing this on CentOS? :)

Setting 'tlscapath' to /etc/pki or to /etc/pki/ca-trust/source/ didn't seem to
make a difference, so I figured that this might be figured out automatically
since 'openssl s_client ...' apparently does figure it out automatically.

There is much figuring involved for want of clear documentation ...

Now I've set 'tlscafile=/etc/pki/tls/certs/ca-bundle.crt' on the asterisk at
work, but that one didn't have issues with certificates after I made a new
one. I'll try the same at home when I get back to see if it makes a difference.

Is 'tlscafile' the correct option for this?
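
The difference between the two options discussed in this message, as an added example that is not part of the original post or of Asterisk: a structural check of whether a path can serve as 'tlscafile' (one PEM bundle file) or as 'tlscapath' (a directory that OpenSSL searches by subject-hash file names such as 1a2b3c4d.0). It assumes Asterisk hands both values to OpenSSL unchanged; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a path as a candidate for tlscafile or tlscapath.
# Structural check only; it does not validate the certificates themselves.

# Prints one of: cafile, not-pem, capath, unhashed-dir, missing
classify_ca_path() {
    p=$1
    if [ -f "$p" ]; then
        # A CAfile is a single file holding one or more PEM certificates.
        if grep -q -e '-----BEGIN CERTIFICATE-----' "$p"; then
            echo cafile
        else
            echo not-pem
        fi
    elif [ -d "$p" ]; then
        # A CApath is searched by subject-hash names: 8 hex digits, a dot,
        # then a counter. Subdirectories are not searched.
        for f in "$p"/*; do
            [ -e "$f" ] || continue
            case ${f##*/} in
                [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                    echo capath
                    return 0 ;;
            esac
        done
        echo unhashed-dir
    else
        echo missing
    fi
}

# Constructed sample tree (placeholder contents, not real certificates):
#   <tmp>/tls/ca-bundle.crt   a bundle file
#   <tmp>/hashed/1a2b3c4d.0   a hash-named link, as a rehash tool would create
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/tls" "$d/hashed"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
        '-----END CERTIFICATE-----' > "$d/tls/ca-bundle.crt"
    ln -s ../tls/ca-bundle.crt "$d/hashed/1a2b3c4d.0"
    echo "$d"
}

# Classify any paths given on the command line.
for arg in "$@"; do
    printf '%s: %s\n' "$arg" "$(classify_ca_path "$arg")"
done
```

A parent directory that only contains subdirectories, like the top of the sample tree, reports unhashed-dir: as a CApath it offers OpenSSL nothing to look up, while the bundle file inside it is usable as a CAfile.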