[asterisk-users] TLS/SSL error loading cert file. </etc/asterisk/keys/asterisk.pem>

Mon Jan 6 12:06:22 CST 2020

On Monday 06 January 2020 at 19:01:09, Olivier wrote:

> May I add I could successfully (if pjsip show transports has any meaning)
> add a PJSIP TLS-transport with:
> 
> [transport-tls]
> type=transport
> protocol=tls
> bind=0.0.0.0:5061
> cert_file=/etc/asterisk/keys/asterisk.crt
> priv_key_file=/etc/asterisk/keys/asterisk.key

So, that does indeed suggest that an absolute path + the .crt file instead of 
the .pem file might work...

> method=tlsv1
> 
> Le lun. 6 janv. 2020 à 18:33, Olivier <oza.4h07 at gmail.com> a écrit :
> > Hello,
> > 
> > On a newly re-installed Asterisk 16.7.0 on Debian Buster, I can't find a
> > way to enable HTTPS.
> > Asterisk is running as asterisk:asterisk:
> > 
> > asterisk 11097  0.3  6.7 741352 67984 ?        Ssl  17:53   0:06
> > /usr/sbin/asterisk -g -f -p -U asterisk
> > 
> > # cat /etc/asterisk/http.conf
> > [general]
> > servername=Asterisk
> > enabled=yes
> > bindaddr=0.0.0.0
> > bindport=8088
> > tlsenable=yes
> > tlsbindaddr=0.0.0.0:8089
> > tlscertfile=/etc/asterisk/keys/asterisk.pem
> > ;tlsprivatekey=keys/asterisk.key
> > 
> > # ls -lR /etc/asterisk/keys
> > /etc/asterisk/keys:
> > total 32
> > -rw-rw-r-- 1 asterisk asterisk 1229 janv.  6 16:00 asterisk.crt
> > -rw-rw-r-- 1 asterisk asterisk  586 janv.  6 15:59 asterisk.csr
> > -rw-rw-r-- 1 asterisk asterisk  887 janv.  6 15:59 asterisk.key
> > -rw-rw-r-- 1 asterisk asterisk 2116 janv.  6 16:00 asterisk.pem
> > -rw-rw-r-- 1 asterisk asterisk  158 janv.  6 15:59 ca.cfg
> > -rw-rw-r-- 1 asterisk asterisk 1773 janv.  6 15:59 ca.crt
> > -rw-rw-r-- 1 asterisk asterisk 3311 janv.  6 15:59 ca.key
> > -rw-rw-r-- 1 asterisk asterisk  132 janv.  6 15:59 tmp.cfg
> > 
> > # grep TLS /var/log/asterisk/full | tail -1
> > [Jan  6 18:24:45] ERROR[11221] tcptls.c: TLS/SSL error loading cert file.
> > </etc/asterisk/keys/asterisk.pem>
> > 
> > # su - asterisk --shell /bin/sh --command 'cat
> > /etc/asterisk/keys/asterisk.pem'
> > -----BEGIN RSA PRIVATE KEY-----
> > MIICXAIBAAKBgQCxllxfOR9sFwyKiKPZErUcBF1zlwTVZ9XvemA/8yQY7aIVw2ce
> > ...
> > RE3X5iJqFIRupoIQZQJBAJnDX8dCQbqLvmAV6/Ubiz0XHjHzLEkhMKtF/ksbgou1
> > zykmu2rlUbnZ+DPFj/lw9WH7DaIxtogZ7qKSp0dd95g=
> > -----END RSA PRIVATE KEY-----
> > -----BEGIN CERTIFICATE-----
> > MIIDXzCCAUcCAQEwDQYJKoZIhvcNAQELBQAwNTEcMBoGA1UEAwwTQXN0ZXJpc2sg
> > ...
> > XkVjfneCBgllQhLrnb9oUBuHQCy3qtlPkXpXfAtIsodnoV1mrpI3+iKH7xWc4AtQ
> > Rbrt
> > -----END CERTIFICATE-----
> > 
> > 
> > Any clue ?
> > 
> > Best regards

-- 
I can tell you I wish those people just would be quiet. It would be best for 
the world. That's not going to happen, so we have to work in the right fashion 
with these security researchers.

 - Steve Ballmer, at Microsoft's Worldwide Partner Conference in New Orleans, 
October 2003
 - http://news.microsoft.com/speeches/steve-ballmer-speech-transcript-
microsoft-worldwide-partner-conference-2003/

                                                   Please reply to the list;
                                                         please *don't* CC me.