<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-size:small">Thanks Stefan for the pointer.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">There isn't a /etc/ssl/openssl.cnf on the CentOS7 box. There is a /etc/pki/tls/openssl.cnf, but there's no MinProtocol or CipherString defined there. I installed certbot (for Letsencrypt auto renewal) thru snap. The openssl.cnf that comes with snap (under /var/lib/snapd/snap/core/current/etc/ssl) is pretty similar to the one under /etc/pki/tls, in both lacking MinProtocol and CipherString definitions.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default"><p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">[root@voip1 ~]# openssl version</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">OpenSSL 1.0.2k-fips 26 Jan 2017</font></span></p></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">if it helps with anything.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small"> Thanks,</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">--Ruisheng</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 29, 2021 at 5:55 AM Stefan Tichy <<a href="mailto:asterisk3@pi4tel.de">asterisk3@pi4tel.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">On Tue, Jan 26, 2021 at 10:12:22AM -1000, Ruisheng Peng wrote:<br>
<br>
> The self-sign asterisk.crt:<br>
<br>
I saved that file in "x.crt".<br>
<br>
openssl x509 -in x.crt -noout -text<br>
<br>
....<br>
RSA Public-Key: (1024 bit)<br>
....<br>
<br>
<br>
<br>
> and Letsencrypt cert.pem:<br>
<br>
I saved that file in "y.crt".<br>
<br>
openssl x509 -in y.crt -noout -enddate<br>
notAfter=Jan 29 01:24:25 2021 GMT<br>
<br>
<br>
> There were a few mentions of this problem on the web, and one said changing<br>
> the security mode of the certs to 755 fixed his problem.<br>
<br>
That makes no sense.<br>
<br>
<br>
<br>
Which version of openssl is used on that CentOS7 box?<br>
<br>
In "/etc/ssl/openssl.cnf" you find something like this:<br>
<br>
MinProtocol = TLSv1.2<br>
CipherString = DEFAULT@SECLEVEL=2<br>
<br>
You could set the level to "1" or even to "0" and restart Asterisk.<br>
<br>
<br>
-- <br>
Stefan Tichy<br>
<br>
asterisk-users mailing list<br>
</blockquote></div>
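<div>The two checks from the reply above (public key size and notAfter), combined into one script. This is an added example, not part of the original thread; the function names are its own, it assumes an RSA certificate, and the key-size thresholds are OpenSSL's documented RSA minimums per security level.</div>

```shell
#!/bin/sh
# Added example: report why OpenSSL may refuse a certificate, using the
# key-size and expiry checks shown in the reply. Assumes an RSA key.

# Smallest RSA key accepted at each OpenSSL security level.
# Security levels exist in OpenSSL 1.1.0 and later; 1.0.2 has none.
min_rsa_bits() {
    case "$1" in
        0) echo 0 ;;
        1) echo 1024 ;;
        2) echo 2048 ;;
        3) echo 3072 ;;
        4) echo 7680 ;;
        5) echo 15360 ;;
        *) echo "unknown security level: $1" >&2; return 2 ;;
    esac
}

# Read `openssl x509 -noout -text` output on stdin, print the key size in bits.
key_bits() {
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# key_ok BITS LEVEL: succeed if a BITS-bit RSA key is allowed at LEVEL.
key_ok() {
    min=$(min_rsa_bits "$2") || return 2
    [ "$1" -ge "$min" ]
}

# check_cert FILE [LEVEL]: report key size and expiry for a PEM certificate.
check_cert() {
    level=${2:-2}
    bits=$(openssl x509 -in "$1" -noout -text | key_bits)
    [ -n "$bits" ] || { echo "$1: no key size found" >&2; return 2; }
    rc=0
    if key_ok "$bits" "$level"; then
        echo "$1: $bits-bit key accepted at SECLEVEL=$level"
    else
        echo "$1: $bits-bit key rejected at SECLEVEL=$level"; rc=1
    fi
    # -checkend 0 exits non-zero when notAfter is already in the past.
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo "$1: not expired"
    else
        echo "$1: expired ($(openssl x509 -in "$1" -noout -enddate))"; rc=1
    fi
    return $rc
}

# Run against a file only when one is given, e.g.: sh certcheck.sh x.crt 2
if [ "$#" -ge 1 ]; then check_cert "$@"; fi
```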