Asterisk CA certificate path error

I am using Asterisk 13.10.0 as a PBX and have an encrypted link to a SIP gateway server.
The TLS is set up when Asterisk is not checking the server certs, but this is not secure.
When I set tlsdontverifyserver=yes the link is set up.
If I set this to no then TLS is not set up.

When I look at the full log I can see that it looks like it is not happy with the calist.pem with the server cert authority trust chain.

[Apr 15 11:36:58] ERROR[2353] tcptls.c: TLS/SSL CA file(/etc/asterisk/keys/calist.pem)/path() error

The file path is correct in the sip.conf and the file is owned by asterisk:asterisk.
So what does the /path() refer to?
I have been pulling my hair out on this for weeks now.

The CA cert is used on different applications, so I believe this to be a correctly formatted certificate.

Newer versions of Asterisk will actually output the OpenSSL error message, and provide that information.

Changing Asterisk version is not an option for me unfortunately.
Any other suggestions?

Then to answer your question, the message means that we called the OpenSSL function SSL_CTX_load_verify_locations with a file of “/etc/asterisk/keys/calist.pem” which did not return success. OpenSSL for some reason didn’t like the file or couldn’t access it for some reason.

Someone else may have experienced the same issue and narrowed it down, but I haven’t seen it or remember it.

Hi jcolp
Are there any OpenSSL commands I could use to validate the certificate, or to try and see what the issue may be, that you can think of?

Hi jcolp,

The CA list is 4 certificates in a stack. That is supported by Asterisk, isn’t it?

We, ourselves, don’t examine the file at all. We pass the filename to OpenSSL using the API call I previously mentioned, and it does everything. To that end I don’t know what that API call will do with that. It might be fine, it might not be.

As for OpenSSL commands there are some, but I don’t have a cheat sheet or know them off the top of my head. I usually end up using Google and finding things to use.

Thanks for your help. Is there any way I can run the OpenSSL function SSL_CTX_load_verify_locations from the command line to try and debug further?
The file is definitely in the location specified; it is owned by asterisk and in the asterisk group.

I don’t know anything further about it.

Finally fixed this. Problem was with the permissions.
This came from a colleague, so don’t ask me to explain any further than that the problem was Asterisk couldn’t access the certs in the directory.

This is what they should be:

ls -lZd /etc/asterisk/keys/
drwxr-x---. asterisk asterisk system_u:object_r:asterisk_etc_t:s0 /etc/asterisk/keys/

And these are the commands to set them to the above:

chown -R asterisk.asterisk /etc/asterisk/keys/
chmod 750 /etc/asterisk/keys/
chcon -R -v -u system_u -r object_r -t asterisk_etc_t /etc/asterisk/keys/
Solved my problem.

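A small checklist script, added here as an example (it is not from the thread, nor Asterisk's own code), that walks through what has to hold for OpenSSL's SSL_CTX_load_verify_locations() call to succeed: every directory on the path searchable by the Asterisk user, the file readable, the SELinux label visible, and the PEM stack parsable by OpenSSL itself, which surfaces the OpenSSL error text that Asterisk 13 does not print. It assumes the openssl and getenforce tools are optional on PATH and that you run it as the Asterisk user, e.g. sudo -u asterisk sh check.sh /etc/asterisk/keys/calist.pem.

```shell
#!/bin/sh
# check_ca_file PATH
# Return codes: 0 ok, 1 directory not traversable or file not readable,
# 2 no PEM certificate blocks, 3 OpenSSL itself rejects the bundle.
check_ca_file() {
    f=$1
    # 1. Each parent directory must be searchable (x) by this user; in the thread
    #    keys/ was not reachable by asterisk until it was chown'd and chmod 750.
    d=$(dirname "$f")
    while [ "$d" != "/" ] && [ "$d" != "." ]; do
        if [ ! -x "$d" ]; then
            echo "cannot traverse $d as $(id -un): $(ls -ld "$d" 2>&1)"
            return 1
        fi
        d=$(dirname "$d")
    done
    if [ ! -r "$f" ]; then
        echo "cannot read $f as $(id -un): $(ls -l "$f" 2>&1)"
        return 1
    fi
    # 2. With SELinux enforcing, the right mode is not enough: show the labels
    #    so they can be compared against asterisk_etc_t.
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" = "Enforcing" ]; then
        echo "SELinux is enforcing; contexts:"
        ls -Zd "$(dirname "$f")" "$f"
    fi
    # 3. The file must contain at least one PEM certificate (a stacked CA list has several).
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    if [ "$n" -eq 0 ]; then
        echo "no PEM certificate blocks found in $f"
        return 2
    fi
    echo "$f: $n PEM certificate block(s), readable by $(id -un)"
    # 4. Let OpenSSL parse the whole bundle and print each subject/issuer; a
    #    malformed entry produces the library's own error message here.
    if command -v openssl >/dev/null 2>&1; then
        if ! openssl crl2pkcs7 -nocrl -certfile "$f" 2>&1 | openssl pkcs7 -print_certs -noout; then
            echo "OpenSSL could not parse $f"
            return 3
        fi
    fi
    return 0
}
```

Step 4 only reports parse problems; a certificate that parses but is not the gateway's actual issuer still fails verification, which openssl s_client -CAfile against the gateway would show.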
In practice, most people will turn off SELinux, rather than using chcon to set the right context. Machines running Asterisk generally aren’t multiuser, so don’t need discretionary security.