Asterisk ssl error with self assigned certificate

gatomalandr0 · October 29, 2021, 4:14pm

Hello, im trying to setup asterisk ssl just for local test and its being a nightmare…
I followed this tutorial: Configuring Asterisk for WebRTC Clients - Asterisk Project - Asterisk Project Wiki

But i dont understand why i keep having this erros:
[Oct 29 17:10:13] ERROR[48723]: iostream.c:647 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Oct 29 17:10:13] ERROR[48723]: tcptls.c:179 handle_tcptls_connection: Unable to set up ssl connection with peer ‘192.168.1.22:49282’
[Oct 29 17:10:13] ERROR[48723]: iostream.c:552 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Oct 29 17:10:13] ERROR[48724]: iostream.c:647 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Oct 29 17:10:13] ERROR[48724]: tcptls.c:179 handle_tcptls_connection: Unable to set up ssl connection with peer ‘192.168.1.22:64554’
[Oct 29 17:10:13] ERROR[48724]: iostream.c:552 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error

I already tried to use this command to check what is wrong
openssl s_client -connect 192.168.1.30:8089
and the error that gives me is:
Can’t use SSL_get_servername
depth=0 CN = 192.168.1.30, O = 192.168.1.30
verify error:num=20:unable to get local issuer certificate

Asterisk current version 18.

gatomalandr0 · October 29, 2021, 4:22pm

Aditional info:
when i try to connect to https://192.168.1.30:8089/ws
opera browser answer me this:
Issuer: Asterisk Private CA

Expires on: 29/10/2022

Current date: 29/10/2021

PEM encoded chain:
-----BEGIN CERTIFICATE-----
MIID1zCCAb8CAQEwDQYJKoZIhvcNAQELBQAwNTEcMBoGA1UEAwwTQXN0ZXJpc2sg
UHJpdmF0ZSBDQTEVMBMGA1UECgwMMTkyLjE2OC4xLjMwMB4XDTIxMTAyOTE1MzIx
N1oXDTIyMTAyOTE1MzIxN1owLjEVMBMGA1UEAwwMMTkyLjE2OC4xLjMwMRUwEwYD
VQQKDAwxOTIuMTY4LjEuMzAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCtaU9DcBoU8dYkDpmxW7U8MHjHd6CwLHOqTl2Mm0yex7Sp7FtcGdEgF4BGdy+u
V90ftUzXTs0vCYgSKhgPeKQMzSw50TfavJy71oDlONIUa5CwPxDdMSt9j31zPLdW
cOQbO9DTfJddLjw21jBPaKv36FEbKsIvlgI410+hgctOMvbdqsoqvbvK0FsHIyOe
2AlTbfaXOumNxaBHYpHIv3W97ig0ggNdbAeHawiW/HpmSKHjYk/kjU3f/lPz5oXY
iDQAGQDuhctQKy0bJ1pLv6B8Kg4A3/XUExIcz/a8mDj61BsAbC/Ict7bGHZ9X6Hq
t+fsu8wF1CmxVVuCKpVBpcoRAgMBAAEwDQYJKoZIhvcNAQELBQADggIBAAAqcczh
ePS5fqkvaNtMs+t4Wx50zhPD0tKaDUX+BmokQamTNVgDzi3AiBJHRABeZ3VzfiCX
A+yt8IuJIMWH2Kpy09t7o+JHf2fAe4vBUkFdQggftI+IMRSz/UArr7jzVG6ZKUPv
zetJ/OioVQFhjJmaB+O0TNk20jMG9sMgMotZeMnkbIMOmEnNUVykKcU3Pd/ngg5X
tXGidkeOWlBXSTdOjjeORTnm9jc2dk5PWeksy7fMJQ97VjUc6i8DwTq2ikf7Yfjq
GYg+ORdcxD/Zz0jOTSa0gWZCXs8uWHokkKD8AClRismgDklEEX45Qa7UMcX5AKzq
8e32wP4WTyoMY4NLBkFRSNGwDpNXAGQRqPtgu+jq3U2qTFom31HLhkqVQ59bpVql
DVGDi7UIX6pAJh2WacHC8TV1UwZYSDJa6Zscfaspq3yVgahvijq+eCWJ6xkUkh21
VdaBZucrLUmFothPmn6ccTnYwN2yOaCAgbS0yecFD0kHXky00exyI89fGtA8MvWg
NMPMfhW/MLgDjp9qE1tCYyOb8pkk9LUZ+1K97IsR2uXjR1luevnLfVU/KNJNSp1F
0lHEXUQoXtaEmU1axmi+cpngkGi8qaZVUTfH8C1Y37nTs4yVACIdvz0Anbng2Rkt
tiJLPZsObrY2eLCp+kdxCl7jfso0192Umz+N
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE8TCCAtkCFCXLxVaU5FoXud9rZ2XzLJEjSYWFMA0GCSqGSIb3DQEBCwUAMDUx
HDAaBgNVBAMME0FzdGVyaXNrIFByaXZhdGUgQ0ExFTATBgNVBAoMDDE5Mi4xNjgu
MS4zMDAeFw0yMTEwMjkxNTMyMTVaFw0yMjEwMjkxNTMyMTVaMDUxHDAaBgNVBAMM
E0FzdGVyaXNrIFByaXZhdGUgQ0ExFTATBgNVBAoMDDE5Mi4xNjguMS4zMDCCAiIw
DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANaMY0AM0svtHpG3EBI0pn5a+Hs5
ATfb26UwTxuEsf+Z27HAl8apjz/uMfRLEQcJiqDHUgR1NBFWUeUcJQfghR34Ap76
pyjup7qe32M05hAWjKtTITxZZNg2EquaUq0k+i9uOqG5KFMw9Z5ZVBwl6XrAwlFk
4nVTOtu56I57mak6s40Nx/E0L8zLd3VKDbQMdAQXRYykzkH/L9z83ujmr3pg5n81
d+QFwBVdWruo5FG2pMmwEjCAA5ASAUjTIvPw1Ty0Gnpz3asaSS/+AJ1IcKrbLhyN
svcfOTvGRv5DE+peJdnuYXzEAfXbekLKGJUiDsiylZbm+22xkjXMPLVxrgvjSvjy
5cHGDvbLQBKoVqgky6yoURKWIV5FVjJSXiIzInzT3rE1LZaZNOh5sW+XjZEf0U2V
mTmZwyB9+jzFUa2p14onktIQGOP1xt0ORTJ+taWLMD4kBjgYeEyA0ntpxezVaHwU
h7O5sNSKggTgKbGzEepV3gTFieykhDO3U2d0VXfXpjzUvjddMOivEnFla4PQBYC9
MryHmCKesvLZS3CZtRitdzdX2Ufg0tZiMNbAk09KpR0Ow98yfEakfAFijA2N1Y/v
OJok4zRqhkt+fXYHZe1616a/Q+WnuJAO31TtnDV/g1IQBlKfcuDvLrpNgYwHfemj
LqoZlF4FXQ6uQFgVAgMBAAEwDQYJKoZIhvcNAQELBQADggIBANP6nGVI59YdL7Xg
vIYEW7OCTxV7pDbZk6Ocq0xFlgg2O356BMtPm/7OUVBZyYKJKvpKT4IS0uM0zKJz
/rjjFEWFWEfxWFGG3iwX7wLEsDIZyKava/nSiiCB6UDIDJNWLinTWzVuP2Ui9DjS
D1ntXzt2k8Qf0uOBGuTs2VtL040EvXKUVZ2wHZfp/5mMO0DZr6HYFajMF30LFYVe
H9nsg8s9fzIl1ABu09+/W3Y0qiErwGjRJcgDS2L/+34EppQPgRRz/JItWECurgD5
qVuzYBfLc0SDipDo3EVDnnKyRAa3yVKU1I/o9bz76T8DpakVSdF8GwoCJGHvE/OO
YONt3EtTmALGSSeHT3o8xhK5nqX9mawhaXKbAASJ82q7r0zXMHq14zD+fULaq8pf
olEVj91DaZM+p011PDxOYjIfc0+1ifDOxs777ovQOuTmWjwoK3EN9q/xWSzlC37O
TCKysNxegmOkuaA+UimTWtKLc3ouL0CUjdQiGKjPtP0/EHdhMBGKtRFCpbUockoI
+w4bn4PD3GFkec8/3pyYQ5G4DRYmeRdVlQC1d73z7ZNxYw+drGf/W/zoPFZ+Y7y7
m3GupSfCcgX8/eMD2n/0uDoyairYe7RLE1v//1oQMIEcFTVNytIBOeXTjBoQMe2U
2GQpXqU3q/WranmL1rUcl2DREZMd
-----END CERTIFICATE-----

and this is the log when i start asterisk:
https://docs.google.com/document/d/1FFA3wFg7GqRPyi8toazUAinvSik8fQPL5IL1lOwJO7c/edit?usp=sharing

Sorry for my english and thanks for reading !

gatomalandr0 · October 29, 2021, 4:28pm

More info:
The root certificate that asterisk generate on the tutorial ( ca.crt ) i installed on the computer that is trying to connect to asterisk and still get this erros.

david551 · October 29, 2021, 5:41pm

Have you installed it in Asterisk?

gatomalandr0 · October 29, 2021, 6:06pm

No, i didnt installed the certificate on asterisk machine, i installed on the client.
But i think the problem is the browsers that doesnt accept this type of certificate.

david551 · October 29, 2021, 6:51pm

I’m referring to the CA certificate. openssl appears to be failing because you haven’t provided it with that.

gatomalandr0 · October 29, 2021, 7:04pm

provided what? i just used the script from asterisk.

david551 · October 29, 2021, 7:14pm

Please provide your pjsip.conf settings for the SSL certificate and key files and say what is in each named file.

If not using chan_pjsip, note that chan_sip is deprecated, but provide the same information from sip.conf.

gatomalandr0 · October 29, 2021, 10:02pm

its a certificate error. I tried to use the same certificate with golang https and didnt work.

system · November 28, 2021, 10:02pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.