Cert loading issue - ERROR[1539] tcptls.c: TLS/SSL error loading cert file

I am running Asterisk 13.10.0 and get calist and cert errors.

[Apr 21 13:54:41] ERROR[1539] tcptls.c: TLS/SSL error loading cert file. </etc/asterisk/keys/asterisk.pem>
[Apr 21 13:54:42] ERROR[1833] tcptls.c: TLS/SSL CA file(/etc/asterisk/keys/calist.pem)/path() error

I found another old thread where it was suggested to check the permissions for the cert files for the asterisk/admin users.
I did this and it does appear to be that neither admin/asterisk can access the files.

I tried doing chmod a+rw /etc/asterisk/keys/asterisk.pem
but I still get the same error and the same permission denied.
How do I correct the permissions on these cert files so the admin/asterisk users can access them?

sudo -u asterisk cat /etc/asterisk/keys/asterisk.pem

cat: /etc/asterisk/keys/asterisk.pem: Permission denied

(pbx-in-pbx1.pscs.pmirror.esnmirror.pri):(root) 14:07:04 BST Asterisk 13.10.0

sudo -u admin cat /etc/asterisk/keys/asterisk.pem

cat: /etc/asterisk/keys/asterisk.pem: Permission denied

(pbx-in-pbx1.pscs.pmirror.esnmirror.pri):(root) 14:07:13 BST Asterisk 13.10.0

sudo -u admin cat /etc/asterisk/keys/calist.pem

cat: /etc/asterisk/keys/calist.pem: Permission denied

(pbx-in-pbx1.pscs.pmirror.esnmirror.pri):(root) 14:07:23 BST Asterisk 13.10.0

sudo -u asterisk cat /etc/asterisk/keys/calist.pem

cat: /etc/asterisk/keys/calist.pem: Permission denied

If OpenSSL is sensible, setting world write permission on those files will cause it to treat them as potentially compromised and reject them. However, that doesn’t explain the cat failures, which could either be lack of execute permission on a directory, or an SELinux violation.

Note the error you are seeing will be reporting something from OpenSSL, so you should really treat this as an OpenSSL configuration issue, not an Asterisk one. Specifically for the second one, it means that OpenSSL returned an error when invoked via SSL_CTX_load_verify_locations(), with a file name and no path name. /docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html

Also note that Asterisk 13 is no longer supported for normal bugs and has only six months left for security vulnerabilities. This applies to 13.38.2. Asterisk 13.10.0 is almost five years old and will have known security vulnerabilities.

Finally fixed this. Problem was with the permissions.
This came from a colleague so don’t ask me to explain any further than the problem was Asterisk couldn’t access the certs in the directory.

This is what they should be:

ls -lZd /etc/asterisk/keys/

drwxr-x---. asterisk asterisk system_u:object_r:asterisk_etc_t:s0 /etc/asterisk/keys/

And these are the commands to set them to the above:

chown -R asterisk.asterisk /etc/asterisk/keys/

chmod 750 /etc/asterisk/keys/

chcon -R -v -u system_u -r object_r -t asterisk_etc_t /etc/asterisk/keys/

Solved my problem
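As an added check that is not part of the thread above, the following POSIX shell function audits a key directory for the conditions this thread turns on: the directory not being searchable (no execute bit) so every file inside reports "Permission denied", the files being owned by someone other than the service user, and the files being world-writable, which the chmod a+rw attempt introduced and which the OpenSSL reply warns about. It assumes GNU coreutils (stat -c) and takes the directory and service user as arguments, defaulting to the thread's /etc/asterisk/keys and asterisk; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit a TLS key directory for the
# ownership/mode problems that cause "TLS/SSL error loading cert file".
# Assumes GNU coreutils (stat -c). Usage: audit_key_dir /etc/asterisk/keys asterisk

# perm_bits PATH -> the last three octal digits of the mode, e.g. 750
perm_bits() {
    m=$(stat -c '%a' "$1") || return 1
    m=$(printf '%04d' "$m")      # pad so "0" becomes "0000" and "640" becomes "0640"
    printf '%s\n' "${m#?}"       # drop the setuid/setgid/sticky digit
}

# digit_has_bit DIGIT BIT -> true if octal DIGIT (0-7) includes BIT (4=r, 2=w, 1=x)
digit_has_bit() {
    [ $(( ($1 / $2) % 2 )) -eq 1 ]
}

# audit_key_dir DIR USER -> 0 if DIR and its files look usable by USER, 1 otherwise
audit_key_dir() {
    dir=${1:-/etc/asterisk/keys}
    user=${2:-asterisk}
    rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 2
    fi

    # Ownership: the thread's fix was chown -R asterisk.asterisk on the directory.
    owner=$(stat -c '%U' "$dir")
    if [ "$owner" != "$user" ]; then
        echo "FAIL: $dir is owned by $owner, expected $user"
        rc=1
    fi

    # A directory without the execute (search) bit yields "Permission denied"
    # for every file inside it, whatever the files' own modes are.
    dmode=$(perm_bits "$dir")
    downer=${dmode%??}
    dother=${dmode#??}
    if ! digit_has_bit "$downer" 4 || ! digit_has_bit "$downer" 1; then
        echo "FAIL: $dir mode $dmode is not readable/searchable by its owner"
        rc=1
    fi
    if [ "$dother" != 0 ]; then
        echo "WARN: $dir mode $dmode grants access to 'other'; the fix used 750"
    fi

    # Only inspect the files when the directory can be traversed; otherwise stat fails.
    if digit_has_bit "$downer" 1; then
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            fmode=$(perm_bits "$f")
            fowner=${fmode%??}
            fother=${fmode#??}
            if ! digit_has_bit "$fowner" 4; then
                echo "FAIL: $f mode $fmode is not readable by its owner"
                rc=1
            fi
            if digit_has_bit "$fother" 2; then
                echo "FAIL: $f mode $fmode is world-writable (chmod a+rw makes this worse)"
                rc=1
            fi
            if [ "$(stat -c '%U' "$f")" != "$user" ]; then
                echo "FAIL: $f is not owned by $user"
                rc=1
            fi
        done
    fi

    # On SELinux hosts the label matters as much as the mode bits; the fix used
    # chcon to set asterisk_etc_t. Print the context so it can be compared.
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" = "Enforcing" ]; then
        echo "INFO: SELinux enforcing; directory context: $(stat -c '%C' "$dir")"
    fi
    return "$rc"
}

# Run the audit only when invoked with arguments, e.g.
#   sh audit.sh /etc/asterisk/keys asterisk
if [ "$#" -gt 0 ]; then
    audit_key_dir "$@"
fi
```

Run it as root so stat can read every entry, then confirm the result the same way the original poster did, with sudo -u asterisk cat on the files: the mode bits this script checks are necessary but, on an SELinux host, not sufficient, which is why the context line is printed alongside them.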
