I have configured my asterisk to connect to a sip tls provider. It’s working fine (tls & srtp). I am trying to connect to a second provider without success. I can configure asterisk to connect to the second one only and again it is working fine. The case is that I need both trunks working simultaneously. So if I set certs in sip.conf in peer configuration asterisk doesn’t start port 5061 at all.
If I add a certificate in sip.conf [general] and in peers too it tries to authenticate to sip provider with the cert added in [general]…
So it looks like asterisk reads only certs added in [general] section and can authenticate to only one sip provider. Is there any way to make it work with several certificates to several providers?
I am using latest Ubuntu 16.04 LTS with Asterisk-13.1.0~dfsg-1.1ubuntu4.1 and chan_sip
The case is like this… I have two asterisk servers doing… lots of things somewhere on the net. At the same time I have two clients (asterisks) somewhere else on the net. These four boxes must be cross connected for failover in both directions.
According to the documentation you create server and customer certificates this way:
# server
./ast_tls_cert -C 7.7.7.7 -O "server1" -d /etc/asterisk/keys
This command generates all server certificates, keys, etc. Then using them you can create customer certificates:
./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C 1.2.3.4 -O "server1" -d /etc/asterisk/keys -o peer1
./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C 1.2.3.5 -O "server1" -d /etc/asterisk/keys -o peer2
So this procedure is done twice for both servers using their ip addresses (and respectively clients).
So what do I have to do to make the client cert (and CA) authenticate at both servers?
Running two instances at one server is not a good idea because I will need these for failover.
In that case you would have a single certificate authority and multiple client certificates all from it. Then each server would be able to verify that the client certificate was issued from the same certificate authority.
Ok, thanks! Everything is up and working now… here is what I did:
I saw in ast_tls_cert that if ca.crt exists it doesn't overwrite it. So first I created the first server cert:
./ast_tls_cert -C 7.7.7.7 -O "server1" -d /etc/asterisk/temp_keys
Copied combined key and certificate to a new name:
cp asterisk.pem server1.pem
Created the certificate for the second server:
./ast_tls_cert -C 9.9.9.9 -O "server2" -d /etc/asterisk/temp_keys
It overwrites asterisk.pem (and the other asterisk.* files). Copied the file to:
cp asterisk.pem server2.pem
Then I created certificates for the clients:
./ast_tls_cert -m client -c /etc/asterisk/temp_keys/ca.crt -k /etc/asterisk/temp_keys/ca.key -C 1.2.3.4 -O "server1" -d /etc/asterisk/temp_keys -o peer1
./ast_tls_cert -m client -c /etc/asterisk/temp_keys/ca.crt -k /etc/asterisk/temp_keys/ca.key -C 1.2.3.5 -O "server1" -d /etc/asterisk/temp_keys -o peer2
At the end I had the same ca.crt for servers and clients and pem (certificate and key combined) for everyone:
server1.pem, server2.pem, peer1.pem, peer2.pem
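The same layout as the procedure above (one CA, two server certs, two client certs, each as a combined key+cert .pem), done with plain openssl instead of ast_tls_cert so the steps and the chain check are visible. This is an added example, not from the thread or from Asterisk; the IPs, names and directory are constructed placeholders, and verify_leaf is the check that every .pem really chains to the single ca.crt.

```shell
#!/bin/sh
# Added example: one private CA, several leaf certs signed by it (constructed names/IPs).
set -eu

# make_ca DIR: the single CA that every server and client cert chains to.
# ca.key only ever needs to exist on the box that issues certs.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$1/ca.key" -out "$1/ca.crt" \
    -subj "/CN=Asterisk Private CA" 2>/dev/null
}

# make_leaf DIR NAME SUBJECT: key + CSR, signed by the CA, then the combined
# .pem (key followed by cert) that Asterisk expects for tlscertfile.
make_leaf() {
  dir=$1; name=$2; subj=$3
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
    -out "$dir/$name.csr" -subj "$subj" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
    -out "$dir/$name.crt" 2>/dev/null
  cat "$dir/$name.key" "$dir/$name.crt" > "$dir/$name.pem"
  rm -f "$dir/$name.csr"
}

# verify_leaf DIR NAME: returns 0 only if NAME.crt chains to DIR/ca.crt.
# A cert issued by a second, accidental CA (separate ast_tls_cert runs
# into separate directories) fails this check.
verify_leaf() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# build_all DIR: reproduce the thread's end state, server1/server2/peer1/peer2
# all issued from the one CA.
build_all() {
  make_ca "$1"
  make_leaf "$1" server1 "/CN=7.7.7.7/O=server1"
  make_leaf "$1" server2 "/CN=9.9.9.9/O=server2"
  make_leaf "$1" peer1   "/CN=1.2.3.4/O=server1"
  make_leaf "$1" peer2   "/CN=1.2.3.5/O=server1"
}

if [ "${1:-}" = "run" ]; then
  KEYDIR=$(mktemp -d)
  build_all "$KEYDIR"
  for n in server1 server2 peer1 peer2; do
    verify_leaf "$KEYDIR" "$n" && echo "$n.pem chains to ca.crt"
  done
fi
```

Deploy ca.crt plus the matching .pem to each box (tlscafile / tlscertfile); the CA private key does not need to leave the issuing host.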