Errors with tls

Had tls with Flowroute working some monhts ago. Upgraded to 16.27 /. Now getting
[Sep 14 06:51:02] WARNING[14144]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151573> len: 0 peer: 34.226.36.35:5061 [Sep 14 06:51:02] WARNING[14144]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151573> len: 0 peer: 34.226.36.32:5061
[Sep 14 06:51:02] WARNING[14144]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151573> len: 0 peer: 34.226.36.34:5061 [Sep 14 06:51:02] WARNING[14144]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151573> len: 0 peer: 34.226.36.33:5061
[Sep 14 06:51:02] WARNING[14144]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151573> len: 0 peer: 34.210.91.112:5061 [Sep 14 06:51:03] WARNING[14144]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151573> len: 0 peer: 34.210.91.114:5061
Any input on these errors?

changed pjsip.conf. now getting

[Sep 14 12:06:34] WARNING[15214]: pjproject: <?>:                  SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151573> <SSL routines-ssl3_read_bytes-sslv3 alert certificate expired>

Is this a server error?

Seeing SSL errors in general is more or less normal.

However, “certificate expired” would seem to indicate a problem about which you can (and should) do something - is the certificate PJSIP is using expired?

I believe the error is referring to the certificate on the server. I’m using LetsEncrypt and it works fine with another provider. This trunk is only used for outbound.

We don’t know which direction the calls are going, so we don’t know whether the server is Asterisk or something else.

The trunk is only used for outbound. I have a capture that shows the complete DIAL command and then the error.

-- Called PJSIP/12345678*12172245293@flowroute
[Sep 14 12:06:34] WARNING[15214]: pjproject: <?>:                  SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151573> <SSL routines-ssl3_read_bytes-sslv3 alert certificate expired> len: 0 peer: 34.226.36.34:5061

See post above

The certificate for the endpoint is for sa-east-sp.sip.flowroute.com, and valid from 12 Aug 2022 to 10 Nov 2022. It is signed by Lets Encrypt (R3), which is valid from 04 Sep 2020 to 15 Sep 2025.

So, if your clock is correct and you are not using an ancient version of Lets Encrypt’s signing certificate, it should produce an expired error.

The certificate chain is:

-----BEGIN CERTIFICATE-----
MIIFPTCCBCWgAwIBAgISA4JIOpm+gUSlqkaQFWwzwrC/MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjA4MTIyMjUwMDFaFw0yMjExMTAyMjUwMDBaMCcxJTAjBgNVBAMT
HHNhLWVhc3Qtc3Auc2lwLmZsb3dyb3V0ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDNXV4VzUYJyje9qUyTsRLPdvrLrIv+0DPCQxYfvpXN5trm
WDLzpre2OC/XqYrHUDO96vTfuBA63wVXIUTMTmJrdWhaYGxtdJCtqOu/cDgx8gh0
k5rOj6RZuBd6dgcXmsC722+ZhuqmNi8ZBjeGkeiIwOyKgHWZRO2TQxWuKpKXEMQo
WGc7/UGWet6p2Bc33zpqeaddUXTJy3QOA1wj1o43UCIxrZ0vSy8KEOldrjPorSsY
FzvTCWI8GYsN6xHllEOYp53TCHpK+Kp6CiVXhT5xvANEVKLjVryNZCrl97NhhEcC
ssezNEAiYSISrxXIcFTCds3j6H190tk/OkPOhm4NAgMBAAGjggJWMIICUjAOBgNV
HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
EwEB/wQCMAAwHQYDVR0OBBYEFD1JvMRdXru28H+MOSllS25pZZo0MB8GA1UdIwQY
MBaAFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEF
BQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8v
cjMuaS5sZW5jci5vcmcvMCcGA1UdEQQgMB6CHHNhLWVhc3Qtc3Auc2lwLmZsb3dy
b3V0ZS5jb20wTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAm
BggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEDBgorBgEE
AdZ5AgQCBIH0BIHxAO8AdQApeb7wnjk5IfBWc59jpXflvld9nGAK+PlNXSZcJV3H
hAAAAYKUdvwNAAAEAwBGMEQCICUT5O883qCRsMI//6nOlJoMrCu1R95Vcvwplxe2
fzK2AiBBOolhWx5pdimpJtgHARHrMH5reFyp9L6S2Bi4/q6FjwB2AN+lXqtogk8f
bK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABgpR2/fkAAAQDAEcwRQIgDJZ+b1aY
BiIo0xVXOpHLeLdqU0OYzP/42yDJEeZLp/cCIQC1EDr6e5l+vt9p8drnnf/fcOHO
Q3fJ7Jm3eBdHnfhXozANBgkqhkiG9w0BAQsFAAOCAQEAoBs7m3TGcvNhyLxpx5U/
3s8Dr3lURsHHlOXDZaATs6bWEXV/cOGLJY4r2Oa2dOWkPAahEW978iH1KgIXV+im
CaQXEJA6Goqn8L7WuNoMh0V/BzgCwDzCPz9ayK+xi1TSruvh+tTNeusC9OlPWyqi
Wq76ub2DFsMvARiX/5sH1sDLiRmr0BXHWg1BaGHZeffyczPxuCTvSiy1T1rMf6Wh
Vz0bFm3K7VD2gAlpEiTdy7nEt8E12uTZyNYr9Y+CnlX/qJfjl0EQU6VWG+RpJhmB
jR/SW1IOn4QXoAog8Juxy629Pi9gLxTcm0Z0bopuJjgSegv/n2C9U0ZygYOl/u/X
Dg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----

You should be able to use OpenSSL tools to interpret these, although I actually used Firefox, with a security check overridden.

Actually there is another certificate in the chain, for Internet Security Research Group, CN = ISRG Root X1, and it might be that you have an expired certificate for them. However, that seems unlikely, as it runs from 04 Jun 2015 to 04 Jun 2035

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:82:48:3a:99:be:81:44:a5:aa:46:90:15:6c:33:c2:b0:bf
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Aug 12 22:50:01 2022 GMT
            Not After : Nov 10 22:50:00 2022 GMT
        Subject: CN = sa-east-sp.sip.flowroute.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:cd:5d:5e:15:cd:46:09:ca:37:bd:a9:4c:93:b1:
                    12:cf:76:fa:cb:ac:8b:fe:d0:33:c2:43:16:1f:be:
                    95:cd:e6:da:e6:58:32:f3:a6:b7:b6:38:2f:d7:a9:
                    8a:c7:50:33:bd:ea:f4:df:b8:10:3a:df:05:57:21:
                    44:cc:4e:62:6b:75:68:5a:60:6c:6d:74:90:ad:a8:
                    eb:bf:70:38:31:f2:08:74:93:9a:ce:8f:a4:59:b8:
                    17:7a:76:07:17:9a:c0:bb:db:6f:99:86:ea:a6:36:
                    2f:19:06:37:86:91:e8:88:c0:ec:8a:80:75:99:44:
                    ed:93:43:15:ae:2a:92:97:10:c4:28:58:67:3b:fd:
                    41:96:7a:de:a9:d8:17:37:df:3a:6a:79:a7:5d:51:
                    74:c9:cb:74:0e:03:5c:23:d6:8e:37:50:22:31:ad:
                    9d:2f:4b:2f:0a:10:e9:5d:ae:33:e8:ad:2b:18:17:
                    3b:d3:09:62:3c:19:8b:0d:eb:11:e5:94:43:98:a7:
                    9d:d3:08:7a:4a:f8:aa:7a:0a:25:57:85:3e:71:bc:
                    03:44:54:a2:e3:56:bc:8d:64:2a:e5:f7:b3:61:84:
                    47:02:b2:c7:b3:34:40:22:61:22:12:af:15:c8:70:
                    54:c2:76:cd:e3:e8:7d:7d:d2:d9:3f:3a:43:ce:86:
                    6e:0d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                3D:49:BC:C4:5D:5E:BB:B6:F0:7F:8C:39:29:65:4B:6E:69:65:9A:34
            X509v3 Authority Key Identifier: 
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access: 
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name: 
                DNS:sa-east-sp.sip.flowroute.com
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5:
                                BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84
                    Timestamp : Aug 12 23:50:01.997 2022 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:25:13:E4:EF:3C:DE:A0:91:B0:C2:3F:FF:
                                A9:CE:94:9A:0C:AC:2B:B5:47:DE:55:72:FC:29:97:17:
                                B6:7F:32:B6:02:20:41:3A:89:61:5B:1E:69:76:29:A9:
                                26:D8:07:01:11:EB:30:7E:6B:78:5C:A9:F4:BE:92:D8:
                                18:B8:FE:AE:85:8F
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DF:A5:5E:AB:68:82:4F:1F:6C:AD:EE:B8:5F:4E:3E:5A:
                                EA:CD:A2:12:A4:6A:5E:8E:3B:12:C0:20:44:5C:2A:73
                    Timestamp : Aug 12 23:50:02.489 2022 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:0C:96:7E:6F:56:98:06:22:28:D3:15:57:
                                3A:91:CB:78:B7:6A:53:43:98:CC:FF:F8:DB:20:C9:11:
                                E6:4B:A7:F7:02:21:00:B5:10:3A:FA:7B:99:7E:BE:DF:
                                69:F1:DA:E7:9D:FF:DF:70:E1:CE:43:77:C9:EC:99:B7:
                                78:17:47:9D:F8:57:A3
    Signature Algorithm: sha256WithRSAEncryption
         a0:1b:3b:9b:74:c6:72:f3:61:c8:bc:69:c7:95:3f:de:cf:03:
         af:79:54:46:c1:c7:94:e5:c3:65:a0:13:b3:a6:d6:11:75:7f:
         70:e1:8b:25:8e:2b:d8:e6:b6:74:e5:a4:3c:06:a1:11:6f:7b:
         f2:21:f5:2a:02:17:57:e8:a6:09:a4:17:10:90:3a:1a:8a:a7:
         f0:be:d6:b8:da:0c:87:45:7f:07:38:02:c0:3c:c2:3f:3f:5a:
         c8:af:b1:8b:54:d2:ae:eb:e1:fa:d4:cd:7a:eb:02:f4:e9:4f:
         5b:2a:a2:5a:ae:fa:b9:bd:83:16:c3:2f:01:18:97:ff:9b:07:
         d6:c0:cb:89:19:ab:d0:15:c7:5a:0d:41:68:61:d9:79:f7:f2:
         73:33:f1:b8:24:ef:4a:2c:b5:4f:5a:cc:7f:a5:a1:57:3d:1b:
         16:6d:ca:ed:50:f6:80:09:69:12:24:dd:cb:b9:c4:b7:c1:35:
         da:e4:d9:c8:d6:2b:f5:8f:82:9e:55:ff:a8:97:e3:97:41:10:
         53:a5:56:1b:e4:69:26:19:81:8d:1f:d2:5b:52:0e:9f:84:17:
         a0:0a:20:f0:9b:b1:cb:ad:bd:3e:2f:60:2f:14:dc:9b:46:74:
         6e:8a:6e:26:38:12:7a:0b:ff:9f:60:bd:53:46:72:81:83:a5:
         fe:ef:d7:0e
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            91:2b:08:4a:cf:0c:18:a7:53:f6:d6:2e:25:a7:5f:5a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Sep  4 00:00:00 2020 GMT
            Not After : Sep 15 16:00:00 2025 GMT
        Subject: C = US, O = Let's Encrypt, CN = R3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bb:02:15:28:cc:f6:a0:94:d3:0f:12:ec:8d:55:
                    92:c3:f8:82:f1:99:a6:7a:42:88:a7:5d:26:aa:b5:
                    2b:b9:c5:4c:b1:af:8e:6b:f9:75:c8:a3:d7:0f:47:
                    94:14:55:35:57:8c:9e:a8:a2:39:19:f5:82:3c:42:
                    a9:4e:6e:f5:3b:c3:2e:db:8d:c0:b0:5c:f3:59:38:
                    e7:ed:cf:69:f0:5a:0b:1b:be:c0:94:24:25:87:fa:
                    37:71:b3:13:e7:1c:ac:e1:9b:ef:db:e4:3b:45:52:
                    45:96:a9:c1:53:ce:34:c8:52:ee:b5:ae:ed:8f:de:
                    60:70:e2:a5:54:ab:b6:6d:0e:97:a5:40:34:6b:2b:
                    d3:bc:66:eb:66:34:7c:fa:6b:8b:8f:57:29:99:f8:
                    30:17:5d:ba:72:6f:fb:81:c5:ad:d2:86:58:3d:17:
                    c7:e7:09:bb:f1:2b:f7:86:dc:c1:da:71:5d:d4:46:
                    e3:cc:ad:25:c1:88:bc:60:67:75:66:b3:f1:18:f7:
                    a2:5c:e6:53:ff:3a:88:b6:47:a5:ff:13:18:ea:98:
                    09:77:3f:9d:53:f9:cf:01:e5:f5:a6:70:17:14:af:
                    63:a4:ff:99:b3:93:9d:dc:53:a7:06:fe:48:85:1d:
                    a1:69:ae:25:75:bb:13:cc:52:03:f5:ed:51:a1:8b:
                    db:15
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier: 
                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            X509v3 Authority Key Identifier: 
                keyid:79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E

            Authority Information Access: 
                CA Issuers - URI:http://x1.i.lencr.org/

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://x1.c.lencr.org/

            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1

    Signature Algorithm: sha256WithRSAEncryption
         85:ca:4e:47:3e:a3:f7:85:44:85:bc:d5:67:78:b2:98:63:ad:
         75:4d:1e:96:3d:33:65:72:54:2d:81:a0:ea:c3:ed:f8:20:bf:
         5f:cc:b7:70:00:b7:6e:3b:f6:5e:94:de:e4:20:9f:a6:ef:8b:
         b2:03:e7:a2:b5:16:3c:91:ce:b4:ed:39:02:e7:7c:25:8a:47:
         e6:65:6e:3f:46:f4:d9:f0:ce:94:2b:ee:54:ce:12:bc:8c:27:
         4b:b8:c1:98:2f:a2:af:cd:71:91:4a:08:b7:c8:b8:23:7b:04:
         2d:08:f9:08:57:3e:83:d9:04:33:0a:47:21:78:09:82:27:c3:
         2a:c8:9b:b9:ce:5c:f2:64:c8:c0:be:79:c0:4f:8e:6d:44:0c:
         5e:92:bb:2e:f7:8b:10:e1:e8:1d:44:29:db:59:20:ed:63:b9:
         21:f8:12:26:94:93:57:a0:1d:65:04:c1:0a:22:ae:10:0d:43:
         97:a1:18:1f:7e:e0:e0:86:37:b5:5a:b1:bd:30:bf:87:6e:2b:
         2a:ff:21:4e:1b:05:c3:f5:18:97:f0:5e:ac:c3:a5:b8:6a:f0:
         2e:bc:3b:33:b9:ee:4b:de:cc:fc:e4:af:84:0b:86:3f:c0:55:
         43:36:f6:68:e1:36:17:6a:8e:99:d1:ff:a5:40:a7:34:b7:c0:
         d0:63:39:35:39:75:6e:f2:ba:76:c8:93:02:e9:a9:4b:6c:17:
         ce:0c:02:d9:bd:81:fb:9f:b7:68:d4:06:65:b3:82:3d:77:53:
         f8:8e:79:03:ad:0a:31:07:75:2a:43:d8:55:97:72:c4:29:0e:
         f7:c4:5d:4e:c8:ae:46:84:30:d7:f2:85:5f:18:a1:79:bb:e7:
         5e:70:8b:07:e1:86:93:c3:b9:8f:dc:61:71:25:2a:af:df:ed:
         25:50:52:68:8b:92:dc:e5:d6:b5:e3:da:7d:d0:87:6c:84:21:
         31:ae:82:f5:fb:b9:ab:c8:89:17:3d:e1:4c:e5:38:0e:f6:bd:
         2b:bd:96:81:14:eb:d5:db:3d:20:a7:7e:59:d3:e2:f8:58:f9:
         5b:b8:48:cd:fe:5c:4f:16:29:fe:1e:55:23:af:c8:11:b0:8d:
         ea:7c:93:90:17:2f:fd:ac:a2:09:47:46:3f:f0:e9:b0:b7:ff:
         28:4d:68:32:d6:67:5e:1e:69:a3:93:b8:f5:9d:8b:2f:0b:d2:
         52:43:a6:6f:32:57:65:4d:32:81:df:38:53:85:5d:7e:5d:66:
         29:ea:b8:dd:e4:95:b5:cd:b5:56:12:42:cd:c4:4e:c6:25:38:
         44:50:6d:ec:ce:00:55:18:fe:e9:49:64:d4:4e:ca:97:9c:b4:
         5b:c0:73:a8:ab:b8:47:c2

This is the ISRG one as used by Firefox:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Jun  4 11:04:38 2015 GMT
            Not After : Jun  4 11:04:38 2035 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:ad:e8:24:73:f4:14:37:f3:9b:9e:2b:57:28:1c:
                    87:be:dc:b7:df:38:90:8c:6e:3c:e6:57:a0:78:f7:
                    75:c2:a2:fe:f5:6a:6e:f6:00:4f:28:db:de:68:86:
                    6c:44:93:b6:b1:63:fd:14:12:6b:bf:1f:d2:ea:31:
                    9b:21:7e:d1:33:3c:ba:48:f5:dd:79:df:b3:b8:ff:
                    12:f1:21:9a:4b:c1:8a:86:71:69:4a:66:66:6c:8f:
                    7e:3c:70:bf:ad:29:22:06:f3:e4:c0:e6:80:ae:e2:
                    4b:8f:b7:99:7e:94:03:9f:d3:47:97:7c:99:48:23:
                    53:e8:38:ae:4f:0a:6f:83:2e:d1:49:57:8c:80:74:
                    b6:da:2f:d0:38:8d:7b:03:70:21:1b:75:f2:30:3c:
                    fa:8f:ae:dd:da:63:ab:eb:16:4f:c2:8e:11:4b:7e:
                    cf:0b:e8:ff:b5:77:2e:f4:b2:7b:4a:e0:4c:12:25:
                    0c:70:8d:03:29:a0:e1:53:24:ec:13:d9:ee:19:bf:
                    10:b3:4a:8c:3f:89:a3:61:51:de:ac:87:07:94:f4:
                    63:71:ec:2e:e2:6f:5b:98:81:e1:89:5c:34:79:6c:
                    76:ef:3b:90:62:79:e6:db:a4:9a:2f:26:c5:d0:10:
                    e1:0e:de:d9:10:8e:16:fb:b7:f7:a8:f7:c7:e5:02:
                    07:98:8f:36:08:95:e7:e2:37:96:0d:36:75:9e:fb:
                    0e:72:b1:1d:9b:bc:03:f9:49:05:d8:81:dd:05:b4:
                    2a:d6:41:e9:ac:01:76:95:0a:0f:d8:df:d5:bd:12:
                    1f:35:2f:28:17:6c:d2:98:c1:a8:09:64:77:6e:47:
                    37:ba:ce:ac:59:5e:68:9d:7f:72:d6:89:c5:06:41:
                    29:3e:59:3e:dd:26:f5:24:c9:11:a7:5a:a3:4c:40:
                    1f:46:a1:99:b5:a7:3a:51:6e:86:3b:9e:7d:72:a7:
                    12:05:78:59:ed:3e:51:78:15:0b:03:8f:8d:d0:2f:
                    05:b2:3e:7b:4a:1c:4b:73:05:12:fc:c6:ea:e0:50:
                    13:7c:43:93:74:b3:ca:74:e7:8e:1f:01:08:d0:30:
                    d4:5b:71:36:b4:07:ba:c1:30:30:5c:48:b7:82:3b:
                    98:a6:7d:60:8a:a2:a3:29:82:cc:ba:bd:83:04:1b:
                    a2:83:03:41:a1:d6:05:f1:1b:c2:b6:f0:a8:7c:86:
                    3b:46:a8:48:2a:88:dc:76:9a:76:bf:1f:6a:a5:3d:
                    19:8f:eb:38:f3:64:de:c8:2b:0d:0a:28:ff:f7:db:
                    e2:15:42:d4:22:d0:27:5d:e1:79:fe:18:e7:70:88:
                    ad:4e:e6:d9:8b:3a:c6:dd:27:51:6e:ff:bc:64:f5:
                    33:43:4f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
    Signature Algorithm: sha256WithRSAEncryption
         55:1f:58:a9:bc:b2:a8:50:d0:0c:b1:d8:1a:69:20:27:29:08:
         ac:61:75:5c:8a:6e:f8:82:e5:69:2f:d5:f6:56:4b:b9:b8:73:
         10:59:d3:21:97:7e:e7:4c:71:fb:b2:d2:60:ad:39:a8:0b:ea:
         17:21:56:85:f1:50:0e:59:eb:ce:e0:59:e9:ba:c9:15:ef:86:
         9d:8f:84:80:f6:e4:e9:91:90:dc:17:9b:62:1b:45:f0:66:95:
         d2:7c:6f:c2:ea:3b:ef:1f:cf:cb:d6:ae:27:f1:a9:b0:c8:ae:
         fd:7d:7e:9a:fa:22:04:eb:ff:d9:7f:ea:91:2b:22:b1:17:0e:
         8f:f2:8a:34:5b:58:d8:fc:01:c9:54:b9:b8:26:cc:8a:88:33:
         89:4c:2d:84:3c:82:df:ee:96:57:05:ba:2c:bb:f7:c4:b7:c7:
         4e:3b:82:be:31:c8:22:73:73:92:d1:c2:80:a4:39:39:10:33:
         23:82:4c:3c:9f:86:b2:55:98:1d:be:29:86:8c:22:9b:9e:e2:
         6b:3b:57:3a:82:70:4d:dc:09:c7:89:cb:0a:07:4d:6c:e8:5d:
         8e:c9:ef:ce:ab:c7:bb:b5:2b:4e:45:d6:4a:d0:26:cc:e5:72:
         ca:08:6a:a5:95:e3:15:a1:f7:a4:ed:c9:2c:5f:a5:fb:ff:ac:
         28:02:2e:be:d7:7b:bb:e3:71:7b:90:16:d3:07:5e:46:53:7c:
         37:07:42:8c:d3:c4:96:9c:d5:99:b5:2a:e0:95:1a:80:48:ae:
         4c:39:07:ce:cc:47:a4:52:95:2b:ba:b8:fb:ad:d2:33:53:7d:
         e5:1d:4d:6d:d5:a1:b1:c7:42:6f:e6:40:27:35:5c:a3:28:b7:
         07:8d:e7:8d:33:90:e7:23:9f:fb:50:9c:79:6c:46:d5:b4:15:
         b3:96:6e:7e:9b:0c:96:3a:b8:52:2d:3f:d6:5b:e1:fb:08:c2:
         84:fe:24:a8:a3:89:da:ac:6a:e1:18:2a:b1:a8:43:61:5b:d3:
         1f:dc:3b:8d:76:f2:2d:e8:8d:75:df:17:33:6c:3d:53:fb:7b:
         cb:41:5f:ff:dc:a2:d0:61:38:e1:96:b8:ac:5d:8b:37:d7:75:
         d5:33:c0:99:11:ae:9d:41:c1:72:75:84:be:02:41:42:5f:67:
         24:48:94:d1:9b:27:be:07:3f:b9:b8:4f:81:74:51:e1:7a:b7:
         ed:9d:23:e2:be:e0:d5:28:04:13:3c:31:03:9e:dd:7a:6c:8f:
         c6:07:18:c6:7f:de:47:8e:3f:28:9e:04:06:cf:a5:54:34:77:
         bd:ec:89:9b:e9:17:43:df:5b:db:5f:fe:8e:1e:57:a2:cd:40:
         9d:7e:62:22:da:de:18:27

tried both
contact = sip:us-east-va.sip.flowroute.com;transport=tls
contact = sip:sa-east-sp.sip.flowroute.com:5061;transport=tls

correct server name is supposed to be “us-east-va.sip.flowroute.com” according to their web pages.

The certificate is for “sa-east-sp.sip.flowroute.com”? No wonder why tls is failing. Thanks

I believe the Asterisk default is to accept man in the middle attacks, as long as the certificate is signed by someone trusted, however the documentation is confusing, for chan_pjsip, as it says that the default is an empty string, and the field has a custom value, but I can find no indication of the possible values, and the likely PJSIP API uses a boolean.

As such, and because the message is complaining about expiry, I don’t think the name mismatch is significant (I assume Flowroute wouldn’t do a MiTM attack on themselves!)

There was a big change in the way that Lets Encrypt certificates were signed, earlier in the year. I have a feeling there were two certification paths. I’m wondering if you only have the root certificates for the expired certification path, although I was never completely clear about what was happening.

I think you hit it. I spoke with someone at Flowroute and she was quizzing me asking which certificate I have. The I guess you’re saying “old?” certificate or the “CA” certificate. Either way, she requested a pcap which I sent.

I installed Wireshark & tcpdump. According to that my server is correctly sending to port 5061 but the server never responds to my user agent port. Don’t know why yet. It looks like openSSL just logs it as “certificate expired”. So this is looking more like a server issue.

Your firewall has to be badly configured to break a TCP set up. The TLS server at that address does respond, as that’s how I captured their certificate. Whilst I find OpenSSL errors unhelpful, and poorly documented, I don’t think you would get certificate expired for a reason other than certificate expired.

The reply should go to the port from which the TCP SYN was sent, which might not be the port configured for inbound use.

hmmm… Maybe their just not getting past the initial handshake. The same tls setup works fine with another ITSP. I’ll have to wait for a response from Flowroute.