I have a direct link between two Asterisk servers. This allows me to place direct and encrypted calls. I created my own certificates for this purpose and it works great! This is what the configuration looks like:

    [general]
    tlsenable=yes
    tlsbindaddr=::
    tlscertfile=/etc/asterisk/keys/asterisk.mycert.pem
    tlscafile=/etc/asterisk/keys/mycacert.pem
    tlscapath=/etc/asterisk/keys
    tlscipher=TLSv1
    tlsclientmethod=tlsv1

    [otherside]
    type=peer
    host=asterisk.otherside.com
    defaultuser=auser
    secret=SuperSecret
    context=incoming
    transport=tls
As I said, this works perfectly. No errors whatsoever. Now I want to add another Asterisk server. But that server uses a certificate that was not signed by my own CA certificate. It is also a certificate that those guys created with their own CA file; it was not handed out by an official CA, just like my own. And as soon as I add their server, I get this error:
tcptls.c:621 handle_tcptls_connection: Certificate did not verify: self signed certificate in certificate chain
I tried importing their CA certificate into /usr/local/share/ca-certificates/ and ran update-ca-certificates. And sure enough, 1 new certificate was added. But I still get that error in Asterisk, even after restarting Asterisk entirely.
I tried to comment out tlscafile=/etc/asterisk/keys/mycacert.pem while leaving tlscapath=/etc/asterisk/keys active, (hopefully) forcing Asterisk to use all keys in /etc/asterisk/keys/. That seemed to work, because my own certificate didn't give any errors. But I still get errors on the other certificate.
How can I tell Asterisk it can trust that certificate?
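The tlscapath lookup this question is probing, as an added shell example that is not from the original post: it assumes only that `openssl` is on PATH, generates two throwaway CAs (one per side of the trunk) in a temporary directory that stands in for /etc/asterisk/keys, and shows that the other side's certificate verifies only once their CA sits in that directory under its subject-hash file name.

```shell
# Added example, not from the original post: OpenSSL (which Asterisk's TLS
# code uses) finds a CA in a CApath directory only through a file named
# <subject-hash>.<n>, so copying a PEM into tlscapath is not enough on its own.
# All keys and certificates are throwaway test data generated here; $CAPATH
# stands in for /etc/asterisk/keys.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/capath"; mkdir -p "$CAPATH"
# minimal req config: empty DN section (we use -subj) plus a CA extension set
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
# make_ca NAME: a self-signed CA, like the ones both sides of the trunk made
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
    -subj "/CN=$1 Root CA" -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}
# make_leaf NAME CA: a server certificate signed by that CA
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=$1.example" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$2-ca.pem" \
    -CAkey "$WORK/$2-ca.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}
# install_ca FILE: place a CA under its hash name (what c_rehash does in bulk)
install_ca() {
  h=$(openssl x509 -in "$1" -noout -subject_hash); n=0
  while [ -e "$CAPATH/$h.$n" ]; do n=$((n + 1)); done
  cp "$1" "$CAPATH/$h.$n"
}
# verify_leaf FILE: succeeds only if a chain builds from our directory alone
verify_leaf() {
  openssl verify -no-CAfile -no-CApath -CApath "$CAPATH" "$1" >/dev/null 2>&1
}
make_ca mine;            make_ca theirs
make_leaf myserver mine; make_leaf otherserver theirs
install_ca "$WORK/mine-ca.pem"
if verify_leaf "$WORK/otherserver.pem"; then BEFORE=ok; else BEFORE=fail; fi
install_ca "$WORK/theirs-ca.pem"
if verify_leaf "$WORK/otherserver.pem"; then AFTER=ok; else AFTER=fail; fi
echo "other side before/after adding their CA: $BEFORE / $AFTER"
```

Running the same hashing step over a real tlscapath directory (openssl rehash or c_rehash) is the bulk equivalent of install_ca; the point is that the file name, not just its presence, is what the directory lookup uses.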