Hi,
I have a direct link between two Asterisk servers. This allows me to place direct and encrypted calls. I created my own certificates for this purpose and it works great! This is what the configuration looks like:
[general]
tlsenable=yes
tlsbindaddr=::
tlscertfile=/etc/asterisk/keys/asterisk.mycert.pem
tlscafile=/etc/asterisk/keys/mycacert.pem
tlscapath=/etc/asterisk/keys
tlscipher=TLSv1
tlsclientmethod=tlsv1
[otherside]
type=peer
host=asterisk.otherside.com
defaultuser=auser
secret=SuperSecret
context=incoming
transport=tls
As I said, this works perfectly. No errors whatsoever. Now I want to add another Asterisk server. But that server uses a certificate that was not signed by my own CA certificate. It is also a certificate that those guys created with their own CA file. It was not handed out by an official certificate authority. Just like my own. And as soon as I add their server, I get this error:
tcptls.c:621 handle_tcptls_connection: Certificate did not verify: self signed certificate in certificate chain
I tried importing their CA certificate into /usr/local/share/ca-certificates/ and ran update-ca-certificates. And sure enough, 1 new certificate was added. But I still get that error in Asterisk, even after restarting Asterisk entirely.
I tried commenting out tlscafile=/etc/asterisk/keys/mycacert.pem while leaving tlscapath=/etc/asterisk/keys active, (hopefully) forcing Asterisk to use all keys in /etc/asterisk/keys/. That seemed to work, because my own certificate didn’t give any errors. But I still get errors on the other certificate.
How can I tell Asterisk it can trust that certificate?
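A constructed demo, added here and not from the post or the Asterisk project, of why a CA file merely copied into the tlscapath directory is not picked up: Asterisk hands tlscafile and tlscapath to OpenSSL's SSL_CTX_load_verify_locations, and a CA directory is only searched by subject-hash filename (the <hash>.0 links that c_rehash / openssl rehash create). The site names, file names and temp directory are assumptions; it only needs the openssl CLI.

```shell
#!/bin/sh
# Constructed demo: two private CAs (one per Asterisk site), each signing its own
# server cert. Shows that a CA copied into a tlscapath directory is invisible until
# it is hash-linked, and that a concatenated tlscafile bundle trusts both CAs.
# Assumes the openssl CLI is in PATH; every path below is temporary and made here.
set -eu

# Create a self-signed CA and a server certificate it issues: $1 = site, $2 = CN.
make_site() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1 CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1-srv.key" -out "$WORK/$1-srv.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/$1-srv.csr" -CA "$WORK/$1-ca.pem" \
    -CAkey "$WORK/$1-ca.key" -CAcreateserial -out "$WORK/$1-srv.pem" 2>/dev/null
}

# Install a CA into a tlscapath-style directory the way c_rehash does: copy it in,
# then link it as <subject-hash>.<n>, the only name the directory lookup tries.
install_ca_hashed() {
  cp "$2" "$1/"
  h=$(openssl x509 -noout -hash -in "$2"); n=0
  while [ -e "$1/$h.$n" ]; do n=$((n + 1)); done
  ln -s "$(basename "$2")" "$1/$h.$n"
}

# The checks OpenSSL performs for tlscapath / tlscafile: return 0 when cert $2
# chains to a CA in directory $1 (capath_trusts) or in bundle file $1 (cafile_trusts).
capath_trusts() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }
cafile_trusts() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Build the situation from the post: my CA hash-linked in the keys dir, the other
# side's CA only copied there, plus a bundle file holding both CAs.
setup_demo() {
  WORK=$(mktemp -d); KEYS="$WORK/keys"; mkdir "$KEYS"
  make_site mine asterisk.mine.example
  make_site theirs asterisk.otherside.example
  install_ca_hashed "$KEYS" "$WORK/mine-ca.pem"
  cp "$WORK/theirs-ca.pem" "$KEYS/"
  cat "$WORK/mine-ca.pem" "$WORK/theirs-ca.pem" > "$WORK/ca-bundle.pem"
}

setup_demo
capath_trusts "$KEYS" "$WORK/mine-srv.pem"   && echo "own cert:   verified via tlscapath"
capath_trusts "$KEYS" "$WORK/theirs-srv.pem" || echo "their cert: NOT verified (CA copied, not hash-linked)"
install_ca_hashed "$KEYS" "$WORK/theirs-ca.pem"
capath_trusts "$KEYS" "$WORK/theirs-srv.pem" && echo "their cert: verified once hash-linked"
cafile_trusts "$WORK/ca-bundle.pem" "$WORK/theirs-srv.pem" && echo "their cert: verified via bundle tlscafile"
```

Both settings in the posted config point at /etc/asterisk/keys, not at the system store that update-ca-certificates maintains, so a CA added there is never consulted by this lookup.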