Problem setting up ssl connection:

Hi Guys,

I have a problem that has kept me busy for a week now.
I’m trying to create an SSL connection for Asterisk.

I have created the SSL certificate through

sudo contrib/scripts/ast_tls_cert -C hostname -O "My Organization" -b 2048 -d /etc/asterisk/keys

Have set the http.conf

[general]
servername=Asterisk
enabled=yes
bindaddr=0.0.0.0
bindport=8088
prefix=asterisk
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlsprivatekey=/etc/asterisk/keys/asterisk.pem

And checked it through the “HTTP show status” command.

HTTP Server Status:
Prefix: /asterisk
Server: Asterisk
Server Enabled and Bound to 0.0.0.0:8088

HTTPS Server Enabled and Bound to 0.0.0.0:8089

Enabled URI's:
/asterisk/httpstatus => Asterisk HTTP General Status
/asterisk/phoneprov/... => Asterisk HTTP Phone Provisioning Tool
/asterisk/ari/... => Asterisk RESTful API
/asterisk/ws => Asterisk HTTP WebSocket

It seems to work as I see the message https server enabled
but I keep getting the following error message when I try to connect to the was through

wss://[myip]:8089/asterisk/ws

[Aug 28 15:09:16] ERROR[8086]: iostream.c:647 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Aug 28 15:09:16] ERROR[8086]: tcptls.c:179 handle_tcptls_connection: Unable to set up ssl connection with peer '219.75.139.45:63402'
[Aug 28 15:09:16] ERROR[8086]: iostream.c:552 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error

Anybody got a clue what I am doing wrong here?
Your help would be highly appreciated.

Wesley

What are you connecting from? Have you accepted the self signed certificate on the client? What happens on the client?

I checked the connection with

https://www.websocket.org/echo.html

By the link

wss://[myip]:8089/asterisk/ws

This gives the error; also when I add the link to sip.js it gives the same error.
I bet I’m missing some settings, or am I wrong?

I followed the tutorial on asterisk.com about setting up the settings.

Thank you for your answer @jcolp

Visit https://[myip]:8089/ in your browser and ensure that the self signed certificate is accepted. If it’s not, then when the browser connects on that page it may not prompt you to accept it - and thus fail.


@jcolp

It indeed shows an error and the Asterisk certificate is not accepted.

If I understand correctly, the self-signed certificate of Asterisk is not correct.
To use a correct certificate I should get one from an official CA provider like Let's Encrypt, for example.

This would fix the issue.
Is this correct?

Thank you for your fast reply

I made it work.
It was indeed the SSL certificate.

With the Asterisk process, it doesn’t seem to be a valid certificate.
I have created one with Let's Encrypt.

Create certificate

certbot --apache -d {domain}

Copy certificate to asterisk

cat /etc/letsencrypt/live/{domain}/privkey.pem > /etc/asterisk/keys/asterisk.pem
cat /etc/letsencrypt/live/{domain}/fullchain.pem >> /etc/asterisk/keys/asterisk.pem

And connect through

wss://{domain}:8089/asterisk/ws

This seems to work fine.
Thank you jcolp!

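The copy step in the post above, rewritten as a certbot deploy hook so the combined file is rebuilt on every renewal and the private key is never left world-readable. This is an added example, not part of the original thread: the function names install_asterisk_pem and pem_mode are hypothetical, RENEWED_LINEAGE is the variable certbot exports to deploy hooks, and the destination path is the one from the http.conf above.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild Asterisk's combined PEM
# (private key first, then full chain) from a Let's Encrypt lineage directory.

# install_asterisk_pem LINEAGE_DIR DEST [OWNER]
#   LINEAGE_DIR  directory holding privkey.pem and fullchain.pem
#   DEST         file referenced by tlscertfile/tlsprivatekey in http.conf
#   OWNER        optional user:group for DEST (chown needs root)
install_asterisk_pem() {
    lineage=$1 dest=$2 owner=${3:-}
    key="$lineage/privkey.pem"
    chain="$lineage/fullchain.pem"

    # Refuse to overwrite a working file with something Asterisk cannot use.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null || {
        echo "no private key in $key" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$chain" 2>/dev/null || {
        echo "no certificate in $chain" >&2; return 1; }

    # Build the file next to DEST under a restrictive umask, then rename it
    # into place so a reader never sees a half-written or readable-by-all key.
    tmp=$(umask 077; mktemp "$dest.XXXXXX") || return 1
    if ! cat "$key" "$chain" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    chmod 600 "$tmp"
    if [ -n "$owner" ]; then
        chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$dest"
}

# pem_mode FILE: print the permission string of FILE, e.g. -rw-------
pem_mode() { ls -l "$1" | cut -c1-10; }

# certbot sets RENEWED_LINEAGE when it runs a deploy hook; do nothing otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_asterisk_pem "$RENEWED_LINEAGE" /etc/asterisk/keys/asterisk.pem
fi
```

Registered through certbot's --deploy-hook option, the script runs after each successful renewal. If Asterisk does not run as root, pass its user and group as the third argument so it can still read the mode 600 file.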

A self signed certificate is just that, self signed. Since it is such then the browser will not automatically trust it like is done for certificates issued by actual authorities. You can still use a self signed certificate but must ensure it is trusted in the browser, which depends on the browser. Using an actual issued certificate however removes that step and is simpler long term.


Organisations can, and larger ones probably should, become their own certificate issuing authorities.
