[SOLVED] AMI with TLS: Connection refused

Hi,
I have been using the same process to configure TLS on AMI since Asterisk 11; now on Asterisk 20 I am getting this error when I try to connect to port 5039:

openssl s_client -connect 172.16.1.167:5039

140595437129792:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:108:
140595437129792:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:109:
connect:errno=111

I can connect without a problem on port 5038. Here is how I configured my manager.conf:

[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0
tlsenable=yes
tlsbindaddr=0.0.0.0:5039
tlscertfile=/etc/asterisk/keys/asterisk.crt
tlsprivatekey=/etc/asterisk/keys/asterisk.key

I am using Debian 11 and Asterisk 20.1.0

I have no idea where the problem is.
Am I missing something in the configuration?

I found the problem.

I upgraded from Asterisk 16 to Asterisk 20 and kept the keys.

I generated new certificates using ast_tls_cert:

contrib/scripts/ast_tls_cert -C pbx1.mycompany.local -O "My Company" -d /etc/asterisk/keys
chmod 600 /etc/asterisk/keys/*.*

I restarted Asterisk and now it is working again.

For some reason the old keys generated on Asterisk 16 aren't compatible with Asterisk 20.


For what it’s worth, I did a diff of the ast_tls_cert script between two different versions of the Debian package for Asterisk (one for Asterisk 16.x, the other for Asterisk 20), and this is all I found:

ldo@theon:asterisk-debian> diff -u asterisk-*/contrib/scripts/ast_tls_cert
--- asterisk-16.15.0~dfsg/contrib/scripts/ast_tls_cert  2020-11-20 01:34:40.000000000 +1300
+++ asterisk-20.0.0~dfsg+~cs6.12.40431414/contrib/scripts/ast_tls_cert  2022-10-20 03:31:39.000000000 +1300
@@ -49,7 +49,7 @@
 create_cert () {
        local base=${OUTPUT_DIR}/${OUTPUT_BASE}
        echo "Creating certificate ${base}.key"
-       openssl genrsa -out ${base}.key ${KEYBITS:-1024} > /dev/null
+       openssl genrsa -out ${base}.key ${KEYBITS:-2048} > /dev/null
        if [ $? -ne 0 ];
        then
                echo "Failed"
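Review bot: the new 2048-bit default on the `openssl genrsa` line only applies to keys created after this change, and only when KEYBITS is unset; keys already on disk keep their old 1024-bit size, which is consistent with the earlier reply in this thread having to re-run ast_tls_cert after moving from Asterisk 16 to 20. A line in the script (or the upgrade notes) telling operators to regenerate pre-existing keys would save that debugging. Minor point on the same line: `${base}.key` is unquoted and would break for an OUTPUT_DIR containing spaces; `> /dev/null` only discards stdout, so the `$?` check below still sees openssl's exit status, which is fine.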
@@ -87,7 +87,7 @@
   -f  Config filename (openssl config file format)
   -c  CA cert filename (creates new CA cert/key as ca.crt/ca.key if not passed)
   -k  CA key filename
-  -b  The desired size of the private key in bits. Default is 1024.
+  -b  The desired size of the private key in bits. Default is 2048.
   -C  Common name (cert field)
         This should be the fully qualified domain name or IP address for
         the client or server. Make sure your certs have unique common
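Review bot: the `-b` help text now matches the new default, but it does not say why 2048 was chosen or whether smaller values are still accepted; as written, an operator can still pass `-b 1024` and get a key of the size this thread associates with the Asterisk 20 failure. Consider enforcing a minimum for KEYBITS in create_cert (and saying so here) rather than only documenting the default.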

So the only change is in key length.
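Since the thread comes down to key length, a pre-upgrade check that reads the keys in /etc/asterisk/keys (the directory from the thread) and flags anything shorter than 2048 bits is the practical takeaway. The following is an added example, not code from the thread or from Asterisk: it parses the PEM directly (both the "RSA PRIVATE KEY" form written by OpenSSL 1.1 and the "PRIVATE KEY" form written by OpenSSL 3), so it needs no openssl binary; the sample key it builds is constructed in code and is not a usable key. It assumes Python 3.8 or newer.

```python
import base64
import re
# Minimal DER reader: enough for the RSAPrivateKey (PKCS#1, "BEGIN RSA PRIVATE KEY") and
# PrivateKeyInfo (PKCS#8, "BEGIN PRIVATE KEY") forms that `openssl genrsa` writes.
def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_key_bits(pem: str) -> int:
    """Return the RSA modulus size in bits of a PEM-encoded private key."""
    m = re.search(r"-----BEGIN (RSA )?PRIVATE KEY-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("not a PEM private key")
    _, body, _ = _read_tlv(base64.b64decode("".join(m.group(2).split())), 0)
    if not m.group(1):                          # PKCS#8: skip version and AlgorithmIdentifier,
        _, _, pos = _read_tlv(body, 0)          # then unwrap the OCTET STRING that holds the
        _, _, pos = _read_tlv(body, pos)        # PKCS#1 RSAPrivateKey (RSA is assumed here)
        _, body, _ = _read_tlv(_read_tlv(body, pos)[1], 0)
    _, _, pos = _read_tlv(body, 0)              # RSAPrivateKey.version
    tag, modulus, _ = _read_tlv(body, pos)      # RSAPrivateKey.modulus
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus; not an RSA key?")
    return int.from_bytes(modulus, "big").bit_length()

def audit_keys(pems: dict, minimum: int = 2048) -> dict:
    """Map key name -> (bits, ok); ok is False for keys shorter than `minimum` bits."""
    return {name: ((bits := rsa_key_bits(pem)), bits >= minimum) for name, pem in pems.items()}

# Constructed sample input (not a usable key): an RSAPrivateKey whose modulus has exactly
# `bits` bits, so the audit can be exercised offline without openssl.
def der_tlv(tag: int, body: bytes) -> bytes:
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    length = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(value: int) -> bytes:               # minimal positive INTEGER encoding
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def constructed_rsa_der(bits: int) -> bytes:
    modulus = (1 << (bits - 1)) | 1             # odd and exactly `bits` bits long
    return der_tlv(0x30, der_int(0) + der_int(modulus) + der_int(3) * 7)

def to_pem(der: bytes, label: str) -> str:
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
```

To audit a real installation, read each /etc/asterisk/keys/*.key file into a dict keyed by filename and pass it to audit_keys; any entry whose second value is False is a key of the kind this thread found needed regenerating.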
