Hello,
I’m a beginner to Asterisk and recently set up a simple PBX with UDP transport and PJSIP configuration successfully. Now I’m attempting to switch over to TLS transport and am having some issues with doing so.
After following through the first half (about TLS transport) of the Asterisk Wiki tutorial found here, I reloaded the PJSIP, fixed some minor errors that popped up, reloaded again and found one error still persisting. After reloading the entire service, it still was showing up.
Here’s the error:
[May 11 10:32:33] WARNING[4134]: pjproject: <?>: SSL STATUS_FROM_SSL_ERR (status): Level: 0 err: <336245135> <SSL routines-SSL_CTX_use_certificate-ee key too small> len: 0 peer: 192.168.2.129:51644
[May 11 10:32:33] ERROR[4134]: pjproject: <?>: ssl0x5612898e9250 Error loading certificate chain file '/etc/asterisk/keys/asterisk.crt': ee key too small
I’ve tried deleting all my certification keys and recreating them using the same methods shown on the website, but to no avail. I’ve also double-checked to make sure all the appropriate files were created in the keys folder.
I wasn’t sure exactly what would be necessary to see, so I’ve provided everything I think possibly could be necessary, all below, labeled with bold titles.
Thank you for taking the time to help me puzzle through this issue!
Contents of my pjsip.conf file:
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1
[karishbenkal]
type=aor
max_contacts=1
remove_existing=yes
[karishbenkal]
type=auth
auth_type=userpass
username=karishbenkal
password=1234
[karishbenkal]
type=endpoint
aors=karishbenkal
auth=karishbenkal
context=local
disallow=all
allow=g722
dtmf_mode=rfc4733
media_encryption=sdes
Initial certification file creation and output.
root@ubuntu:/usr/src/asterisk-17.4.0/contrib/scripts# ./ast_tls_cert -C 198.168.2.188 -O "CN Test" -d /etc/asterisk/keys
No config file specified, creating '/etc/asterisk/keys/tmp.cfg'
You can use this config file to create additional certs without
re-entering the information for the fields in the certificate
Creating CA key /etc/asterisk/keys/ca.key
Generating RSA private key, 4096 bit long modulus (2 primes)
...............................................................++++
..................................................................................................++++
e is 65537 (0x010001)
Enter pass phrase for /etc/asterisk/keys/ca.key:
Verifying - Enter pass phrase for /etc/asterisk/keys/ca.key:
Creating CA certificate /etc/asterisk/keys/ca.crt
Enter pass phrase for /etc/asterisk/keys/ca.key:
Creating certificate /etc/asterisk/keys/asterisk.key
Generating RSA private key, 1024 bit long modulus (2 primes)
.....+++++
........+++++
e is 65537 (0x010001)
Creating signing request /etc/asterisk/keys/asterisk.csr
Creating certificate /etc/asterisk/keys/asterisk.crt
Signature ok
subject=CN = 198.168.2.188, O = CN Test
Getting CA Private Key
Enter pass phrase for /etc/asterisk/keys/ca.key:
Combining key and crt into /etc/asterisk/keys/asterisk.pem
root@ubuntu:/usr/src/asterisk-17.4.0/contrib/scripts#
Client Certificate Creation and Output
root@ubuntu:/usr/src/asterisk-17.4.0/contrib/scripts# ./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C 198.168.2.188 -O "CN Test" -d /etc/asterisk/keys -o karish
No config file specified, creating '/etc/asterisk/keys/tmp.cfg'
You can use this config file to create additional certs without
re-entering the information for the fields in the certificate
Creating certificate /etc/asterisk/keys/karish.key
Generating RSA private key, 1024 bit long modulus (2 primes)
........................................+++++
..+++++
e is 65537 (0x010001)
Creating signing request /etc/asterisk/keys/karish.csr
Creating certificate /etc/asterisk/keys/karish.crt
Signature ok
subject=CN = 198.168.2.188, O = CN Test
Getting CA Private Key
Enter pass phrase for /etc/asterisk/keys/ca.key:
Combining key and crt into /etc/asterisk/keys/karish.pem
Blink Preferences
Network/SIP Settings
TLS Cert File Settings
TLS Port Settings
Codec Settings
And I am certain that my username and password match the pjsip.conf file.
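Added example, not part of the original post: the `ast_tls_cert` output above reports a 1024-bit RSA key for `asterisk.key`, and OpenSSL raises `ee key too small` when an end-entity certificate's key is below the minimum for the active security level. The Python sketch below reads such output and compares each key with the documented per-level RSA minimums; `required_level=2` is an assumption (the post does not state the host's OpenSSL security level), and the function names are illustrative.

```python
import re

# Minimum RSA modulus size (bits) per OpenSSL security level, as documented
# for SSL_CTX_set_security_level(3).
RSA_MIN_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

# Constructed sample: lines copied from the ast_tls_cert output in the post.
TRANSCRIPT = """\
Creating CA key /etc/asterisk/keys/ca.key
Generating RSA private key, 4096 bit long modulus (2 primes)
Creating CA certificate /etc/asterisk/keys/ca.crt
Creating certificate /etc/asterisk/keys/asterisk.key
Generating RSA private key, 1024 bit long modulus (2 primes)
Creating signing request /etc/asterisk/keys/asterisk.csr
Creating certificate /etc/asterisk/keys/asterisk.crt
"""

_CREATING = re.compile(r"^Creating (?:CA key|certificate) (\S+\.key)\s*$")
_GENERATING = re.compile(r"^Generating RSA private key, (\d+) bit")

def key_sizes(transcript):
    """Pair each '.key' path the script announces with the RSA size that follows."""
    sizes, pending = {}, None
    for line in transcript.splitlines():
        line = line.strip()
        m = _CREATING.match(line)
        if m:
            pending = m.group(1)
            continue
        m = _GENERATING.match(line)
        if m and pending:
            sizes[pending] = int(m.group(1))
            pending = None
    return sizes

def max_level(bits):
    """Highest security level whose RSA minimum this key size still meets."""
    return max(lvl for lvl, need in RSA_MIN_BITS.items() if bits >= need)

def audit(transcript, required_level=2):
    """Return {path: (bits, highest level met, accepted)}.

    required_level=2 is an assumption about the host, not a value from the post.
    """
    return {path: (bits, max_level(bits), max_level(bits) >= required_level)
            for path, bits in key_sizes(transcript).items()}

if __name__ == "__main__":
    for path, (bits, lvl, ok) in audit(TRANSCRIPT).items():
        print(f"{path}: RSA {bits} bit, meets level {lvl}, {'ok' if ok else 'too small'}")
```

To confirm the size on the file itself rather than from the script output, `openssl x509 -in /etc/asterisk/keys/asterisk.crt -noout -text` prints the public key length.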