I am trying to set up secure calling via TLS. I’m following this secure calling tutorial: http://www.eisic.eu/program.aspx, but I get a certificate error in the Asterisk logs.
Summary of what I did:
- create the keys
- configure asterisk to use them (sip.conf)
- start asterisk
After doing this, Asterisk says:
UPDATE: I finally managed to get “certificate ok” by following these instructions: http://www.remiphilippe.fr/2010/05/30/sips-on-asterisk-sip-security-with-tls/. Is the ast_tls_cert script not working?
Now the details…
distro: Ubuntu 12.10
asterisk version: 1:1.8.13.1~dfsg-1ubuntu2
revision of ast_tls_cert script: svn r393284 [update: the same happens when using svn tag 1.8.13.1 http://svn.asterisk.org/svn/asterisk/tags/1.8.13.1/]
- creating the keys
$ mkdir /etc/asterisk/keys
$ /home/wb/workspace/asterisk//contrib/scripts/ast_tls_cert -C sip.example.com -O example.com -d /etc/asterisk/keys
No config file specified, creating '/etc/asterisk/keys/tmp.cfg'
You can use this config file to create additional certs without
re-entering the information for the fields in the certificate
Creating CA key /etc/asterisk/keys/ca.key
Generating RSA private key, 4096 bit long modulus
................................................................................................................................................................................++
...++
e is 65537 (0x10001)
Enter pass phrase for /etc/asterisk/keys/ca.key:
Verifying - Enter pass phrase for /etc/asterisk/keys/ca.key:
Creating CA certificate /etc/asterisk/keys/ca.crt
Enter pass phrase for /etc/asterisk/keys/ca.key:
Creating certificate /etc/asterisk/keys/asterisk.key
Generating RSA private key, 1024 bit long modulus
......................++++++
................................................++++++
e is 65537 (0x10001)
Creating signing request /etc/asterisk/keys/asterisk.csr
Creating certificate /etc/asterisk/keys/asterisk.crt
Signature ok
subject=/CN=sip.2084.eu/O=2084.eu
Getting CA Private Key
Enter pass phrase for /etc/asterisk/keys/ca.key:
Combining key and crt into /etc/asterisk/keys/asterisk.pem
- configure asterisk with a minimal sip.conf
[general]
context=default
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1
- start asterisk
Now the log shows this:
[...]
[Jul 1 16:24:16] VERBOSE[9936] chan_sip.c: SIP channel loading...
[Jul 1 16:24:16] VERBOSE[9936] tcptls.c: SSL error loading cert file. </etc/asterisk/keys/asterisk.pem>
[...]
The log level is VERBOSE, but it looks like an error. However, the certificate seems fine:
$ openssl verify -CAfile /etc/asterisk/keys/ca.crt /etc/asterisk/keys/asterisk.pem
/etc/asterisk/keys/asterisk.pem: OK
What did I do wrong? Help would be much appreciated.
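Added example, not part of the original post and not Asterisk code: `openssl verify` only validates the certificate against the CA, so an "OK" from it says nothing about whether the combined key+certificate file is readable by the service or carries a usable private key. The helper name `check_tls_pem` and the sample file below are constructed for illustration.

```shell
#!/bin/sh
# Added example: check_tls_pem is a hypothetical helper, not part of Asterisk.
# It inspects a combined key+certificate PEM for problems that
# `openssl verify` does not look at. Returns the number of problems found.
check_tls_pem() {
    pem=$1
    problems=0
    # The daemon must be able to open the file at all.
    if [ ! -r "$pem" ]; then
        echo "FAIL: $pem is not readable by $(id -un)"
        return 1
    fi
    # A server certificate has to be present.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem"; then
        echo "FAIL: no certificate block in $pem"
        problems=$((problems + 1))
    fi
    # So does a private key (PKCS#1, SEC1 or PKCS#8 header).
    if ! grep -Eq -- '-----BEGIN ((RSA|EC|ENCRYPTED) )?PRIVATE KEY-----' "$pem"; then
        echo "FAIL: no private key block in $pem"
        problems=$((problems + 1))
    fi
    # An encrypted key would need a passphrase at load time.
    if grep -Eq -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$pem"; then
        echo "FAIL: private key in $pem is passphrase-protected"
        problems=$((problems + 1))
    fi
    # The file holds a private key, so it should not be world-readable.
    if [ -n "$(find "$pem" -perm -004)" ]; then
        echo "WARN: $pem is world-readable"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample (structure only, not real key material): certificate
# block without a private key, as if the key had been left out of the .pem.
sample=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQ=' \
    '-----END CERTIFICATE-----' > "$sample"
check_tls_pem "$sample" || echo "problems found: $?"
rm -f "$sample"
```

Run the function as the account the Asterisk service runs under, since the readability check depends on who is calling it.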