[solved] SIP/TLS certificate error

I am trying to set up secure calling via TLS. I’m following this secure calling tutorial: http://www.eisic.eu/program.aspx, but I get a certificate error in the Asterisk logs.

Summary of what I did:

  1. create the keys
  2. configure asterisk to use them (sip.conf)
  3. start asterisk

After doing this, Asterisk says:

UPDATE: I finally managed to get “certificate ok” by following these instructions: http://www.remiphilippe.fr/2010/05/30/sips-on-asterisk-sip-security-with-tls/. Is the ast_tls_cert script not working?

Now the details…

distro: ubuntu 12.10
asterisk version: 1:1.8.13.1~dfsg-1ubuntu2
revision of ast_tls_cert script: svn r393284 [update: the same happens when using svn tag 1.8.13.1 http://svn.asterisk.org/svn/asterisk/tags/1.8.13.1/]

  1. creating the keys
$ mkdir /etc/asterisk/keys
$ /home/wb/workspace/asterisk//contrib/scripts/ast_tls_cert -C sip.example.com -O example.com -d /etc/asterisk/keys

No config file specified, creating '/etc/asterisk/keys/tmp.cfg'
You can use this config file to create additional certs without
re-entering the information for the fields in the certificate
Creating CA key /etc/asterisk/keys/ca.key
Generating RSA private key, 4096 bit long modulus
................................................................................................................................................................................++
...++
e is 65537 (0x10001)
Enter pass phrase for /etc/asterisk/keys/ca.key:
Verifying - Enter pass phrase for /etc/asterisk/keys/ca.key:
Creating CA certificate /etc/asterisk/keys/ca.crt
Enter pass phrase for /etc/asterisk/keys/ca.key:
Creating certificate /etc/asterisk/keys/asterisk.key
Generating RSA private key, 1024 bit long modulus
......................++++++
................................................++++++
e is 65537 (0x10001)
Creating signing request /etc/asterisk/keys/asterisk.csr
Creating certificate /etc/asterisk/keys/asterisk.crt
Signature ok
subject=/CN=sip.2084.eu/O=2084.eu
Getting CA Private Key
Enter pass phrase for /etc/asterisk/keys/ca.key:
Combining key and crt into /etc/asterisk/keys/asterisk.pem
  2. configure asterisk with a minimal sip.conf
[general]
context=default

tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1
  3. start asterisk

Now the log shows this:

[...]
[Jul  1 16:24:16] VERBOSE[9936] chan_sip.c: SIP channel loading...
[Jul  1 16:24:16] VERBOSE[9936] tcptls.c: SSL error loading cert file. </etc/asterisk/keys/asterisk.pem>
[...]

The log level is VERBOSE, but it looks like an error. However, the certificate seems fine:

$ openssl verify -CAfile /etc/asterisk/keys/ca.crt /etc/asterisk/keys/asterisk.pem
/etc/asterisk/keys/asterisk.pem: OK

What did I do wrong? Help would be much appreciated.

Problem solved by creating the certificates manually using OpenSSL instead of using the asterisk provided helper script ast_tls_cert. Apparently the script didn’t produce a certificate that could be read by asterisk. I finally managed to get “certificate ok” by following these instructions: remiphilippe.fr/2010/05/30/s … -with-tls/

I hope the moderators will forgive this necro post, my first post here no less. I do it in order to save other surfers the time I spent on the same issue.
After comparing line by line the instructions referred to by the OP, I found only one slight difference in one command, and that did not solve the problem. In fact, the instructions are so nearly identical to the commands in ast_tls_cert that it appears one referenced the other.
What did make a difference was ownership of the keys. It’s not really discussed, but probably most people, including myself, generate them as the root user. But on my system at least, Asterisk runs as user asterisk, so I got that error because it couldn’t access the keys owned by root. After changing ownership to asterisk, it works just as the wiki says. Incidentally, I left /etc/asterisk/keys owned by root; it didn’t seem to care about that.
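An added check script that follows from the ownership finding in the reply above. It is not code from this thread or from the Asterisk project. It tests whether the files named by tlscertfile and tlscafile are readable by the account Asterisk runs under (the mode bits are evaluated for that user, so it can be run as root before restarting Asterisk), and separately whether the combined PEM is consistent: the certificate verifies against the CA and the private key in the same file belongs to that certificate, which the OP's `openssl verify` alone does not prove. The service user name "asterisk" and the /etc/asterisk/keys paths in the comments are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Asterisk project): verify that the
# TLS files referenced by sip.conf are readable by the Asterisk service user
# and that the PEM is internally consistent.
# Assumptions from the thread: service user "asterisk", files under /etc/asterisk/keys.

# can_read FILE USER: return 0 if USER can read FILE through the owner/group/
# other read bits, 1 otherwise. Root always passes; POSIX ACLs are not examined.
can_read() {
    file=$1
    user=$2
    [ -e "$file" ] || return 1
    uid=$(id -u "$user" 2>/dev/null) || return 1
    [ "$uid" -eq 0 ] && return 0
    set -- $(stat -c '%u %g %a' "$file")   # owner uid, group gid, octal mode
    f_uid=$1
    f_gid=$2
    mode=${3#"${3%???}"}                   # last three octal digits (drop setuid/setgid/sticky)
    o_bits=${mode%??}                      # owner digit
    g_bits=${mode#?}; g_bits=${g_bits%?}   # group digit
    w_bits=${mode#??}                      # other digit
    # Read permission is bit 4 of the digit for the first class that matches USER.
    if [ "$uid" -eq "$f_uid" ]; then
        return $(( (o_bits & 4) == 0 ))
    fi
    for gid in $(id -G "$user"); do
        if [ "$gid" -eq "$f_gid" ]; then
            return $(( (g_bits & 4) == 0 ))
        fi
    done
    return $(( (w_bits & 4) == 0 ))
}

# check_tls_files USER FILE...: print a verdict per file; return 1 if any file
# is unreadable by USER. The chown hint is the fix reported in the thread.
check_tls_files() {
    svc_user=$1
    shift
    rc=0
    for f in "$@"; do
        if can_read "$f" "$svc_user"; then
            echo "ok       $f is readable by $svc_user"
        else
            echo "PROBLEM  $f is not readable by $svc_user (fix: chown $svc_user '$f')"
            rc=1
        fi
    done
    return "$rc"
}

# pem_consistent PEM CA: return 0 if the certificate in PEM verifies against CA
# and the RSA private key in PEM has the same modulus as that certificate.
# Returns 2 if openssl is not installed.
pem_consistent() {
    pem=$1
    ca=$2
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1 || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$pem" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$pem" 2>/dev/null) || return 1
    [ "$cert_mod" = "$key_mod" ]
}

# Stand-alone usage: check_tls.sh USER PEM CA, e.g.
#   sh check_tls.sh asterisk /etc/asterisk/keys/asterisk.pem /etc/asterisk/keys/ca.crt
if [ $# -ge 3 ]; then
    check_tls_files "$@"
    pem_consistent "$2" "$3" && echo "ok       $2: private key matches certificate, chain verifies against $3"
fi
```

Run it as root with the same three values you put in sip.conf; a PROBLEM line for asterisk.pem reproduces the situation in the reply (file owned by root with mode 600, service running as asterisk), and the suggested chown is the fix that resolved it. Group membership is read with `id -G`, so a key owned by root but group-readable by a group that contains asterisk is correctly reported as readable.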