SSL certificate error

I have configured a WebRTC connection with SSL. I have created a certificate with openssl:

 openssl req -new -x509 -days 365 -nodes -out asterisk.pem -keyout asterisk.pem

I have copied the certificate to Asterisk and to my local browser.

The web client with openhab from my notebook can perform the call.

But I get this error when calling the webpage from my mobile phone:

[Aug 28 17:12:48] ERROR[127128]: iostream.c:663 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0)::reason(1), Internal SSL error
[Aug 28 17:12:48] ERROR[127128]: tcptls.c:179 handle_tcptls_connection: Unable to set up ssl connection with peer '192.168.2.139:40282'
[Aug 28 17:12:48] ERROR[127128]: iostream.c:563 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0)::reason(1), Internal SSL error

I can not work with the openhab webpage from the mobile phone any more

the mobile says

the app doesn't support self signed SSL certificates

Issued to :

1.2.840 ....

How can I create an SSL certificate which works on my local notebook and on my mobile, which both call and use the same webpage?

This creates a signing request, to be sent to your trusted third party, not a certificate. The TTP will provide the certificate. Also using the same name for two outputs, isn’t going to work well. Even if both get written, you should never have a clear text private key in the same file as a certificate, or in what you send to a TTP.

Asterisk does include scripts for generating enterprise level CAs, although they don’t follow best practice on key safety. Note that, although people talk about self signed certificates, the only self signed ones, with these, are the CA ones, not the ones that get used by clients.

I haven’t analysed your certificate sharing requirements, although I note that VoIP systems are often configured to be rather lax on authentication, even though that is why certificates exist.

I have used the contrib/ast_tls_cert script to generate a certificate.

I use the certificate in openhab. I have created a SIP widget, which connects to asterisk by websocket

wss://asterisk-ip/asterisk/ws

But I get in asterisk the error

[Sep  1 16:34:15] ERROR[26396]: iostream.c:663 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0)::reason(1), Internal SSL error
[Sep  1 16:34:15] ERROR[26396]: tcptls.c:179 handle_tcptls_connection: Unable to set up ssl connection with peer '192.168.2.151:39622'
[Sep  1 16:34:15] ERROR[26396]: iostream.c:563 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0)::reason(1), Internal SSL error

now from every client connecting

  • web client on the notebook: Google Chrome with the openhab application

https:/home.myopenhab.org/overview

  • android mobile phone

in the mobile I have additionally the error

this app doesn’t support self-signed SSL certificates for web-widgets

What shall I do now? I don’t have an official home page, and so I cannot use Let’s Encrypt and certbot.

This is going to be a niche topic, and is more openhab, than Asterisk, but you will be very lucky to find anyone with knowledge of openhab, here.

The message about self signed is either misleading, or you have installed the wrong certificate. There are two certificates associated with Asterisk, a CA one, which is self signed (all root certificates are self signed, even those from commercial CAs), and the certificate for Asterisk itself. Whilst “self signed” is often misused to refer to certificates signed by an enterprise CA, this is never self signed, if you ran the creation process correctly.

I don’t know enough about openhab to validate https://community.openhab.org/t/setting-up-openhab-and-influxdb-to-use-privately-signed-certificates-for-https-access-using-openssl/163571 but it sounds like this is discussing how to fix this at the openhab end.

LetsEncrypt doesn’t require that you have a web server, it can also validate based on proof that you control the DNS for your domain name.
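
The distinction drawn in the replies above, between a self-signed CA certificate and a server certificate signed by that CA, can be checked with plain openssl commands. This is an added example, not part of the original posts and not Asterisk's ast_tls_cert script; the CA name demo-ca, the address 192.0.2.10 and the file names are constructed placeholders.

```shell
#!/bin/sh
# Added example; every name, address and file name below is a constructed placeholder.

# Create the private CA. This is the only self-signed certificate (issuer == subject).
make_ca() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=demo-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"
}

# Create a server key and CSR, then have the CA sign the CSR.
# The private key stays in its own file, never in the certificate file.
make_server_cert() {  # $1 = directory holding the CA, $2 = server IP address
    printf 'subjectAltName=IP:%s\n' "$2" > "$1/san.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    chmod 600 "$1/server.key"
    openssl x509 -req -in "$1/server.csr" -days 365 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/san.ext" -out "$1/server.crt" 2>/dev/null
}

# Succeeds only when the certificate names itself as its issuer.
is_self_signed() {  # $1 = certificate file
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

# Succeeds when the server certificate chains to the given CA certificate.
chain_ok() {  # $1 = CA certificate, $2 = server certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: d=$(mktemp -d); make_ca "$d"; make_server_cert "$d" 192.0.2.10
#        is_self_signed "$d/ca.crt" && ! is_self_signed "$d/server.crt" && chain_ok "$d/ca.crt" "$d/server.crt"
```

A client validates server.crt only once ca.crt (never either .key file) is installed in its trust store.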
