Stir/Shaken: Cert not trusted: unable to get local issuer certificate

Hello,

I’m trying to get my first Stir/Shaken compliant incoming calls on a 20.7.0 instance.

When a call comes in, I’ve got the following (anonymized) output:
Cert ‘https://foo.com/bar.cer’ not trusted: unable to get local issuer certificate

I should add I have a very superficial understanding and practice of certificates and I may easily make noob mistakes.

During this failure, I could capture traffic. With Wireshark, I saw my machine downloaded something from the foo.com domain.
On the same box, I could successfully run
cd /tmp
wget https://foo.com/bar.cer
file bar.cer
bar.cer: PEM certificate

What shall I do next?

Best regards

Where did you get the cert? STIR/SHAKEN certs aren’t cheap and have to be issued by an authorized provider. Last I looked this was not something most people could remotely do.

You need to get the CA certificate that issued bar.cer and add that file to your stir_shaken.conf file under “verification”, “ca_file”. If you need to specify multiple CA certificates, place the certificates in a directory, run c_rehash in that directory, then add that directory to the “ca_path” parameter.

You only need to obtain a certificate when attesting to outbound calls. This particular case is for verification of inbound calls.

cd /tmp
openssl verify bar.cer
CN = SHAKEN FOOBAR, O = XXXX, C = FR
error 20 at 0 depth lookup: unable to get local issuer certificate
error bar.cer: verification failed

@gjoseph
Shall I understand that ca_file and ca_path settings are exclusive:
either you specify a single file or a whole directory?

No, you can actually specify both. The certificate specified in ca_file and all the certificates in ca_path are combined into one list when verification is done.

In France you have to check against a centralized DB that the inbound call is signed by the right certificate. They use STIR/PASSporT with SHAKEN extension and call it MAN.

@tootai
How do you “check against a centralized DB that the inbound call is signed by the right certificate”?

It seems to me that:

  1. Asterisk already downloads the certificate which is pointed to by the Identity header and somehow verifies it

  2. this is done independently of any dialplan statement if the related endpoint “stir_shaken_profile” specifies verification is required (endpoint_behavior=on or verify)

@gjoseph
Is it achievable yes or no, to do the following:

  1. save the certificate which is pointed to by an Identity header of an incoming Stir/Shaken call into a file
  2. copy the file to another box on which OpenSSL is installed
  3. download some other certificates, keys, whatever
  4. issue an appropriate OpenSSL command that would print “the certificate is OK”

This DB is from FFT/Arcep where you bought your certificates

Asterisk already uses OpenSSL to verify the certificate. If you don’t have the CA certificate that issued the received certificate then it won’t verify no matter how you do it. The CA certs are usually NOT in the system certificate store so you have to get them from whoever sent you the call. If you want to examine the certificate retrieved from the URL in the Identity header yourself, they’re cached in /var/lib/asterisk/keys/stir_shaken. There’s nothing secret about the certificates so you can run openssl x509 -in <certfile> -text and post the result here.

I’ve got the following files:
root.cer is a self-signed root cert
intermed.cer is an intermediate cert issued by foo.root
itsp.cer is a cert issued by intermed.root

On a Linux host, without touching /etc/ssl directory or alternatives, I’ve got

openssl verify -CAfile root.cer -untrusted intermed.cer itsp.cer

itsp.cer: OK

Where shall I copy these 3 *.cer files on the Asterisk host to get a successful Stir/Shaken incoming call?
Currently, I’ve got:
Cert ‘https://example.com/itsp.cer’ not trusted: unable to get local issuer certificate

and this itsp.cer file is not copied into /var/lib/asterisk/keys/stir_shaken or its cache subdirectory.

You need to copy root.cer and intermed.cer into a new directory by themselves. The location doesn’t matter as long as Asterisk has access to it. Once copied, you need to run the following…

cd <new directory>
openssl rehash .

Then in the verification section of stir_shaken.conf, set …

ca_path = <new directory>
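The following script is an added example, not code from the thread or from the Asterisk project. It builds a throwaway root -> intermediate -> leaf chain with the openssl CLI (all names such as “Test STIR Root” and itsp.cer are constructed), reproduces the “unable to get local issuer certificate” failure from the first post, and then shows both verification set-ups discussed above: the trust anchor in a single file with the intermediate supplied as untrusted chain material (what the openssl verify -CAfile/-untrusted command in the thread does), and a rehashed directory holding both CA certificates (what Asterisk’s ca_path expects). It assumes OpenSSL 1.1.0 or later, which provides openssl rehash; on older builds the c_rehash script mentioned in the thread does the same job.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce error 20 and fix it the two
# ways the thread describes. Everything here is constructed test material.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/ext.cnf"

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF

# EC P-256 keys: SHAKEN certificates are ECDSA, so the toy chain matches that.
newkey() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null
}

# Build root.cer (self-signed), intermed.cer (signed by root) and itsp.cer
# (signed by intermed), mirroring the three files described in the thread.
make_chain() {
    newkey root
    openssl req -x509 -new -key "$WORK/root.key" -out "$WORK/root.cer" -days 1 \
        -subj "/CN=Test STIR Root/O=Example/C=FR" -config "$CNF" -extensions v3_ca

    newkey intermed
    openssl req -new -key "$WORK/intermed.key" -out "$WORK/intermed.csr" \
        -subj "/CN=Test STIR Intermediate" -config "$CNF"
    openssl x509 -req -in "$WORK/intermed.csr" -CA "$WORK/root.cer" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 1 \
        -extfile "$CNF" -extensions v3_ca -out "$WORK/intermed.cer" 2>/dev/null

    newkey itsp
    openssl req -new -key "$WORK/itsp.key" -out "$WORK/itsp.csr" \
        -subj "/CN=SHAKEN Test ITSP/O=Example/C=FR" -config "$CNF"
    openssl x509 -req -in "$WORK/itsp.csr" -CA "$WORK/intermed.cer" \
        -CAkey "$WORK/intermed.key" -CAcreateserial -days 1 \
        -extfile "$CNF" -extensions v3_leaf -out "$WORK/itsp.cer" 2>/dev/null
}

# The failure from the first post: only the root is trusted and the
# intermediate is nowhere to be found, so chain building stops at the leaf
# with "unable to get local issuer certificate" (error 20). Non-zero exit.
verify_root_only() {
    openssl verify -CAfile "$WORK/root.cer" "$WORK/itsp.cer"
}

# ca_file style: root as the trust anchor, intermediate as untrusted chain
# material (the command the thread shows succeeding with "itsp.cer: OK").
verify_cafile() {
    openssl verify -CAfile "$WORK/root.cer" -untrusted "$WORK/intermed.cer" "$WORK/itsp.cer"
}

# ca_path style: both CA certs copied into a directory of their own, indexed
# by subject-name hash with openssl rehash, then used as a lookup path.
verify_capath() {
    CADIR="$WORK/cadir"
    mkdir -p "$CADIR"
    cp "$WORK/root.cer" "$WORK/intermed.cer" "$CADIR/"
    openssl rehash "$CADIR" 2>/dev/null
    openssl verify -CApath "$CADIR" "$WORK/itsp.cer"
}

make_chain
echo "--- root only (expected to fail) ---"; verify_root_only || true
echo "--- CAfile + untrusted intermediate ---"; verify_cafile
echo "--- rehashed CApath ---"; verify_capath
```

The rehashed directory is the piece that maps onto Asterisk: once root.cer and intermed.cer verify this way with -CApath, pointing ca_path in the verification section of stir_shaken.conf at that same directory gives Asterisk exactly the lookup openssl verify used here. Re-run openssl rehash (or c_rehash) whenever a certificate is added to or removed from that directory, since the hash links are what the lookup relies on.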

Typing c_rehash . allowed the first successful incoming call.
Thank you very much for everything!