TLS transport not loading when using SELinux

This problem is relevant when you configure Asterisk using the Asterisk: The Definitive Guide, 5th Edition tutorial, when adding the TLS transport to pjsip.conf:

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0
cert_file=/home/asterisk/certs/self-signed.crt
priv_key_file=/home/asterisk/certs/self-signed.key

Next, execute the following command in the Asterisk CLI:
module reload res_pjsip.so

The following errors may occur:

[May 28 13:24:07] ERROR[3110]: res_pjsip/config_transport.c:1032 transport_tls_file_handler: Transport: transport-tls: cert_file /home/asterisk/certs/self-signed.crt is either missing or not readable
[May 28 13:24:07] ERROR[3110]: config_options.c:798 aco_process_var: Error parsing cert_file=/home/asterisk/certs/self-signed.crt at line 12 of
[May 28 13:24:07] ERROR[3110]: res_sorcery_config.c:422 sorcery_config_internal_load: Could not create an object of type ‘transport’ with id ‘transport-tls’ from configuration file ‘pjsip.conf’

That is, for some reason the folder with the self-signed certificate for Asterisk was unavailable or the certificate files were unreadable.
If you did everything according to the tutorial, then a little earlier you enabled SELinux, and the usual permissions for actions and the owner should already be in order.
Also, according to the tutorial, we create certificate files in the folder /home/asterisk/certs/. Maybe you did it in another folder by your own choice. But I will show the solution for this folder further.

So we check the SELinux context for the certificate files:
sudo ls -lZ /home/asterisk/certs

Output:

-rwxr-xr-x. root root unconfined_u:object_r:user_home_t:s0 self-signed.crt
-rwxr-xr-x. root root unconfined_u:object_r:user_home_t:s0 self-signed.key

The context is user_home_t, but it should be asterisk_etc_t. My /asterisk folder in the /home directory had the wrong context user_home_t.

Solution
Switch SELinux to permissive:
sudo setenforce 0

Change the context of the /home/asterisk/ directory and all its contents to asterisk_etc_t:
sudo semanage fcontext -a -t asterisk_etc_t "/home/asterisk(/.*)?"
sudo restorecon -Rv /home/asterisk

Enable enforcing:
sudo setenforce 1

Reboot Asterisk:
sudo systemctl restart asterisk

Reboot the module in the Asterisk CLI:
module reload res_pjsip.so

Check the transport:
pjsip show transports

I created this topic because I found several similar unanswered questions that are already closed. I think these users encountered this exact problem.
For example, these topics:

I hope this topic can help those who are learning Asterisk from an Asterisk book and have encountered this problem.

This is one of my next tasks.
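The post above diagnoses the failure by eyeballing `ls -Z` output for a `user_home_t` type where `asterisk_etc_t` is expected. As an added example (not part of the original thread or of Asterisk itself), the script below turns that check into a small POSIX sh function that parses `ls -Z` lines, compares the type field against the expected one and counts mislabelled files; the sample lines are constructed to mirror the ones in the post, and the expected type `asterisk_etc_t` is the one the post names:

```shell
#!/bin/sh
# Added example (not from the original thread): check whether certificate
# files carry the SELinux type Asterisk expects, using `ls -Z` style lines.
# The sample lines below are constructed to mirror the ones shown in the post.

EXPECTED_TYPE="asterisk_etc_t"

# Extract the SELinux type, the third colon-separated field of the context
# (e.g. user_home_t from unconfined_u:object_r:user_home_t:s0).
# Argument: one `ls -Z` output line with fields: mode user group context name.
selinux_type() {
    printf '%s\n' "$1" | awk '{ split($4, c, ":"); print c[3] }'
}

# Return 0 when the file's type matches EXPECTED_TYPE, 1 otherwise,
# printing a one-line verdict so the function is usable interactively.
check_cert_context() {
    line="$1"
    name=$(printf '%s\n' "$line" | awk '{ print $NF }')
    ctx_type=$(selinux_type "$line")
    if [ "$ctx_type" = "$EXPECTED_TYPE" ]; then
        printf 'OK   %s (%s)\n' "$name" "$ctx_type"
        return 0
    fi
    printf 'BAD  %s has type %s, expected %s\n' "$name" "$ctx_type" "$EXPECTED_TYPE"
    return 1
}

# Read `ls -Z` lines from stdin and print how many files are mislabelled.
count_mislabelled() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        check_cert_context "$line" >/dev/null || bad=$((bad + 1))
    done
    echo "$bad"
}

# Constructed sample: the two mislabelled files from the post plus one
# correctly labelled file for contrast.
SAMPLE_LS_Z='-rwxr-xr-x. root root unconfined_u:object_r:user_home_t:s0 self-signed.crt
-rwxr-xr-x. root root unconfined_u:object_r:user_home_t:s0 self-signed.key
-rw-r-----. asterisk asterisk system_u:object_r:asterisk_etc_t:s0 ca.crt'

# On a real system, pipe `sudo ls -Z /home/asterisk/certs` into
# count_mislabelled instead of the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LS_Z" | while IFS= read -r l; do check_cert_context "$l"; done
    printf 'mislabelled files: %s\n' "$(printf '%s\n' "$SAMPLE_LS_Z" | count_mislabelled)"
fi
```

Run it with `--demo` to see the verdict for the constructed sample, or replace the sample with the real `ls -Z` output of the certificate directory. The type field is the only part of the context that matters for this particular failure, which is why the script ignores the user and role fields; if the type is right but Asterisk still cannot read the files, the remaining suspects are the ordinary mode bits and ownership shown in the same `ls` output.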

It must be a permissions issue I would think. Who is the owner of the home directory? Why are the certs located in the home directory? This doesn’t seem like the correct place to me. Wouldn’t somewhere like /etc/ssl be a better location?

Edit: Apologies, I clearly didn’t read this properly last night. I am wondering how necessary it is to use selinux on asterisk though?

I’d say not at all necessary. SELinux is about security compartments, so it is mainly for systems which are shared by multiple users. Asterisk, itself, is not SELinux aware, so different users of Asterisk won’t be isolated from each other.

I think that SELinux is not the most important part of Asterisk training. I have already worked with the FreePBX system before, providing technical support for it. We usually installed the distribution from the official website. I have never had to interact with SELinux, so I don’t even know if it was installed there. At the same time, I have 4 years of experience in setting up extensions, trunks, complex logic, custom dialplans, IP phones and softphones, integrating CRM systems.
Also, the Asterisk Book does not have comprehensive information on SELinux, so you need to study it yourself using other tutorials.
But the Asterisk Book does include SELinux in the Installation section, and it will be difficult for a complete newbie in Asterisk to figure out what needs to be studied first and what second. And an Asterisk newbie may stop progressing in training because of this. I hope my experience will help them.

@david551 I agree with you

I am an asterisk noob myself and I am only really playing with asterisk because FreePBX switched from Centos to Debian and there are now official Debian packages available from Sangoma.

As this is the case I would suggest that a noob may be better using Debian with the official Asterisk package from Sangoma.

This will be simpler than trying to install from source and updating Asterisk will also be easier. You won’t have to worry about SELinux breaking things either, as people almost never install it on Debian (it’s mainly RHEL-based systems that work with SELinux).

Creating an iptables script, securing ssh and looking into something like fail2ban would probably be more effective than using SELinux. However, I am an Asterisk noob so other people may well disagree!