TLS troubleshooting

See post “Errors with tls”

Resolved - Here is what I found.

As rg305 on the Let's Encrypt community noted:
The “interesting” part is that it seems that the SIP destination requires the client to present a valid cert.

That said, here is what I tried:
Flagged “DST Root CA X3” as not used in /etc/ca-certificates.conf [it expired]
Replaced “ISRG Root X1” with the standalone version from LE that does not require “DST Root CA X3”

Still got “certificate expired” failure.
Thanks to a note from a user on I found out that certificates are not normally needed at all on a client, as I thought.
I then commented out the two lines in my pjsip.conf file that specified the certificates. It works!!

A little more sleuthing found a post on the Let's Encrypt community that indicates the R3 intermediate may have expired and special steps may be needed to update it, but since this is a client I'm dropping the matter!

More troubleshooting:
Since was requesting client verification, I could not believe something wasn't needed in pjsip.conf, despite the fact that it appeared to be working. After much trial and error and digging I found:

  1. The “priv_key_file” line is not needed if the transport is to be used for outgoing calls only unless the associated server is self-signed [tricky]
  2. The “cert_file” line is not needed unless the server is going to request “client verification”

Both my trunks were clients [outgoing only] so I only had one transport. YMMV if your setup is more complex.

That doesn't make sense to me. Assuming "server" means the server for the TLS request, i.e. the provider, and it is not using one of the standard CAs, you will need the public key for the server, or for one of the CAs in its CA chain. You will always need your own private key. It would be a fundamental breach of security for you to have theirs.

I'll buy that. I was referring to the info in the “Secure Calling tutorial” on the wiki. When / where / how do you specify the location of the file when you have two Asterisk machines, one a server and one a client, and the server is self-signed?

Making progress though, I think. Thanks

When people say self-signed, for Asterisk, they generally mean using a corporate root CA, rather than a self-signed server certificate. If they are really using a self-signed server certificate, that should be considered a degenerate case, where the server and the CA are the same.

Client and server are relative to the direction of set up and are not characteristics of the machines, unless their use is very constrained.

You would ideally have a symmetric arrangement, in which you should reverse the roles in the following to get the complete configuration.

In daemon 1, either ca_list_path or ca_list_file would contain the CA certificate for the CA used to sign daemon 2’s server/client certificate. Normal practice for a corporate CA would be that the same one was used to sign all the corporate working certificates.

cert_file would contain daemon 1’s signed certificate, and any intermediate certificates, leading to the CA certificate for the CA used to sign it.

priv_key_file would contain the private key associated with daemon 1’s certificate.

Note that the script provided with Asterisk, that runs on one of the machines running Asterisk, to generate the CA and client/server certificates violates good security practice. Ideally this should be on a dedicated, and well protected, CA machine, used for the organisation. Running it on one of the Asterisk machines, as well as putting the CA private key at risk, breaks the symmetry, and is possibly what is confusing you.
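As an added illustration of the file layout described in the post above (this is example configuration written for this page, not taken from the thread or from the Asterisk project; the section name, file paths, host roles and port are assumptions), here is how the three settings map onto a pjsip.conf TLS transport on daemon 1, with the mirror image on daemon 2. The same corporate CA certificate appears in ca_list_file on both sides; each daemon carries only its own certificate chain and its own private key, and the CA's private key stays on the CA machine.

```ini
; --- daemon 1: /etc/asterisk/pjsip.conf (added example; paths and names assumed) ---
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
; CA certificate of the corporate CA that signed daemon 2's certificate
ca_list_file=/etc/asterisk/keys/corp-ca.crt
; daemon 1's own signed certificate, followed by any intermediates up to corp-ca
cert_file=/etc/asterisk/keys/daemon1.crt
; private key matching daemon1.crt; it never leaves daemon 1
priv_key_file=/etc/asterisk/keys/daemon1.key
method=tlsv1_2
; verify the peer's certificate whether this daemon connects out or accepts a connection
verify_server=yes
verify_client=yes
require_client_cert=yes

; --- daemon 2: the same file on the other machine, with the roles reversed ---
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
ca_list_file=/etc/asterisk/keys/corp-ca.crt   ; the same CA signed both working certificates
cert_file=/etc/asterisk/keys/daemon2.crt      ; daemon 2's certificate plus intermediates
priv_key_file=/etc/asterisk/keys/daemon2.key  ; daemon 2's own private key
method=tlsv1_2
verify_server=yes
verify_client=yes
require_client_cert=yes
```

ca_list_path can be used instead of ca_list_file when the CA certificates are kept as individual files in a directory. With verify_server, verify_client and require_client_cert all enabled, each daemon checks the other's chain against corp-ca.crt regardless of which side set the connection up, which is the symmetry the post describes; an outgoing-only trunk to a provider that presents a publicly trusted certificate would instead need only the system CA bundle in ca_list_file (or ca_list_path) and could leave verify_client and require_client_cert unset.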

It was a rhetorical question. I don’t ever envision setting one up that way. Thanks
