First I thought it was a permissions issue, but I don’t get a FILE open fail or something like that. With the OpenSSL certificate, the crt file works, but then it complains about the key file.
So this is what I have:
I get this error: TLS/SSL error loading cert file. </etc/asterisk/cert/asterisk.pem>
The pem file is a combination of the Cert and key.
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDNSxLpoW2rP9Yv1pjirXdk1Fn1pL7mPVh07eJrLPceZLpEaAhB
…
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDTzCCATcCAQEwDQYJKoZIhvcNAQELBQAwNTEcMBoGA1UEAwwTQXN0ZXJpc2sg
…
-----END CERTIFICATE-----
openssl verify the certificate.
I’ve tried different ways in http.conf
tlscertfile=/etc/asterisk/cert/asterisk.pem ; path to the certificate file (*.pem) only.
and
tlscertfile=/etc/asterisk/cert/ca.crt ; path to the certificate file (*.pem) only.
tlsprivatekey=/etc/asterisk/cert/key.pem ; path to private key file (*.pem) only.
but nothing seems to work. The funny part is that I’ve set this up on my Linux on Windows instance literally in 2 min, doing what the tutorial says, but I can’t get it to work on a physical Linux box.
Do I miss something to enable something that prohibits self-signed certificates?
I’m running Debian 10, Asterisk 16.5
Is there something I can check, logs I can give (I’m not 100% fluent in Linux, so please help me with what logs and where, or command I need to run to get what you need). It is very frustrating, and I’m getting gray hair with this already. Seriously.
Use only the tlscertfile parameter. No tlsprivatekey. tlscertfile=/etc/asterisk/cert/asterisk.pem
Now make sure that the user that asterisk is running as has rw access to the file and directory.
For instance, if asterisk is running under the user “asterisk” and you get “Permission denied”, you’ll need to adjust the permissions.
I’m running Asterisk as root. So I basically login with SSH, type in
$ sudo asterisk
$ sudo asterisk -crvvvv
It obviously asks me for the password again if I have not typed it in. The user asterisk does not exist at this moment, but I can sort that out later. All I want is for this certificate to load. I changed the http.conf to only use tlscertfile.
When I verified the certificate it failed, so I added it to /usr/local/share/ca-certificates and executed
$ update-ca-certificates
Now when I do a
$ openssl verify /etc/asterisk/cert/asterisk.pem
/etc/asterisk/cert/asterisk.pem: OK
from a normal user as well as root. But I still don’t have any luck with asterisk.
[general]
servername=Asterisk
enabled=yes
bindaddr=0.0.0.0
;bindport=8088
tlsenable=yes ; enable tls - default no.
tlsbindaddr=0.0.0.0:8089 ; address and port to bind to - default is bindaddr and port 8089.
tlscertfile=/etc/asterisk/cert/asterisk.pem ; path to the certificate file (*.pem) only.
;tlsprivatekey=</path/to/private.pem> ; path to private key file (*.pem) only.
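An added example, not part of the original thread: `openssl verify` only checks the certificate's trust chain, so it can report OK while the combined file still fails to load because the key block is missing, unparseable, or belongs to a different certificate. The function below checks those points for a combined key+certificate PEM; the function name and return codes are assumptions made for this example, and it should be run as the user Asterisk runs as.

```shell
#!/bin/sh
# Pre-flight check for a combined PEM (private key + certificate in one file),
# as used with tlscertfile alone. Illustrative helper, not part of Asterisk.
# Returns: 0 ok, 1 unreadable, 2 no key block, 3 no certificate block,
#          4 key or certificate does not parse, 5 key does not match certificate
check_combined_pem() {
    pem=$1
    # -r tests readability for the *current* user, so run this as the service user
    [ -r "$pem" ] || { echo "cannot read $pem"; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "no private key block in $pem"; return 2; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "no certificate block in $pem"; return 3; }
    # Public key derived from the private key; an empty passphrase is supplied
    # so an encrypted key fails here instead of prompting
    key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null) ||
        { echo "private key does not parse (corrupt or passphrase-protected)"; return 4; }
    # Public key embedded in the certificate
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) ||
        { echo "certificate does not parse"; return 4; }
    [ "$key_pub" = "$crt_pub" ] ||
        { echo "private key does not match certificate"; return 5; }
    # The file holds a private key: flag it if any local user can read it
    if [ -n "$(find "$pem" -prune -perm -004 2>/dev/null)" ]; then
        echo "warning: $pem is world-readable"
    fi
    echo "ok: key and certificate in $pem belong together"
    return 0
}

# Usage: sh check_pem.sh /etc/asterisk/cert/asterisk.pem
if [ "$#" -gt 0 ]; then
    check_combined_pem "$1"
fi
```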