Websocket TLS certificate gives error

I’ve been struggling for days now getting a self-signed certificate to load on Asterisk. I’ve used 2 different ways of creating the certificate (openssl as per http://remiphilippe.fr/sips-on-asterisk-sip-security-with-tls/ and https://wiki.asterisk.org/wiki/pages/viewpage.action?pageId=40818097)

First I thought it was a permissions issue, but I don’t get a FILE open fail or something like that. With the OpenSSL certificate, the crt file works, but then it complains about the key file.

So this is what I have:
I get this error : TLS/SSL error loading cert file. </etc/asterisk/cert/asterisk.pem>
The pem file is a combination of the Cert and key.
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDNSxLpoW2rP9Yv1pjirXdk1Fn1pL7mPVh07eJrLPceZLpEaAhB

-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDTzCCATcCAQEwDQYJKoZIhvcNAQELBQAwNTEcMBoGA1UEAwwTQXN0ZXJpc2sg

-----END CERTIFICATE-----

openssl verifies the certificate.

I’ve tried different ways in http.conf
tlscertfile=/etc/asterisk/cert/asterisk.pem ; path to the certificate file (*.pem) only.
and
tlscertfile=/etc/asterisk/cert/ca.crt ; path to the certificate file (*.pem) only.
tlsprivatekey=/etc/asterisk/cert/key.pem ; path to private key file (*.pem) only.

but nothing seems to work. The funny part is that I’ve set this up on my Linux on Windows instance literally in 2 min, doing what the tutorial says, but I can’t get it to work on a physical Linux box.

Am I missing something that needs to be enabled, or is there something that prohibits self-signed certificates?

I’m running Debian 10, Asterisk 16.5
Is there something I can check, or logs I can give (I’m not 100% fluent in Linux, so please help me with which logs and where, or which command I need to run to get what you need)? It is very frustrating, and I’m getting gray hair with this already. Seriously.

Dumb question but are you sure your files are in /etc/asterisk/cert and not /etc/asterisk/keys?

I moved it specifically to cert, because I thought that keys had a permission problem.

I reinstalled now with 16.5.1, but still have the exact same problem. It does not make sense at all why this does not work.

Use only the tlscertfile parameter. No tlsprivatekey.
tlscertfile=/etc/asterisk/cert/asterisk.pem
Now make sure that the user that asterisk is running as has rw access to the file and directory.

For instance, if asterisk is running under the user “asterisk” and you get “Permission denied”, you’ll need to adjust the permissions.

$ sudo -u asterisk cat /etc/asterisk/cert/asterisk.pem
cat: /etc/asterisk/cert/asterisk.pem: Permission denied

I’m running Asterisk as root. So I basically login with SSH, type in

$ sudo asterisk
$ sudo asterisk -crvvvv

It obviously asks me for the password again if I have not typed it in. The user asterisk does not exist at this moment, but I can sort that out later. All I want is for this certificate to load. I changed the http.conf to only use tlscertfile.

When I verified the certificate it failed, so I added it to /usr/local/share/ca-certificates and executed

$ update-ca-certificates

now when I do a

$ openssl verify /etc/asterisk/cert/asterisk.pem
/etc/asterisk/cert/asterisk.pem: OK

from a normal user as well as root. But I still don’t have any luck with asterisk.

ERROR[31448] tcptls.c: TLS/SSL error loading cert file. </etc/asterisk/cert/asterisk.pem>

This is basically my http.conf file atm

[general]
servername=Asterisk
enabled=yes
bindaddr=0.0.0.0
;bindport=8088

tlsenable=yes          ; enable tls - default no.
tlsbindaddr=0.0.0.0:8089    ; address and port to bind to - default is bindaddr and port 8089.
tlscertfile=/etc/asterisk/cert/asterisk.pem  ; path to the certificate file (*.pem) only.
;tlsprivatekey=</path/to/private.pem>    ; path to private key file (*.pem) only.

This is driving me crazy.

Ok, don’t know why. But I got it to work. I used the command that they specify in the http.conf file

openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem

and changed the folder to /etc/asterisk/cert. My file is named foo.pem now, but it works. We need to get a proper certificate anyway.

The following steps did not generate a proper certificate. I tried both

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

openssl genrsa -out key.pem 1024
openssl req -new -key foo.pem -out foo.csr
openssl x509 -req -days 365 -in foo.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out foo.crt

and

ast_tls_cert -C Asterisk -O "MyPBX" -d /etc/asterisk/cert/

Anyway. Thanks for the response. I’m not sure why these steps do not work.
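The thread never pins down why the first two recipes failed while the single `openssl req ... -nodes` command worked. Two things about those commands are certain: `-des3` in `openssl genrsa` encrypts the key with a passphrase that a daemon cannot type, and `-nodes` writes the key unencrypted; a 1024-bit RSA key also falls below the 2048-bit minimum that OpenSSL security level 2 (the Debian 10 default) enforces. The script below is an added example, not code from the thread or from the Asterisk project: it builds the single-file PEM the way the working command does (unencrypted key followed by the certificate, matching the file shown at the top of the thread) and then checks a candidate file for exactly the properties the failed recipes differ in: both blocks present, key not passphrase-protected, key and certificate belonging together, key at least 2048 bits. It assumes only the `openssl` CLI; the subject name `asterisk.example.invalid` is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or the Asterisk project).
# Assumes the openssl CLI is installed; the subject name is a constructed placeholder.

# make_asterisk_pem OUT [DAYS]
# Writes an unencrypted 2048-bit RSA key followed by a self-signed certificate
# into one file, the layout Asterisk's tlscertfile expects when tlsprivatekey is unset.
make_asterisk_pem() {
    out=$1
    days=${2:-365}
    tmp=$(mktemp -d) || return 1
    # -nodes: do not encrypt the key; the Asterisk process cannot answer a passphrase prompt.
    openssl req -new -x509 -days "$days" -nodes -newkey rsa:2048 \
        -subj "/CN=asterisk.example.invalid" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null || { rm -rf "$tmp"; return 1; }
    # Key first, then certificate, as in the combined file shown in the thread.
    cat "$tmp/key.pem" "$tmp/cert.pem" > "$out"
    chmod 600 "$out"
    rm -rf "$tmp"
}

# check_asterisk_pem FILE
# Returns 0 when FILE holds a certificate and an unencrypted private key that
# belong together and the key is at least 2048 bits; otherwise prints the
# first problem found on stderr and returns 1.
check_asterisk_pem() {
    f=$1
    [ -r "$f" ] || { echo "$f: cannot read file" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo "$f: no certificate block" >&2; return 1; }
    grep -q -- 'PRIVATE KEY-----' "$f" || { echo "$f: no private key block" >&2; return 1; }
    # An encrypted PKCS#1 key carries a Proc-Type header; an encrypted PKCS#8 key
    # changes the block name. Either one means a passphrase prompt at load time.
    if grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
        echo "$f: private key is passphrase-protected" >&2; return 1
    fi
    # The public key derived from the private key must equal the one inside the certificate.
    from_key=$(openssl pkey -in "$f" -pubout 2>/dev/null) || { echo "$f: key unreadable" >&2; return 1; }
    from_cert=$(openssl x509 -in "$f" -pubkey -noout 2>/dev/null) || { echo "$f: certificate unreadable" >&2; return 1; }
    [ "$from_key" = "$from_cert" ] || { echo "$f: key and certificate do not match" >&2; return 1; }
    # Key size as reported by openssl ("Private-Key: (2048 bit, ...)").
    bits=$(openssl pkey -in "$f" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "$f: key too small (${bits:-unknown} bits)" >&2; return 1; }
    echo "$f: OK"
}

# Usage: sh thisfile.sh /etc/asterisk/cert/asterisk.pem   (checks an existing file)
[ "$#" -eq 0 ] || check_asterisk_pem "$1"
```

`check_asterisk_pem` only inspects the file's contents; whether the user Asterisk runs as can open it is the separate question the `sudo -u asterisk cat` test earlier in the thread answers. A 1024-bit key or a `-des3` key both fail the check, which is the quickest way to tell whether a hand-built PEM will be accepted before touching http.conf.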
