Problem Setting Up Ssl Connection
Hello
I keep getting the following error when trying to connect to the Asterisk server using AMI :
$socket = fsockopen(“tls://11.22.33.44″,”5039”, $errno, $errstr, 5);
Erorr on CLI :
[Oct 26 14:38:19] ERROR[2992]: tcptls.c:609 handle_tcptls_connection:
Problem setting up ssl connection: error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
[Oct 26 14:38:19] WARNING[2992]: tcptls.c:684 handle_tcptls_connection:
FILE * open failed!
I have in sip.conf :
tlsenable=yes tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem tlsdontverifyserver=yes tlscipher=ALL
;tlsclientmethod=tlsv2
/etc/asterisk/keys :
-rw——- 1 root root 1,2K okt 26 14:25 asterisk.crt
-rw——- 1 root root 574 okt 26 14:24 asterisk.csr
-rw——- 1 root root 887 okt 26 14:24 asterisk.key
-rw——- 1 root root 2,1K okt 26 14:25 asterisk.pem
-rw——- 1 root root 160 okt 26 14:24 ca.cfg
-rw——- 1 root root 1,8K okt 26 14:24 ca.crt
-rw——- 1 root root 3,3K okt 26 14:24 ca.key
-rw——- 1 root root 123 okt 26 14:24 tmp.cfg
The webserver ( A ) from where I open the socket to tls://11.22.33.44
also has a self-signed certificate.
This problem started when creating a new self-signed cert on webserver A.
Any thoughts ?
Thanks !
Kind regards.
J.
5 thoughts on - Problem Setting Up Ssl Connection
Jonas,
You talk about sip.conf and setting your TLS cert there – but you’re trying to connect to the AMI over TLS – so you need to set this stuff in manager.conf (
https://github.com/asterisk/asterisk/blob/master/configs/samples/manager.conf.sample)
– did you mean manager.conf ?
The error says that it doesn’t understand the Certificate Authority in the cert. The box you’re connecting from shouldn’t affect anything so the issue will be with the CA of the cert – usually you need to add the CA to the cert to complete the chain.
If this is a public box then I’d recommend just using LetsEncrypt – many things don’t like Self Signed Certs now
Dan
Hello Dan
if it is indeed manager.conf that I need to edit then the problem is that I see no param : tlsdontverifyserver=yes
I don’t know how to make the AMI ignore the self-signed certificate.
Kind regards
J.
A comment copied from sip.conf.sample:
“If set to yes, don’t verify the servers certificate when acting as a client.”
With AMI connections asterisk is allways the server.
The client fails to verfify the certificate. Do you use PHP 5.6? The default behavior has changed.
Hello
I use PHP 5.6.27.
So I should be looking inside php.ini ?
Kind regards
J.
Web search: php self signed certificate fsockopen
User contributed notes in [1] or the example in [2]
1) http://php.net/manual/en/function.fsockopen.php
2) http://i.justrealized.com/2009/allowing-self-signed-certificates-for-pfsockopen-and-fsockopen/
I did not test this, but I think it might be usefull.