Res_calendar & LetsEncrypt


Everybody,

For a while now, I’ve had a small home Asterisk setup to connect to my Zimbra mail server’s calendar.  Making an entry on the calendar would cause Asterisk to schedule a wakeup call at the time of the calendar entry.

The Zimbra mail server uses LetsEncrypt for the SSL Certs and renews every 60 days.  On the Asterisk side of things, if I do not restart the Asterisk process, the logs get spammed with the below and the wakeup call never occurs:

[Dec 24 07:48:46] WARNING[10679] res_calendar_caldav.c: Unknown response to CalDAV calendar calendar.name.here, request REPORT to /dav/username/Calendar: Server certificate changed: connection intercepted?

Would this be considered a bug, or do I have something setup incorrectly?

Asterisk version: 13.29.2
OS: Debian GNU/Linux 7.11 (wheezy)
Zimbra OSE 8.8.11 P4

Thanks!

Doug

3 thoughts on - Res_calendar & LetsEncrypt

  • Doug Lytle writes:

    My guess is bug.

    Generally, one validates server certificates starting from a list of acceptable configured CA certificates, called trust anchors.

    Perhaps because people often used to use self-signed certificates (before Let’s Encrypt), and perhaps because of general paranoia (not a bad thing), there is a notion of certificate pinning.

    However, it strikes me that if implemented, the pinning would be persistent.

    https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

    Have you done anything in the asterisk config to control certificate validation?

    I would suggest reading the res_calendar_caldav sources to see if there is some attempt to store certificates and compare.

  • This error message comes from neon and was removed in r1938 back in 2014[1]:

    src/ne_openssl.c (ne__negotiate_ssl): Don’t fail hard for SSL cert change, invoke verify callback.

    For better or worse, Asterisk’s verify callback allows all certificates, so this doesn’t appear to be an Asterisk bug. You should probably try to find a newer version of neon for your distribution.

    Kind regards, Sean

    [1]
    http://lists.manyfish.co.uk/pipermail/neon-commits/2014-September/001001.html
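
The two replies above describe two different ways a client can decide whether to trust a server certificate: remembering the leaf certificate it saw first (what the old neon session code did, and what makes a Let’s Encrypt renewal look like "connection intercepted?") versus validating the chain against configured trust anchors. The script below is an added example, not code from the thread, from Asterisk or from neon. It uses only openssl(1) in a temporary directory: it creates a throw-away issuing CA, issues two successive certificates for a made-up host name (mail.example.test, standing in for the Zimbra server before and after renewal), and shows that a pinned leaf fingerprint rejects the renewed certificate while trust-anchor validation accepts both. The two check functions are simplified stand-ins for the neon behaviour Sean describes, not neon’s actual code.

```shell
#!/bin/sh
# Added example (not from the thread, Asterisk or neon): why pinning the leaf
# certificate seen on the first connection breaks at a Let's Encrypt renewal,
# while validating against the issuing CA (trust anchor) keeps working.
# Assumes openssl(1) is installed. All certificates are generated locally;
# nothing contacts a real server. mail.example.test is a made-up host name.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A private issuing CA. Stands in for the Let's Encrypt intermediate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# A leaf certificate for the mail server, signed by the CA above. Issued twice
# to model the certificate before and after an automated renewal.
issue_leaf() {   # $1 = output basename
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=mail.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -out "$WORK/$1.pem" >/dev/null 2>&1
}

# SHA-256 over the DER encoding of a certificate.
fingerprint() {  # $1 = certificate file
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Simplified model of the old neon session behaviour: the first certificate
# of the session is remembered and any different one is a hard failure.
# A renewed certificate has a new key and serial, so it never matches.
pinned_leaf_check() {  # $1 = pinned fingerprint, $2 = certificate presented now
  [ "$1" = "$(fingerprint "$2")" ]
}

# Trust-anchor validation: chain to a configured CA plus a subject host-name
# check. Survives renewal because the issuer, not the leaf, is what is trusted.
trust_anchor_check() {  # $1 = certificate presented now
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1 &&
  openssl x509 -in "$1" -noout -subject | grep -q 'CN *= *mail\.example\.test'
}

make_ca
issue_leaf old
issue_leaf new
PIN=$(fingerprint "$WORK/old.pem")   # what the client "remembers" from connection one

pinned_leaf_check "$PIN" "$WORK/old.pem" && echo "pin:    original cert accepted"
pinned_leaf_check "$PIN" "$WORK/new.pem" || echo "pin:    renewed cert rejected (Server certificate changed)"
trust_anchor_check "$WORK/old.pem"     && echo "anchor: original cert accepted"
trust_anchor_check "$WORK/new.pem"     && echo "anchor: renewed cert accepted"
```

The same contrast is why a cached-leaf comparison inside a long-running process such as Asterisk has to fail at some renewal, whereas per-connection chain validation does not. To see which neon build a given Asterisk actually loads (module path is an assumption; it varies by distribution), `ldd /usr/lib/asterisk/modules/res_calendar_caldav.so | grep -i neon` names the shared library, and the distribution’s package tool gives its version.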