Hello

I keep getting the following error when trying to connect to the Asterisk server using AMI :

$socket = fsockopen("tls://11.22.33.44","5039", $errno, $errstr, 5);

Error on CLI :

[Oct 26 14:38:19] ERROR[2992]: tcptls.c:609 handle_tcptls_connection: Problem setting up ssl connection: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
[Oct 26 14:38:19] WARNING[2992]: tcptls.c:684 handle_tcptls_connection: FILE * open failed!

I have in sip.conf :

tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlsdontverifyserver=yes
tlscipher=ALL
;tlsclientmethod=tlsv2

/etc/asterisk/keys :

-rw------- 1 root root 1,2K okt 26 14:25 asterisk.crt
-rw------- 1 root root  574 okt 26 14:24 asterisk.csr
-rw------- 1 root root  887 okt 26 14:24 asterisk.key
-rw------- 1 root root 2,1K okt 26 14:25 asterisk.pem
-rw------- 1 root root  160 okt 26 14:24 ca.cfg
-rw------- 1 root root 1,8K okt 26 14:24 ca.crt
-rw------- 1 root root 3,3K okt 26 14:24 ca.key
-rw------- 1 root root  123 okt 26 14:24 tmp.cfg

The webserver ( A ) from where I open the socket to tls://11.22.33.44 also has a self-signed certificate.

This problem started when creating a new self-signed cert on webserver A.

Any thoughts ?

Thanks !

Kind regards.

J.

On Wed, Oct 26, 2016 at 1:46 PM, Jonas Kellens <jonas.kellens at telenet.be> wrote:

> Hello
>
> I keep getting the following error when trying to connect to the Asterisk
> server using AMI :
>
> $socket = fsockopen("tls://11.22.33.44","5039", $errno, $errstr, 5);
>
> Error on CLI :
>
> [Oct 26 14:38:19] ERROR[2992]: tcptls.c:609 handle_tcptls_connection: Problem setting up ssl connection: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> [Oct 26 14:38:19] WARNING[2992]: tcptls.c:684 handle_tcptls_connection: FILE * open failed!
>
> I have in sip.conf :
>
> tlsenable=yes
> tlsbindaddr=0.0.0.0
> tlscertfile=/etc/asterisk/keys/asterisk.pem
> tlsdontverifyserver=yes
> tlscipher=ALL
> ;tlsclientmethod=tlsv2
>
> /etc/asterisk/keys :
>
> -rw------- 1 root root 1,2K okt 26 14:25 asterisk.crt
> -rw------- 1 root root  574 okt 26 14:24 asterisk.csr
> -rw------- 1 root root  887 okt 26 14:24 asterisk.key
> -rw------- 1 root root 2,1K okt 26 14:25 asterisk.pem
> -rw------- 1 root root  160 okt 26 14:24 ca.cfg
> -rw------- 1 root root 1,8K okt 26 14:24 ca.crt
> -rw------- 1 root root 3,3K okt 26 14:24 ca.key
> -rw------- 1 root root  123 okt 26 14:24 tmp.cfg
>
> The webserver ( A ) from where I open the socket to tls://11.22.33.44
> also has a self-signed certificate.
>
> This problem started when creating a new self-signed cert on webserver A.
>
> Any thoughts ?
>
> Thanks !
>
> Kind regards.
>
> J.

Jonas,

You talk about sip.conf and setting your TLS cert there - but you're trying to connect to the AMI over TLS - so you need to set this stuff in manager.conf (https://github.com/asterisk/asterisk/blob/master/configs/samples/manager.conf.sample) - did you mean manager.conf ?

The error says that it doesn't understand the Certificate Authority in the cert. The box you're connecting from shouldn't affect anything so the issue will be with the CA of the cert - usually you need to add the CA to the cert to complete the chain.

If this is a public box then I'd recommend just using LetsEncrypt - many things don't like Self Signed Certs now

Dan

On 26-10-16 15:03, Dan Jenkins wrote:

> Jonas,
>
> You talk about sip.conf and setting your TLS cert there - but you're
> trying to connect to the AMI over TLS - so you need to set this stuff
> in manager.conf
> (https://github.com/asterisk/asterisk/blob/master/configs/samples/manager.conf.sample)
> - did you mean manager.conf ?
>
> The error says that it doesn't understand the Certificate Authority in
> the cert. The box you're connecting from shouldn't affect anything so
> the issue will be with the CA of the cert - usually you need to add
> the CA to the cert to complete the chain.
>
> If this is a public box then I'd recommend just using LetsEncrypt -
> many things don't like Self Signed Certs now
>
> Dan

Hello Dan

if it is indeed manager.conf that I need to edit then the problem is that I see no param :

tlsdontverifyserver=yes

I don't know how to make the AMI ignore the self-signed certificate.

Kind regards

J.
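
Added example, not part of the thread and not Asterisk's own code: the `tlsv1 alert unknown ca` in the log is a TLS alert that Asterisk received from its peer, which is what a PHP client sends when it cannot chain the AMI certificate to a CA it trusts. Instead of ignoring the certificate, the client can trust the private CA explicitly. The host and port are the ones from the first post; the CA file path and the `peer_name` value are assumptions.

```php
<?php
// Added example: AMI-over-TLS client that verifies the server certificate
// against a private CA instead of disabling verification.

function ami_tls_connect(string $host, int $port, string $caFile,
                         string $peerName, float $timeout = 5.0)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }

    $ctx = stream_context_create([
        'ssl' => [
            'cafile'            => $caFile,   // CA that signed the AMI certificate
            'verify_peer'       => true,      // reject chains that do not end at that CA
            'verify_peer_name'  => true,      // certificate name must match $peerName
            'peer_name'         => $peerName, // needed when connecting by IP address
            'allow_self_signed' => false,
        ],
    ]);

    $errno = 0;
    $errstr = '';
    $sock = @stream_socket_client("tls://$host:$port", $errno, $errstr,
                                  $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        // On a failed handshake $errstr is often empty; the warning has the detail.
        $last = error_get_last();
        $detail = $errstr !== '' ? $errstr : ($last['message'] ?? 'unknown error');
        throw new RuntimeException("TLS connect failed: $detail");
    }

    stream_set_timeout($sock, (int) ceil($timeout));
    $banner = fgets($sock); // AMI greets with "Asterisk Call Manager/<version>"
    if ($banner === false || strpos($banner, 'Asterisk Call Manager') !== 0) {
        fclose($sock);
        throw new RuntimeException('Peer did not send an AMI banner');
    }
    return $sock;
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    try {
        // Assumed values: copy of the server's ca.crt, and the name in its certificate.
        $sock = ami_tls_connect('11.22.33.44', 5039,
                                '/etc/ssl/asterisk-ca.crt', 'pbx.example.test');
        echo "TLS verified, AMI banner received\n";
        fclose($sock);
    } catch (RuntimeException $e) {
        fwrite(STDERR, $e->getMessage() . "\n");
        exit(1);
    }
}
```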