On 26-10-16 15:03, Dan Jenkins wrote:
>
> On Wed, Oct 26, 2016 at 1:46 PM, Jonas Kellens
> <jonas.kellens at telenet.be> wrote:
>
> Hello
>
>
> I keep getting the following error when trying to connect to the
> Asterisk server using AMI :
>
> $socket = fsockopen("tls://11.22.33.44","5039", $errno, $errstr, 5);
>
> Error on CLI :
>
> [Oct 26 14:38:19] ERROR[2992]: tcptls.c:609
> handle_tcptls_connection: Problem setting up ssl connection:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> [Oct 26 14:38:19] WARNING[2992]: tcptls.c:684
> handle_tcptls_connection: FILE * open failed!
>
> I have in sip.conf :
>
> tlsenable=yes
> tlsbindaddr=0.0.0.0
>
> tlscertfile=/etc/asterisk/keys/asterisk.pem
> tlsdontverifyserver=yes
> tlscipher=ALL
> ;tlsclientmethod=tlsv2
>
> /etc/asterisk/keys :
>
> -rw------- 1 root root 1,2K okt 26 14:25 asterisk.crt
> -rw------- 1 root root 574 okt 26 14:24 asterisk.csr
> -rw------- 1 root root 887 okt 26 14:24 asterisk.key
> -rw------- 1 root root 2,1K okt 26 14:25 asterisk.pem
> -rw------- 1 root root 160 okt 26 14:24 ca.cfg
> -rw------- 1 root root 1,8K okt 26 14:24 ca.crt
> -rw------- 1 root root 3,3K okt 26 14:24 ca.key
> -rw------- 1 root root 123 okt 26 14:24 tmp.cfg
>
>
> The webserver ( A ) from where I open the socket to
> tls://11.22.33.44 also has a self-signed
> certificate.
>
> This problem started when creating a new self-signed cert on
> webserver A.
>
>
>
>
> Any thoughts ?
>
>
> Thanks !
>
>
> Kind regards.
>
>
> J.
>
> --
> asterisk-users mailing list
>
> Jonas,
>
> You talk about sip.conf and setting your TLS cert there - but you're
> trying to connect to the AMI over TLS - so you need to set this stuff
> in manager.conf
> (https://github.com/asterisk/asterisk/blob/master/configs/samples/manager.conf.sample)
> - did you mean manager.conf ?
>
> The error says that it doesn't understand the Certificate Authority in
> the cert. The box you're connecting from shouldn't affect anything so
> the issue will be with the CA of the cert - usually you need to add
> the CA to the cert to complete the chain.
>
> If this is a public box then I'd recommend just using LetsEncrypt -
> many things don't like Self Signed Certs now
>
> Dan
>
Hello Dan
If it is indeed manager.conf that I need to edit, then the problem is
that I see no param: tlsdontverifyserver=yes
I don't know how to make the AMI ignore the self-signed certificate.
Kind regards
J.
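
The connection from the original post with the PHP client validating the server certificate against its signing CA instead of skipping verification, as an added example that is not part of the thread. It assumes PHP 5.6 or later, that the ca.crt in the directory listing signed asterisk.pem and has been copied to the client, and that the CA path and peer name shown are hypothetical placeholders.

```php
<?php
// Added example, not code from the thread.
// Assumptions: /etc/ssl/asterisk-ca.crt is a copy of the server's ca.crt (hypothetical path),
// and 'asterisk.example.com' is the name in the server certificate (hypothetical).

function ami_tls_connect(string $host, int $port, string $caFile, string $peerName, float $timeout = 5.0)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }

    // Trust only the private CA; keep chain and name verification switched on.
    $ctx = stream_context_create([
        'ssl' => [
            'cafile'            => $caFile,
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'peer_name'         => $peerName, // needed when connecting by IP address
            'allow_self_signed' => false,
        ],
    ]);

    $errno = 0;
    $errstr = '';
    $sock = @stream_socket_client("tls://$host:$port", $errno, $errstr, $timeout,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        // Handshake failures often leave $errstr empty; the OpenSSL text is in the last warning.
        $last = error_get_last();
        $detail = $errstr !== '' ? $errstr : ($last['message'] ?? 'unknown error');
        throw new RuntimeException("TLS connect to $host:$port failed: $detail");
    }
    stream_set_timeout($sock, (int) ceil($timeout));
    return $sock;
}

try {
    $sock = ami_tls_connect('11.22.33.44', 5039, '/etc/ssl/asterisk-ca.crt', 'asterisk.example.com');
    echo fgets($sock); // first line sent by the manager interface
    fclose($sock);
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
    exit(1);
}
```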