asterisk users - Jul 2019 - unsolved: Re: solved: how to create a working certificate for using TLS?

On 7/5/19 9:22 PM, Steve Murphy wrote:
> hw--
> 
> I see this kind of behavior when the certificate expires... you've 
> probably checked this, but sometimes we
> miss little details like that.
I thought about that and checked the configuration I've been using to
create the certificate, and I can't see anywhere that it would expire 
earlier than after 3650 days.  Is there another way to check this?

Which certificate is the one that can not be verified: the one I
created or the one used by the SIP provider?  How can I find out
which certificate the error message is referring to?

On Fri, 5 Jul 2019 at 14:28, hw <hw at gc-24.de> wrote:
> I thought about that and checked the configuration I've been using to
> create the certificate, and I can't see anywhere that it would expire
> earlier than after 3650 days.  Is there another way to check this?
>
openssl verify -CAfile ca.crt server.crt

Which certificate is the one that can not be verified: the one
I
> created or the one used by the SIP provider?  How can I find out
> which certificate the error message is referring to?
>
What is the error message?
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20190705/53aac3eb/attachment.html>

On 7/5/19 9:32 PM, John Runyon wrote:
> On Fri, 5 Jul 2019 at 14:28, hw <hw at gc-24.de <mailto:hw at
gc-24.de>> wrote:
> 
>     I thought about that and checked the configuration I've been using
to
>     create the certificate, and I can't see anywhere that it would
expire
>     earlier than after 3650 days.  Is there another way to check this?
> 
> openssl verify -CAfile ca.crt server.crt
> 
>     Which certificate is the one that can not be verified: the one I
>     created or the one used by the SIP provider?  How can I find out
>     which certificate the error message is referring to?
> 
> What is the error message?
> 
tcptls.c:173 handle_tcptls_connection: Certificate did not verify: 
unable to get local issuer certificate


So the local issuer certificate must have somehow vanished after a few 
hours.

On 7/5/19 9:32 PM, John Runyon wrote:
> On Fri, 5 Jul 2019 at 14:28, hw <hw at gc-24.de <mailto:hw at
gc-24.de>> wrote:
> 
>     I thought about that and checked the configuration I've been using
to
>     create the certificate, and I can't see anywhere that it would
expire
>     earlier than after 3650 days.  Is there another way to check this?
> 
> openssl verify -CAfile ca.crt server.crt
openssl verify -CAfile ca.pem asterisk.pem
asterisk.pem: OK


When I set tlsdontverifyserver=yes, it works (i. e. asterisk registers
to the SIP provider and there is no error message).  Otherwise I'm
getting the error message and asterisk does not register.

Reading the comments in sip.conf.sample, I would assume that asterisk
can not verify the certificate of the SIP provider.  Yet


openssl s_client -connect secure.sip.easybell.de:5061


seems to verify the certificate just fine.  Previous tests seemed to
show the asterisk is trying to verify its own certificate instead, or
as well.

What exactly is asterisk trying to verify, and what fails the
verification?


Suspicious is this:


[Jul  5 12:48:00] NOTICE[7015]: chan_sip.c:30416 sip_poke_noanswer: Peer 
'aaa' is now UNREACHABLE!  Last qualify: 55
   == TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled
   == TLS/SSL certificate ok
[Jul  5 12:48:08] ERROR[1482]: tcptls.c:173 handle_tcptls_connection: 
Certificate did not verify: unable to get local issuer certificate


That's the point at which the certificate suddenly stopped working after
the SIP provider became unreachable.  Why?