How old is the client?
[ISRG_Root_X1 cert is more than 7 years old - it should have already been there]
A brand new 16.28 install on Debian 10 with OpenSSL 1.1.1n. I'm pretty sure it was the cross signed one.
How would you have access to the private key then?
When Certbot runs it creates files privkey1.pem, etc. That is what I'm trying to figure out. Do I ignore them completely???
Why would you run Certbot on a client? I'm very, very confused right now.
And how would you be able to get a certificate (and corresponding private key) if you don't have access to the server? For what hostname did you create that certificate on the client?
This post by @jsha should help on concept of Chains in general to help you understand the why and what Chains do and not do for you.
My point exactly... Let me back up a little. We're mixing apples & oranges a bit here, unavoidably. I'm running a VoIP server and I want to make a TLS connection to a proxy. For one-way [calling out] only.
- This makes me a tls client by definition.
- Let's Encrypt tells me I need to run/use Certbot in order to utilize TLS. So I run Certbot.
- One of the Let's Encrypt engineers {I think it was} indicated that the proxy "us-east-va.sip.flowroute.com" requests to "verify client". So I'm trying to prove that verification is being done.
- The Asterisk documentation/Wiki/forum has not proven to be extremely helpful in configuring my server. I have pieced together enough information to get rid of the error that I was getting but recently made a wild stab... Maybe Certbot is not needed at all? But how do I be sure the "client verify" is being done?
Hope this helps.
Not quite accurate; Certbot is only a suggestion, from here: Getting Started - Let's Encrypt
There are plenty of other ACME v2 clients to choose from, here: ACME Client Implementations - Let's Encrypt
Where would LE tell you that, if you're a TLS client?
Where did the LE engineers tell you that? Also, if we're talking about client authentication using TLS certificates, that's usually very different than server verification and usually doesn't use certificates from public CAs such as LE.
The sysops of the proxy where you're connecting to that requires this client authentication. I.e., sysops of us-east-va.sip.flowroute.com
I guess.
Interesting you should ask. My server is behind my firewall and so I have a "virtual" hostname furnished by FreeDNS. That is what I specified to Certbot and it seems to work. It runs independently of all of this TLS stuff.
One of a couple of posts. I've been trying to figure all this out for about two months.
Bruce, why are you copy/pasting random auto-generated replies to me, not relevant to the discussion?
Anyway, @hraycrum69, looking at your previous thread it seems your SIP provider might require TLS client authentication.
But this entire thread about long and short chains is really irrelevant to that I believe or at least telling us just 1% of the whole story.
Could you please back up a little bit and tell us exactly and as concrete as possible what the end goal of all your efforts is and what you've already done in the utmost details?
I'll delete it, sorry.
Like I said, I thought it was someone from Let's Encrypt. All I know is the Asterisk configuration contains the directive "verify_client=yes/no" [set to no on my end]. I'm assuming the TLS server has the same option.
Maybe long vs short chain has nothing to do with the problem right now but it was mentioned earlier as a possible culprit when I was getting the "SSL certificate expired" failures. I just didn't start a new thread. My bust.
My reply to you a little earlier describes what I'm trying to accomplish in detail. Thanks for your time.
Where exactly?
From multiple posts scattered among two threads I'm guessing you're trying to have your own instance of Asterisk connect to another VoIP provider using the SIP protocol and maybe you require TLS client authentication for that, but it might also NOT require that at all, as we haven't actually seen an error message related to that.
That's how far I've come.
The thread over at Trying to use tls with no luck - #25 by Bruce5051 is pretty informative about what @hraycrum69 is trying to do. @hraycrum69, based on your posts, and TLS Requirements, I think you are trying to get Asterisk to connect to us-east-va.sip.flowroute.com:5061 as a TLS client. Flowroute's instructions are unusual because they ask for a publicly trusted WebPKI certificate as a client certificate. Not totally invalid, but also not commonly done.
@rg305 mentioned the "short chain" vs "long chain" issue in that thread, but I think that is probably not the problem you have. Since this isn't about short vs long, I'm going to reopen and rename the original thread and post my thoughts there.
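Two questions above (which chain did Certbot hand out, and what to do with privkey.pem) can be answered locally before touching Asterisk or the proxy. The script below is an added example, not from any post in this thread: it lists each certificate in a Certbot-style fullchain.pem as "subject -> issuer" and checks that the private key belongs to the leaf. It builds a throwaway root/intermediate/leaf chain so it runs offline; on a real install, point the two functions at /etc/letsencrypt/live/<name>/fullchain.pem and privkey.pem (the standard Certbot layout).

```shell
#!/bin/sh
# Added example: inspect a Certbot fullchain.pem and verify privkey.pem.
# The demo chain generated by make_demo_chain is constructed here for
# illustration; replace its paths with your own live/<name>/ files.
set -e

# Print "subject -> issuer" for every certificate in a PEM bundle, in order.
# The last line shows where the served chain ends. For Let's Encrypt that is
# an intermediate issued by "ISRG Root X1" (short chain) or ISRG Root X1
# itself issued by "DST Root CA X3" (long, cross-signed chain).
chain_summary() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
      | openssl pkcs7 -print_certs -noout \
      | awk '/^subject=/{s=$0} /^issuer=/{print s " -> " $0}'
}

# Return 0 when the private key matches the first (leaf) certificate in $1.
# Certbot's fullchain.pem starts with the leaf, so it can be passed directly.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Build a constructed root -> intermediate -> leaf chain in a temp dir and
# print the directory path. File names mirror what Certbot writes.
make_demo_chain() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -days 1 -out "$dir/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pbx.example.test" \
        -keyout "$dir/privkey.pem" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" \
        -CAkey "$dir/int.key" -CAcreateserial -days 1 -out "$dir/cert.pem" 2>/dev/null
    cat "$dir/cert.pem" "$dir/int.pem" > "$dir/fullchain.pem"
    echo "$dir"
}
```

If key_matches_cert fails on a live install, the privkey.pem and fullchain.pem being handed to Asterisk are from different Certbot runs; they must always be used as a pair, which is why the private key files cannot simply be ignored.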
It also seems to be optional:
Flowroute now offers TLS as a signaling option for customers.
and:
TLS signaling is considered an advanced configuration and should only be attempted by customers who are familiar with TLS with their PBX.
I'm guessing OP shouldn't be attempting this at all, but seek other ways of "signaling".
Also, I agree with the last part of your post; I think it's best to close this thread in lieu of the one you've linked to.