Using Asterisk as a TLS client

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mymachine.twilightparadox.com

I ran this command:
openssl s_client -connect us-east-va.sip.flowroute.com:443
It produced this output:
3070160912:error:0200206E:system library:connect:Connection timed out:../crypto/bio/b_sock2.c:110:
3070160912:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=110
My web server is (include version):
None
The operating system my web server runs on is (include version):
Debian 10.12
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
snap -- V1.3?
Trying to use TLS and keep getting "certificate expired". Works fine with Telnyx but TLS fails with us-east-va.sip.flowroute.com.
I read something about LetsEncrypt making some big changes late last year. Keep getting references to a missing or incorrect root certificate??

I'm seeing two hostnames: which one is the one you want fixed? Because currently both don't work. Your twilight URI doesn't have anything running on port 80 or 443 and your flowroute URI is timing out for me (and for you too it seems..)

Also, both hostnames have valid certificates issued (very) recently.

So I'm not sure how to proceed: both hostnames are unavailable to check and your post doesn't make it very clear what the actual issue is you're having, at least not to me.


I will try to answer your questions intelligently. twilight is correct and there should not be anything running on 80. I tried the openssl command because a google search said it could be used to check for correct tls operation (?) The server that I am told I should be connecting to is us-east-va.sip.flowroute.com. I get tls correctly on sip.telnyx.com but it dies on us-east-va.sip.flowroute.com. I hope that helps.

That doesn't make much sense to me. Why would an outgoing connection tell you anything about the operation of your own webserver?

Also, there isn't anything listening on port 443 for mymachine.twilightparadox.com either.


Best Practice - Keep Port 80 Open


I'm not sure what you mean. I think certbot is working. It's only used in short bursts when Certbot runs, correct? As I said, I thought the openssl command would verify if their domain was running (tls) correctly.

Yes, but why would you care if us-east-va.sip.flowroute.com was running their TLS correctly, if you're having trouble with your own domain?

I'm just confused and I don't know what actual issue you're having.


Neither site is demonstrating success with offering certificates from SSL Server Test (Powered by Qualys SSL Labs)

  1. SSL Server Test: mymachine.twilightparadox.com (Powered by Qualys SSL Labs)
  2. SSL Server Test: us-east-va.sip.flowroute.com (Powered by Qualys SSL Labs)

Yet both have valid certificates available according to https://crt.sh/

  1. https://crt.sh/?q=mymachine.twilightparadox.com
  2. https://crt.sh/?q=+us-east-va.sip.flowroute.com

Let me start over. I'm trying to establish a TLS connection to us-east-va.sip.flowroute.com and get the error "certificate expired" and the connection fails. I get a TLS connection to the Telnyx server just fine. I keep getting snippets about the change(s) made by Let's Encrypt last year that could be causing the "Expired certificate" error, and a representative from Flowroute suggested the same.

But your first post shows a "Connection timed out" error? Also, I can't connect to it either; the host seems to be down. That makes debugging this very difficult if not impossible.


Possible this

or even this

May be of assistance.


I believe you are correct about mymachine. It's only used for outbound (a client?), not configured as a server.

How are you connecting?

  • What OS?
  • What Client and/or Server?
  • Is this on your local LAN or accessible to the Internet at large?

Doesn't seem to be responding on Port 80 (http) nor Port 443 (https)


But is Pingable


Debian 10.12. Client? Asterisk / snap / certbot. Asterisk (the mymachine domain) is on my local LAN, but the domain is supplied by FreeDNS.

And then the server you are trying to connect to is us-east-va.sip.flowroute.com?
(Presently it seems down for services, but can be Pinged)


Bingo! Flowroute states everything is fine. I can connect over UDP but not TLS. I have a pcap if that helps.

Is this something I can change or fix on my end?

For incompatible devices, there is often a way that the device owner can manually upgrade an individual device to restore compatibility (e.g. by manually adding the ISRG Root X1 certificate to the local trusted certificates list (trust store)).

How do I accomplish this?
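The two things worth checking on the client side in a situation like this are (a) whether the client's trust store actually contains ISRG Root X1 (the root Let's Encrypt chains to since DST Root CA X3 expired on 30 September 2021) and (b) what the TLS handshake to the SIP provider really fails with, since "connection timed out" and "certificate has expired" are different problems. The script below is an added example written for this thread, not code from the original posts, from Asterisk, or from Let's Encrypt. It uses only Python's standard `ssl` and `socket` modules. Assumptions: the default SIP-over-TLS port 5061 (the `openssl s_client` command in the first post used 443, which is the HTTPS port), the Debian bundle path `/etc/ssl/certs/ca-certificates.crt` as a fallback, and a constructed two-entry sample trust store used only to exercise the helpers offline. Whether Asterisk itself reads the system trust store or its own CA file is not covered here; it depends on the Asterisk configuration.

```python
import socket
import ssl
import time

# The Let's Encrypt root that must be trusted since DST Root CA X3 expired.
ISRG_ROOT_X1 = "ISRG Root X1"
# Debian's system CA bundle (used only if the default context loads nothing).
DEBIAN_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def subject_cn(cert):
    """commonName from a cert dict in the shape ssl.getpeercert()/get_ca_certs() return."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def has_trusted_root(ca_certs, name=ISRG_ROOT_X1):
    """True if a trusted CA whose CN equals `name` is present in the list."""
    return any(subject_cn(c) == name for c in ca_certs)


def expired_roots(ca_certs, now_ts=None):
    """CNs of trusted CAs whose notAfter lies before `now_ts` (epoch seconds)."""
    now_ts = time.time() if now_ts is None else now_ts
    return [subject_cn(c) for c in ca_certs
            if c.get("notAfter") and ssl.cert_time_to_seconds(c["notAfter"]) < now_ts]


def classify_failure(exc):
    """Map a connection/handshake exception to a short, actionable reason."""
    msg = str(exc)
    if "certificate has expired" in msg:
        return "chain rejected as expired: check that ISRG Root X1 is trusted and the server sends an up-to-date chain"
    if "certificate verify failed" in msg:
        return "certificate verification failed: " + msg
    if isinstance(exc, (TimeoutError, socket.timeout)):
        return "TCP connect timed out: host down, wrong port, or blocked by a firewall"
    if isinstance(exc, ConnectionRefusedError):
        return "TCP connection refused: nothing listening on that port"
    return "other error: " + msg


def load_trust_store():
    """Return (context, list of trusted CA cert dicts) using the system defaults."""
    ctx = ssl.create_default_context()
    certs = ctx.get_ca_certs()
    if not certs:  # default paths empty on this box: try the Debian bundle explicitly
        try:
            ctx.load_verify_locations(cafile=DEBIAN_BUNDLE)
            certs = ctx.get_ca_certs()
        except OSError:
            pass
    return ctx, certs


def probe(host, port=5061, timeout=10):
    """Attempt a verified TLS handshake and report the leaf cert or the failure reason."""
    ctx, _ = load_trust_store()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                peer = tls.getpeercert()
                return {"ok": True, "tls": tls.version(),
                        "subject": subject_cn(peer), "notAfter": peer.get("notAfter")}
    except Exception as exc:  # report, don't crash: this is a diagnostic
        return {"ok": False, "reason": classify_failure(exc)}


# Constructed sample store (real names and dates of the two roots, but a hand-built
# list, not read from any system) so the helpers can be exercised offline.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),)),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", "DST Root CA X3"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
]

if __name__ == "__main__":
    import sys
    _, certs = load_trust_store()
    print(f"trusted CAs loaded: {len(certs)}; ISRG Root X1 present: {has_trusted_root(certs)}")
    print("expired roots still in store:", expired_roots(certs))
    if len(sys.argv) > 1:  # e.g. python3 check_sip_tls.py sip.example.net 5061
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 5061))
```

Run it with no arguments to see whether the Python/OpenSSL trust store on the Asterisk box contains ISRG Root X1 (on Debian 10 that comes from the `ca-certificates` package; if the root is missing, updating that package is the usual fix). Run it with a hostname to see the real handshake result; an expired-chain verdict against a provider that is otherwise reachable points at either the client's trust store or the chain the provider serves, while a timeout says nothing about certificates at all.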

UDP is a connectionless protocol, so I find this quite confusing?


Flowroute states everything is hunky dory, but I think there is an interworking error between OpenSSL 1.1.1n (which I have) and them. I sent a pcap and am waiting for a response. TLS is one of the reasons I wanted to use Flowroute.