Using Asterisk as a TLS client

I installed tcpdump / wireshark. It shows my device is correctly sending to port 5061 but the server never responds to my user agent port. Don't know why. It seems openSSL just logs it as "certificate expired". Have a ticket open with Flowroute. So it may not be an issue with LetsEncrypt at all.

1 Like

A clue!:

[which was somewhat hidden in the name: http://us-east-va.sip.flowroute.com/]

This is very intersting:
openssl s_client -connect us-east-va.sip.flowroute.com:5061

CONNECTED(00000194)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=sa-east-sp.sip.flowroute.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFPTCCBCWgAwIBAgISA4JIOpm+gUSlqkaQFWwzwrC/MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjA4MTIyMjUwMDFaFw0yMjExMTAyMjUwMDBaMCcxJTAjBgNVBAMT
HHNhLWVhc3Qtc3Auc2lwLmZsb3dyb3V0ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDNXV4VzUYJyje9qUyTsRLPdvrLrIv+0DPCQxYfvpXN5trm
WDLzpre2OC/XqYrHUDO96vTfuBA63wVXIUTMTmJrdWhaYGxtdJCtqOu/cDgx8gh0
k5rOj6RZuBd6dgcXmsC722+ZhuqmNi8ZBjeGkeiIwOyKgHWZRO2TQxWuKpKXEMQo
WGc7/UGWet6p2Bc33zpqeaddUXTJy3QOA1wj1o43UCIxrZ0vSy8KEOldrjPorSsY
FzvTCWI8GYsN6xHllEOYp53TCHpK+Kp6CiVXhT5xvANEVKLjVryNZCrl97NhhEcC
ssezNEAiYSISrxXIcFTCds3j6H190tk/OkPOhm4NAgMBAAGjggJWMIICUjAOBgNV
HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
EwEB/wQCMAAwHQYDVR0OBBYEFD1JvMRdXru28H+MOSllS25pZZo0MB8GA1UdIwQY
MBaAFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEF
BQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8v
cjMuaS5sZW5jci5vcmcvMCcGA1UdEQQgMB6CHHNhLWVhc3Qtc3Auc2lwLmZsb3dy
b3V0ZS5jb20wTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAm
BggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEDBgorBgEE
AdZ5AgQCBIH0BIHxAO8AdQApeb7wnjk5IfBWc59jpXflvld9nGAK+PlNXSZcJV3H
hAAAAYKUdvwNAAAEAwBGMEQCICUT5O883qCRsMI//6nOlJoMrCu1R95Vcvwplxe2
fzK2AiBBOolhWx5pdimpJtgHARHrMH5reFyp9L6S2Bi4/q6FjwB2AN+lXqtogk8f
bK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABgpR2/fkAAAQDAEcwRQIgDJZ+b1aY
BiIo0xVXOpHLeLdqU0OYzP/42yDJEeZLp/cCIQC1EDr6e5l+vt9p8drnnf/fcOHO
Q3fJ7Jm3eBdHnfhXozANBgkqhkiG9w0BAQsFAAOCAQEAoBs7m3TGcvNhyLxpx5U/
3s8Dr3lURsHHlOXDZaATs6bWEXV/cOGLJY4r2Oa2dOWkPAahEW978iH1KgIXV+im
CaQXEJA6Goqn8L7WuNoMh0V/BzgCwDzCPz9ayK+xi1TSruvh+tTNeusC9OlPWyqi
Wq76ub2DFsMvARiX/5sH1sDLiRmr0BXHWg1BaGHZeffyczPxuCTvSiy1T1rMf6Wh
Vz0bFm3K7VD2gAlpEiTdy7nEt8E12uTZyNYr9Y+CnlX/qJfjl0EQU6VWG+RpJhmB
jR/SW1IOn4QXoAog8Juxy629Pi9gLxTcm0Z0bopuJjgSegv/n2C9U0ZygYOl/u/X
Dg==
-----END CERTIFICATE-----
subject=/CN=sa-east-sp.sip.flowroute.com
issuer=/C=US/O=Let's Encrypt/CN=R3
---
Acceptable client certificate CA names
/CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES
/CN=ACEDICOM Root/OU=PKI/O=EDICOM/C=ES
/C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM
/C=IT/L=Milan/O=Actalis S.p.A./03358520967/CN=Actalis Authentication Root CA
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Class 1 CA Root
/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Public CA Root
/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Qualified CA Root
/C=US/O=AffirmTrust/CN=AffirmTrust Commercial
/C=US/O=AffirmTrust/CN=AffirmTrust Networking
/C=US/O=AffirmTrust/CN=AffirmTrust Premium ECC
/C=US/O=AffirmTrust/CN=AffirmTrust Premium
/C=US/O=Amazon/CN=Amazon Root CA 1
/C=US/O=Amazon/CN=Amazon Root CA 2
/C=US/O=Amazon/CN=Amazon Root CA 3
/C=US/O=Amazon/CN=Amazon Root CA 4
/CN=Atos TrustedRoot 2011/O=Atos/C=DE
/C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/C=NO/O=Buypass AS-983163327/CN=Buypass Class 2 Root CA
/C=NO/O=Buypass AS-983163327/CN=Buypass Class 3 Root CA
/C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R1
/C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2
/C=EU/O=AC Camerfirma SA CIF A82743287/OU=http://www.chambersign.org/CN=Chambers of Commerce Root
/C=EU/O=AC Camerfirma SA CIF A82743287/OU=http://www.chambersign.org/CN=Global Chambersign Root
/C=FR/O=Dhimyotis/CN=Certigna
/C=FR/O=Certinomis/OU=0002 433998903/CN=Certinomis - Autorit\xC3\xA9 Racine
/C=FR/O=Certinomis/OU=0002 433998903/CN=Certinomis - Root CA
/C=FR/O=Certplus/CN=Class 2 Primary CA
/C=FR/O=Certplus/CN=Certplus Root CA G1
/C=FR/O=Certplus/CN=Certplus Root CA G2
/C=RO/O=certSIGN/OU=certSIGN ROOT CA
/C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
/C=CN/O=China Financial Certification Authority/CN=CFCA EV ROOT
/C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Chambers of Commerce Root - 2008
/C=CN/O=China Internet Network Information Center/CN=China Internet Network Information Center EV Certificates Root
/C=CN/O=CNNIC/CN=CNNIC ROOT
/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Secure Certificate Services
/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Trusted Certificate Services
/O=Cybertrust, Inc/CN=Cybertrust Global Root
/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root G2
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root G3
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G3
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4
/C=US/O=Digital Signature Trust/OU=DST ACES/CN=DST ACES CA X6
/O=Digital Signature Trust Co./CN=DST Root CA X3
/C=DE/O=D-Trust GmbH/CN=D-TRUST Root Class 3 CA 2 2009
/C=DE/O=D-Trust GmbH/CN=D-TRUST Root Class 3 CA 2 EV 2009
/C=ES/O=Agencia Catalana de Certificacio (NIF Q-0801176-I)/OU=Serveis Publics de Certificacio/OU=Vegeu https://www.catcert.net/verarrel (c)03/OU=Jerarquia Entitats de Certificacio Catalanes/CN=EC-ACC
/C=EE/O=AS Sertifitseerimiskeskus/CN=EE Certification Centre Root CA/emailAddress=pki@sk.ee
/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - EC1
/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
/C=TW/O=Chunghwa Telecom Co., Ltd./OU=ePKI Root Certification Authority
/C=TR/L=Ankara/O=E-Tu\xC4\x9Fra EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E./OU=E-Tugra Sertifikasyon Merkezi/CN=E-Tugra Certification Authority
/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 2
/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
/C=US/O=GeoTrust Inc./OU=(c) 2007 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G2
/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
/C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA 2
/C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA
/C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Global Chambersign Root - 2008
/OU=GlobalSign ECC Root CA - R4/O=GlobalSign/CN=GlobalSign
/OU=GlobalSign ECC Root CA - R5/O=GlobalSign/CN=GlobalSign
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
/C=GR/L=Athens/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions ECC RootCA 2015
/C=GR/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions RootCA 2011
/C=GR/L=Athens/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions RootCA 2015
/C=HK/O=Hongkong Post/CN=Hongkong Post Root CA 1
/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
/C=US/O=IdenTrust/CN=IdenTrust Public Sector Root CA 1
/C=US/O=Internet Security Research Group/CN=ISRG Root X1
/C=ES/O=IZENPE S.A./CN=Izenpe.com
/C=LU/O=LuxTrust S.A./CN=LuxTrust Global Root 2
/C=HU/L=Budapest/O=Microsec Ltd./CN=Microsec e-Szigno Root CA 2009/emailAddress=info@e-szigno.hu
/C=HU/L=Budapest/O=NetLock Kft./OU=Tan\xC3\xBAs\xC3\xADtv\xC3\xA1nykiad\xC3\xB3k (Certification Services)/CN=NetLock Arany (Class Gold) F\xC5\x91tan\xC3\xBAs\xC3\xADtv\xC3\xA1ny
/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
/C=CH/O=WISeKey/OU=Copyright (c) 2005/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GA CA
/C=CH/O=WISeKey/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GB CA
/C=FR/O=OpenTrust/CN=OpenTrust Root CA G1
/C=FR/O=OpenTrust/CN=OpenTrust Root CA G2
/C=FR/O=OpenTrust/CN=OpenTrust Root CA G3
/emailAddress=contacto@procert.net.ve/L=Chacao/ST=Miranda/OU=Proveedor de Certificados PROCERT/O=Sistema Nacional de Certificacion Electronica/C=VE/CN=PSCProcert
/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 1 G3
/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 G3
/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3 G3
/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3
/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
/C=US/O=SecureTrust Corporation/CN=Secure Global CA
/C=JP/O=Japan Certification Services, Inc./CN=SecureSign RootCA11
/C=US/O=SecureTrust Corporation/CN=SecureTrust CA
/C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication EV RootCA1
/C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2
/C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1
/C=FI/O=Sonera/CN=Sonera Class2 CA
/CN=localhost
/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden EV Root CA
/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA - G2
/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA - G3
/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
/C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom Root CA 1
/C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom Root CA 2
/C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom Root EV CA 2
/C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2
/C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
/C=PL/O=Krajowa Izba Rozliczeniowa S.A./CN=SZAFIR ROOT CA2
/C=TW/O=Government Root Certification Authority
/O=TeliaSonera/CN=TeliaSonera Root CA v1
/C=US/O=thawte, Inc./OU=(c) 2007 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G2
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
/C=GB/O=Trustis Limited/OU=Trustis FPS Root CA
/C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust Center/CN=T-TeleSec GlobalRoot Class 2
/C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust Center/CN=T-TeleSec GlobalRoot Class 3
/C=TR/L=Gebze - Kocaeli/O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK/OU=Kamu Sertifikasyon Merkezi - Kamu SM/CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
/C=TR/L=Gebze - Kocaeli/O=T\xC3\xBCrkiye Bilimsel ve Teknolojik Ara\xC5\x9Ft\xC4\xB1rma Kurumu - T\xC3\x9CB\xC4\xB0TAK/OU=Ulusal Elektronik ve Kriptoloji Ara\xC5\x9Ft\xC4\xB1rma Enstit\xC3\xBCs\xC3\xBC - UEKAE/OU=Kamu Sertifikasyon Merkezi/CN=T\xC3\x9CB\xC4\xB0TAK UEKAE K\xC3\xB6k Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 - S\xC3\xBCr\xC3\xBCm 3
/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=Ankara/O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E. (c) Aral\xC4\xB1k 2007
/C=TR/L=Ankara/O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E./CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 H5
/C=TW/O=TAIWAN-CA/OU=Root CA/CN=TWCA Global Root CA
/C=TW/O=TAIWAN-CA/OU=Root CA/CN=TWCA Root Certification Authority
/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust ECC Certification Authority
/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2007 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G4
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign, Inc. - For authorized use only/CN=VeriSign Universal Root Certification Authority
/C=US/O=VISA/OU=Visa International Service Association/CN=Visa eCommerce Root
/C=US/OU=www.xrampsecurity.com/O=XRamp Security Services Inc/CN=XRamp Global Certification Authority
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
---
SSL handshake has read 19456 bytes and written 506 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: DA4967EEB69B50429E62EA05F027448A79EEEE8FA1950F8BE7633980BA9C4524
    Session-ID-ctx:
    Master-Key: 22F48C9053F22E27B77531CA78B1E1E0B7E2294851A1756B30EB67901D1E611554B322B21AB7BF52282F3ED15B604F45
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 22 c9 97 92 be 3a 99 67-15 42 e9 7d 21 85 68 f6   "....:.g.B.}!.h.
    0010 - de 92 92 f9 20 d2 03 07-2e 49 b6 9d b2 ea 1f 7e   .... ....I.....~
    0020 - 5f 92 93 42 a1 da 20 f9-dc b6 15 c7 79 85 03 20   _..B.. .....y..
    0030 - 2a e6 9a 61 ab 6b b9 33-b4 ad 6a 4b c2 78 04 49   *..a.k.3..jK.x.I
    0040 - 1b b5 36 5d 5b aa 86 47-74 c0 b1 5a 87 22 35 b5   ..6][..Gt..Z."5.
    0050 - 45 f7 ae b8 3f ab 9c 5f-27 06 45 cd b9 16 b2 af   E...?.._'.E.....
    0060 - fc 5a 5e ca 06 06 83 6f-bb 64 07 9b 4c 9b 2f 86   .Z^....o.d..L./.
    0070 - 2c 14 e6 b5 a4 f6 79 46-07 1d 01 ea c2 7f c0 e6   ,.....yF........
    0080 - 4c df 3f e5 da ed bf 58-c8 29 e9 1e 06 7f 9f 13   L.?....X.)......
    0090 - bc 50 70 9c c6 77 83 9b-d3 83 fa 6c 36 2e 88 ee   .Pp..w.....l6...
    00a0 - 5d b1 94 e0 9f 7f 56 c4-9c 30 4c b5 0d 06 ec be   ].....V..0L.....

    Start Time: 1663700067
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
---
^C
6 Likes

The "interesting" part is that it seems that the SIP destination requires the client to present a valid cert.
Thus, both (the client and the server) must have valid certs for this connection to work.

Also, the SIP server is using the LE "short chain", this may pose a problem to the client if their system can't validate the (self-signed) "ISRG Root X1" root cert.

5 Likes

Here is https://flowroute.com/ TLS Requirements

4 Likes

I use LetsEncrypt so I'm 99% sure I have the requirements, including a valid certificate. Having said that, your other statement intrigues me;

**Also, the SIP server is using the LE "short chain", this may pose a problem to the client if their system can't validate the (self-signed) "ISRG Root X1" root cert**

I'm a novice at this certificate stuff. How do I check for and/or fix my system if I need something I don't have? Thanks

1 Like

Show the outputs of:
openssl version
echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head -10

5 Likes

ray@beaglebone:~# openssl version
OpenSSL 1.1.1n 15 Mar 2022
ray@beaglebone:~# echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head -10
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
CONNECTED(00000003)
Certificate chain
0 s:CN = acme-v02.api.letsencrypt.org
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1

I just re-read your post. I Think I verified I have the ISRG Root X1 certificate. Did the capture above tell you anything??

It looks like according to LetsEncrypt I may need "lets-encrypt-r3" and I don't think I have it.Does that ring any bells?

You haven't shown the cert (and chain) that your client is using, so, I can't be certain it passes their test:

Acceptable client certificate CA names
/C=US/O=Internet Security Research Group/CN=ISRG Root X1
4 Likes

Are the public part (i.e. no security risk in revealing them), but do not share your PRIVATE keys (i.e. the security is them).

1 Like

The one named "fullchain" is the one you need?

That should work. :slightly_smiling_face:

cat fullchain1.pem

-----BEGIN CERTIFICATE-----
MIIFQDCCBCigAwIBAgISBNAGjIvaVZQXb3f7h0I3bJdTMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjA5MTcwMzAxNDlaFw0yMjEyMTYwMzAxNDhaMCgxJjAkBgNVBAMT
HW15bWFjaGluZS50d2lsaWdodHBhcmFkb3guY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAvJ6wnca7bnjE1V/QImEDw64BpvduuBGmn8FQt3/QEOoj
Y5WhUEWqYkSe2oWCaQ0yRYgscvTcsss7XEkqn325/9BEiaz/t+dqbZ10A1Ouwu0a
5fGg+5D4f58xjLTCG9iWMAR09yZd8vVP4FaVGloYMpysQHbWgigHRuK6bV8Ut4Zh
S2i3sendm1jeohKrPjv07WdLR6/OxDvnOzprlFlekRtRac+ioc0MB24kGLWwJymk
iiRwxaVjb7pYYYnLqvpyYCrRAjVcZSxYeCGUndm9dOzZL7hTj9LcgEEYaPYRqJG7
Z/8+QQvBYIeVc7PovuGtL8hzSSHYe7xHLkJfz54AQwIDAQABo4ICWDCCAlQwDgYD
VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNV
HRMBAf8EAjAAMB0GA1UdDgQWBBQCURdqV9MFnz+YlFg+cM5LYRjDpjAfBgNVHSME
GDAWgBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYB
BQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDov
L3IzLmkubGVuY3Iub3JnLzAoBgNVHREEITAfgh1teW1hY2hpbmUudHdpbGlnaHRw
YXJhZG94LmNvbTBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAo
MCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisG
AQQB1nkCBAIEgfUEgfIA8AB2AEHIyrHfIkZKEMahOglCh15OMYsbA+vrS8do8JBi
lgb2AAABg0mcFDoAAAQDAEcwRQIhAKU6v9LXnkADXGYIKbiNLXHDDI6Gz1icWjJx
MIjp+pemAiBjWMrU+kC2UGByDdj1sL12giT7sBM2EIxyhPDrdXYABAB2ACl5vvCe
OTkh8FZzn2Old+W+V32cYAr4+U1dJlwlXceEAAABg0mcFf4AAAQDAEcwRQIhALp8
FhMIhhM1sZ+3nvh1KHSwjNhjYVrmbsDwroajJfiqAiBseTziuKocMKcowuyVvjVt
7ruCZjExLsWo48b5w8JTLDANBgkqhkiG9w0BAQsFAAOCAQEADhN0+1kYX/RCTBXo
PTsuRM2ovMOOe0I9LgUTBVnq7fvOnCVZV8XrcMy5IVzyg+hwQD3qlWUW1QKht0vF
5l0lsLlP7AAiIUCa3lIqqzEE5eithDOmPptXTjImOqDpMXZderO6A/GOrlh8xMza
HjMBF25nsntKQkO+Nqm0QjuQwK57NkErTvXuvb0NAoJLJIXnz+5ZZLeTvYVFUNcv
ZCc4gYFrZzYQmEdAO1fE1BgV6Xc4I0adRmKel84uBcNn/pCERvWXnQkZarzT4zvl
pgS9f19wbROYJzKv9mMqFqOemGdIwDkiYwc66AMHA9vQ+eVA7kKBdRYN++PSH6RR
7orYPQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----

Is this

Is this

Is this

1 Like

So are you registered with https://flowroute.com/ with your machine named mymachine.twilightparadox.com?
As that is what their side will authenticate or validate you against.

1 Like

I looked through the web page and don't see any place to enter that information??

Then you might want to reach out to them and get help with accessing their service.

4 Likes

How do they know who you are?
How do they know you want to use TLS?

1 Like

Agreed. :slightly_smiling_face:

1 Like

I thought as much. I'm awaiting their feedback. I was afraid I might have something incorrect in my configuration.