What was shown seems correct.
We don't have enough information (and possibly the right tools) to check how you are using that cert.
[in the context of SIP calling]
I have an 8-digit number that is prefixed every time I dial that identifies me, but it is there whether I connect over UDP (which works) or TLS. I'm assuming they know it's TLS by the port and the handshake, but I'm guessing.
We would have to guess as well.
Thanks to both of you for looking.
@hraycrum69 based on your posts, and TLS Requirements, I think you are trying to get Asterisk connect to us-east-va.sip.flowroute.com:5061
as a TLS client. Flowroute's instructions are unusual because they ask for a publicly trusted WebPKI certificate as a client certificate. Not totally invalid, but also not commonly done. (thanks to @rg305 and @Bruce5051 for the sleuthing here).
I think the next step is for you to show us the full logs from Asterisk where it is showing an error connecting to us-east-va.sip.flowroute.com:5061. Can you do that?
I use TLS for Twilio and Telnyx without issue. This seemed from the start to be tied to dst-root-ca-x3-expiration-september-2021. I used TLS with Flowroute before without issue, probably before the expiration. There are no error logs except what I sent before. It is working now. I was just trying to determine if the client was being verified and not sure how to do that.
Since TLS Requirements says:
Requirements
- Valid certificate (no self-signed certs)
You can be confident they are verifying your client.
Thanks for replying. It works with "cert_file=cert.pem" or "cert_file=fullchain.pem". Thought that could be an issue. Left it at cert.pem for now.
If it works with fullchain.pem, I'd prefer to use it.
I'll set it back & let run for a month.
SOLVED!
Had to add the `preferred-chain = "ISRG Root X1"` directive to cli.ini.
Let's Encrypt was defaulting to the old defective chain.
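For anyone landing here with the same setup, here are the two configuration pieces this thread converged on, written out as an added example (not the poster's actual files). The cli.ini path is certbot's default location, and the transport section name, the `sip.example.com` lineage name, the CA bundle path and the deploy hook are assumptions for illustration; only the `preferred-chain` value and the `cert_file=fullchain.pem` choice come from the thread.

```ini
; /etc/letsencrypt/cli.ini  (certbot's default config path; assumed here)
;
; Ask the ACME server for the short chain that terminates at ISRG Root X1
; instead of the default chain, which is cross-signed by the expired
; DST Root CA X3. Value written unquoted; configargparse takes the rest of
; the line as the value (assumption: the thread's quoted form also worked).
preferred-chain = ISRG Root X1

; Asterisk keeps the loaded certificate in memory, so a renewed chain is not
; used until the transport is reloaded. Hook assumed for illustration;
; requires allow_reload=yes on the transport below.
deploy-hook = /usr/sbin/asterisk -rx "pjsip reload"

; /etc/asterisk/pjsip.conf  (transport section only; name is an assumption)
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
; Present the leaf plus the intermediate (fullchain.pem), not cert.pem alone,
; so the peer can build a path to ISRG Root X1 from what we send.
cert_file=/etc/letsencrypt/live/sip.example.com/fullchain.pem
priv_key_file=/etc/letsencrypt/live/sip.example.com/privkey.pem
; Trust store used to validate the provider's server certificate
; (path is the Debian/Ubuntu system bundle; adjust for your distribution).
ca_list_file=/etc/ssl/certs/ca-certificates.crt
verify_server=yes
method=tlsv1_2
allow_reload=yes
```

After changing cli.ini, the existing certificate still carries the old chain until it is re-issued: run `certbot renew --force-renewal` once (or wait for the normal renewal) and then inspect `fullchain.pem` to confirm the last certificate in the file is issued by ISRG Root X1 rather than DST Root CA X3.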
Glad you got it working. Just noting the default chain is there for a reason and is not defective. In fact, this forum uses that default chain.
While suitable for most purposes, it apparently was not for your special case. That is why an alternate chain is provided.