Using Asterisk as a TLS client

What was shown seems correct.
We don't have enough information (and possibly the right tools) to check how you are using that cert.
[in the context of SIP calling]

4 Likes

I have an 8 digit number that prefixes every time I dial that identifies me but it is there whether I connect over udp (which works) or tls. I'm assuming they know it's tls by the port and the handshake but I'm guessing.

We would have to guess as well.

4 Likes

Thanks to both of you for looking.

4 Likes

@hraycrum69 based on your posts, and TLS Requirements, I think you are trying to get Asterisk to connect to us-east-va.sip.flowroute.com:5061 as a TLS client. Flowroute's instructions are unusual because they ask for a publicly trusted WebPKI certificate as a client certificate. Not totally invalid, but also not commonly done. (thanks to @rg305 and @Bruce5051 for the sleuthing here).

I think the next step is for you to show us the full logs from Asterisk where it is showing an error connecting to us-east-va.sip.flowroute.com:5061. Can you do that?

4 Likes

I use tls for Twilio and Telnyx without issue. This seemed from the start to be tied to dst-root-ca-x3-expiration-september-2021. I used tls with Flowroute before without issue, probably before the expiration. There are no error logs except what I sent before. It is working now. I was just trying to determine if the client was being verified and not sure how to do that.

2 Likes

Since TLS Requirements says:

Requirements

  • Valid certificate (no self-signed certs)

You can be confident they are verifying your client.

3 Likes

Thanks for replying. It works with "cert_file=cert.pem" or "cert_file=fullchain.pem". Thought that could be an issue. Left it at cert.pem for now.

3 Likes

If it works with fullchain.pem, I'd prefer to use it.

3 Likes

I'll set it back & let run for a month.

1 Like

SOLVED!

Had to add the preferred-chain = "ISRG Root X1" directive to cli.ini.
Let's Encrypt was defaulting to the old defective chain.

1 Like
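To see which chain a renewed fullchain.pem actually carries, here is an added example (not code from any poster in this thread) that walks a PEM bundle with the openssl CLI and reports whether the last certificate is cross-signed by DST Root CA X3 (the long default chain) or stops at ISRG Root X1 (the chain selected by preferred-chain). The file path and the function names are assumptions for the example.

```shell
#!/bin/sh
# Inspect a PEM bundle such as certbot's fullchain.pem (path is an assumption).
# Requires the openssl command-line tool.

# Count the certificates in a PEM bundle.
pem_count() {
    awk '/-----BEGIN CERTIFICATE-----/{n++} END{print n+0}' "$1"
}

# Extract the N-th certificate (1-based) from a PEM bundle.
pem_nth() {
    awk -v want="$2" '/-----BEGIN CERTIFICATE-----/{n++}
                      n==want{print}
                      /-----END CERTIFICATE-----/{if (n==want) exit}' "$1"
}

# Print subject, issuer and expiry of every certificate, in bundle order.
chain_report() {
    total=$(pem_count "$1")
    i=1
    while [ "$i" -le "$total" ]; do
        echo "--- certificate $i of $total"
        pem_nth "$1" "$i" | openssl x509 -noout -subject -issuer -enddate
        i=$((i + 1))
    done
}

# Classify the chain by the issuer of its last certificate:
#   long  = ends with ISRG Root X1 cross-signed by DST Root CA X3 (old default)
#   short = ends with the intermediate issued by ISRG Root X1 (preferred-chain)
chain_kind() {
    last=$(pem_nth "$1" "$(pem_count "$1")" | openssl x509 -noout -issuer)
    case "$last" in
        *"DST Root CA X3"*) echo long ;;
        *"ISRG Root X1"*)   echo short ;;
        *)                  echo other ;;
    esac
}

# Usage: sh chaincheck.sh /etc/letsencrypt/live/example/fullchain.pem
if [ -n "$1" ]; then
    chain_report "$1"
    echo "chain kind: $(chain_kind "$1")"
fi
```

If the report says "long" after the DST Root CA X3 expiry, reissue with the preferred-chain directive and restart Asterisk so it loads the new file.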

Glad you got it working. Just noting the default chain is there for a reason and is not defective. In fact, this forum uses that default chain 🙂

While suitable for most purposes it apparently was not for your special case. That is why an alternate chain is provided.

5 Likes