On 7/5/19 9:32 PM, John Runyon wrote:
> On Fri, 5 Jul 2019 at 14:28, hw <h...@gc-24.de> wrote:
>> I thought about that and checked the configuration I've been using to
>> create the certificate, and I can't see anywhere that it would expire
>> earlier than after 3650 days. Is there another way to check this?
>
> openssl verify -CAfile ca.crt server.crt

openssl verify -CAfile ca.pem asterisk.pem
asterisk.pem: OK

When I set tlsdontverifyserver=yes, it works (i.e. asterisk registers
to the SIP provider and there is no error message). Otherwise I'm
getting the error message and asterisk does not register.
Reading the comments in sip.conf.sample, I would assume that asterisk
cannot verify the certificate of the SIP provider. Yet
openssl s_client -connect secure.sip.easybell.de:5061
seems to verify the certificate just fine. Previous tests seemed to
show the asterisk is trying to verify its own certificate instead, or
as well.
What exactly is asterisk trying to verify, and what fails the
verification?
Suspicious is this:
[Jul 5 12:48:00] NOTICE[7015]: chan_sip.c:30416 sip_poke_noanswer: Peer 'aaa' is now UNREACHABLE! Last qualify: 55
== TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled
== TLS/SSL certificate ok
[Jul 5 12:48:08] ERROR[1482]: tcptls.c:173 handle_tcptls_connection: Certificate did not verify: unable to get local issuer certificate
That's the point at which the certificate suddenly stopped working after
the SIP provider became unreachable. Why?
asterisk-users mailing list
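The following is an added example, not part of the original message or of Asterisk. It reproduces offline the two openssl results seen in the thread: a certificate checked against the CA that signed it verifies OK, while a certificate whose issuer is absent from the given CA file fails with "unable to get local issuer certificate". All CA names, subjects and file names are constructed throwaway values, and the script assumes a reasonably recent `openssl` binary on the PATH.

```shell
#!/usr/bin/env bash
# Constructed demo: every name, subject and file below is a throwaway value.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA key and certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue CA NAME: create a key for NAME and a certificate signed by CA.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 3650 \
    -out "$WORK/$2.crt" 2>/dev/null
}

# check CAFILE CERT: print "OK", or the reason openssl gives for the failure.
check() {
  local out
  if out=$(openssl verify -CAfile "$WORK/$1" "$WORK/$2" 2>&1); then
    echo "OK"
  else
    echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n1
  fi
}

make_ca own-ca            # stands in for the CA that signed the local certificate
make_ca provider-ca       # stands in for the CA that signed the remote certificate
issue own-ca asterisk     # local certificate
issue provider-ca provider  # remote certificate
# A CA bundle that contains both issuers.
cat "$WORK/own-ca.crt" "$WORK/provider-ca.crt" > "$WORK/both.crt"

# Local certificate against its own CA: passes, but says nothing about the peer.
echo "local cert,  own CA only: $(check own-ca.crt asterisk.crt)"
# Remote certificate against a CA file that lacks its issuer: fails.
echo "remote cert, own CA only: $(check own-ca.crt provider.crt)"
# Remote certificate against a bundle that includes its issuer: passes.
echo "remote cert, both CAs:    $(check both.crt provider.crt)"
```

To run the same comparison on a live system, pass `openssl verify` the CA file that the verifying application is actually configured with (for chan_sip, the `tlscafile` setting in sip.conf) instead of relying on the system trust store.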