Sorry Lonnie

Here is the error I'm getting after an Asterisk reload:

[Feb  4 17:13:48] ERROR[17736]: tcptls.c:524 __ssl_setup: TLS/SSL CA file(/mnt/kd/ssl/sip-tls/keys/ca.crt)/path() error
[Feb  4 17:13:48] ERROR[17736]: tcptls.c:126 write_openssl_error_to_log: 23216157824768:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/mnt/kd/ssl/sip-tls/keys/ca.crt','r')
23216157824768:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
23216157824768:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:crypto/x509/by_file.c:199:

I tried the 'openssl s_client -connect 127.0.0.1:5061 -showcerts </dev/null | 
openssl x509 -noout -issuer' and it seemed to show the correct info.

Strange!


Regards

Michael Knill



From: Lonnie Abelbeck <[email protected]>
Date: Wednesday, 4 February 2026 at 6:23 am
To: AstLinux Users Mailing List <[email protected]>
Subject: Re: [Astlinux-users] Certificate authority files missing

Hi Michael,

I have not seen any issues related to SIP-TLS certificates.

When the ACME certs get renewed (via CRON) depending on what is checked "ACME 
Deploy Service"

The ACME, Let's Encrypt cert gets installed and the service is restarted.

You can test what is the issuer from the localhost shell

## HTTPS
$ openssl s_client -connect 127.0.0.1:443 -showcerts </dev/null | openssl x509 -noout -issuer
...
issuer=C = US, O = Let's Encrypt, CN = R12

## SIP-TLS
$ openssl s_client -connect 127.0.0.1:5061 -showcerts </dev/null | openssl x509 -noout -issuer
...
issuer=C = US, O = Let's Encrypt, CN = R12

$ ls -l /mnt/kd/ssl/sip-tls/keys/
total 8
-rw-r--r--    1 root     root          3620 Dec 21 01:18 server.crt
-rw-------    1 root     root          1679 Dec 21 01:18 server.key

There are no ca.crt or ca.key files since they are ACME; only self-signed needs 
those files.

What Asterisk error are you getting?

The SIP-TLS self-signed cert can be generated, but with warnings of overwriting 
the Let's Encrypt version.

Lonnie
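
Added example (not part of the original thread, and not AstLinux or Asterisk code): a POSIX shell check that lists the TLS file options in an Asterisk config and flags any that point at a missing file, such as the ca.crt in the error above. The option names are those of chan_sip and the PJSIP transport; the function name and which config file a given system uses are assumptions.

```shell
#!/bin/sh
# Added example: report Asterisk TLS file options whose target is unreadable.
# Option names: chan_sip (sip.conf) and PJSIP transport (pjsip.conf).
TLS_KEYS='tlscafile|tlscertfile|tlsprivatekey|ca_list_file|cert_file|priv_key_file'

# audit_tls_files CONF   (hypothetical helper name)
# Prints one "OK"/"MISSING" line per TLS file option found in CONF.
# Returns 0 if every referenced file is readable, 1 if any is missing,
# 2 if CONF itself cannot be read.
audit_tls_files() {
    atf_conf=$1
    atf_missing=0
    [ -r "$atf_conf" ] || { echo "cannot read $atf_conf" >&2; return 2; }

    # Drop ';' comments, then keep "option = /path" lines as "option /path".
    atf_list=$(sed -E -n \
        -e 's/;.*$//' \
        -e "s/^[[:space:]]*($TLS_KEYS)[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*\$/\1 \2/p" \
        "$atf_conf")

    while read -r atf_key atf_path; do
        [ -n "$atf_key" ] || continue   # an empty list still yields one blank line
        if [ -r "$atf_path" ]; then
            printf '%-8s%s %s\n' OK "$atf_key" "$atf_path"
        else
            # A configured path that cannot be opened is what the log above reports.
            printf '%-8s%s %s\n' MISSING "$atf_key" "$atf_path"
            atf_missing=1
        fi
    done <<EOF
$atf_list
EOF
    return "$atf_missing"
}

# Stand-alone use: sh audit_tls.sh /path/to/config   (path is site-specific)
if [ "$#" -gt 0 ]; then
    audit_tls_files "$1"
fi
```

Running it after each certificate deployment shows whether the config still names a CA file that the deployed certificate set does not provide.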




> On Feb 2, 2026, at 8:02 PM, Michael Knill <[email protected]> 
> wrote:
>
> Hi Team
>
> An email from my developer.
>
> Regards
> Michael Knill
>
> From: Matthew Knill <[email protected]>
> Date: Tuesday, 3 February 2026 at 12:51 pm
> To: Michael Knill <[email protected]>
> Subject: Certificate authority files missing
>
> We have noticed that for a number of our systems, the ca.key and ca.crt files 
> were missing in /mnt/kd/ssl/sip-tls/keys/ which ended up causing errors in 
> Asterisk. We update our SSL certificates using Let's Encrypt, however, it 
> seems that these files are not actually changed by Let's Encrypt at all and 
> are exclusively self-signed.
>
> I have been unable to figure out why the files did not exist for this 
> specific system. Looking through the system, I did find that the ast_tls_cert 
> script does seem to be what generates these files, though I was unable to 
> figure out where and how it’s actually run…
>
> Regards,
> Matthew Knill
>
> _______________________________________________
> Astlinux-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to 
> [email protected].


