Oh man. Of course! That was the problem. Thanks so much Lonnie.

Regards
Michael Knill

From: Lonnie Abelbeck <[email protected]>
Date: Wednesday, 4 February 2026 at 10:37 pm
To: AstLinux Users Mailing List <[email protected]>
Subject: Re: [Astlinux-users] Certificate authority files missing

Check your sip.conf file, for ACME certs you only need:
--
# grep -r '/sip-tls/' /etc/asterisk/
/etc/asterisk/sip.conf:tlscertfile=/mnt/kd/ssl/sip-tls/keys/server.crt
/etc/asterisk/sip.conf:tlsprivatekey=/mnt/kd/ssl/sip-tls/keys/server.key
--

Possibly you have 'tlscafile' defined, and the self-signed CA is no longer valid.

Lonnie

> On Feb 4, 2026, at 12:26 AM, Michael Knill <[email protected]> wrote:
>
> Sorry Lonnie
>
> Here is the error I'm getting after an Asterisk reload:
>
> [Feb 4 17:13:48] ERROR[17736]: tcptls.c:524 __ssl_setup: TLS/SSL CA file(/mnt/kd/ssl/sip-tls/keys/ca.crt)/path() error
> [Feb 4 17:13:48] ERROR[17736]: tcptls.c:126 write_openssl_error_to_log:
> 23216157824768:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/mnt/kd/ssl/sip-tls/keys/ca.crt','r')
> 23216157824768:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
> 23216157824768:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:crypto/x509/by_file.c:199:
>
> I tried the 'openssl s_client -connect 127.0.0.1:5061 -showcerts </dev/null | openssl x509 -noout -issuer' and it seemed to show the correct info.
>
> Strange!
>
> Regards
> Michael Knill
>
> From: Lonnie Abelbeck <[email protected]>
> Date: Wednesday, 4 February 2026 at 6:23 am
> To: AstLinux Users Mailing List <[email protected]>
> Subject: Re: [Astlinux-users] Certificate authority files missing
>
> Hi Michael,
>
> I have not seen any issues related to SIP-TLS certificates.
>
> When the ACME certs get renewed (via CRON) depending on what is checked "ACME Deploy Service"
>
> <Screenshot 2026-02-03 at 10.39.37 AM.png>
>
> The ACME, Let's Encrypt cert gets installed and the service is restarted.
>
> You can test what is the issuer from the localhost shell
>
> ## HTTPS
> $ openssl s_client -connect 127.0.0.1:443 -showcerts </dev/null | openssl x509 -noout -issuer
> ...
> issuer=C = US, O = Let's Encrypt, CN = R12
>
> ## SIP-TLS
> $ openssl s_client -connect 127.0.0.1:5061 -showcerts </dev/null | openssl x509 -noout -issuer
> ...
> issuer=C = US, O = Let's Encrypt, CN = R12
>
> $ ls -l /mnt/kd/ssl/sip-tls/keys/
> total 8
> -rw-r--r-- 1 root root 3620 Dec 21 01:18 server.crt
> -rw------- 1 root root 1679 Dec 21 01:18 server.key
>
> There are no ca.crt or ca.key files since they are ACME, only self-signed needs those files.
>
> What Asterisk error are you getting?
>
> The SIP-TLS self-signed cert can be generated, but with warnings of overwriting the Let's Encrypt version.
>
> Lonnie
>
> > On Feb 2, 2026, at 8:02 PM, Michael Knill <[email protected]> wrote:
> >
> > Hi Team
> >
> > An email from my developer.
> >
> > Regards
> > Michael Knill
> >
> > From: Matthew Knill <[email protected]>
> > Date: Tuesday, 3 February 2026 at 12:51 pm
> > To: Michael Knill <[email protected]>
> > Subject: Certificate authority files missing
> >
> > We have noticed that for a number of our systems, the ca.key and ca.crt files were missing in /mnt/kd/ssl/sip-tls/keys/ which ended up causing errors in Asterisk. We update our SSL certificates using Let's Encrypt, however, it seems that these files are not actually changed by Let's Encrypt at all and are exclusively self-signed.
> > I have been unable to figure out why the files did not exist for this specific system. Looking through the system, I did find that the ast_tls_cert script does seem to be what generates these files, though I was unable to figure out where and how it's actually run…
> >
> > Regards,
> > Matthew Knill
> >
> > _______________________________________________
> > Astlinux-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >
> > Donations to support AstLinux are graciously accepted via PayPal to [email protected].
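
The failure diagnosed in this thread (a sip.conf TLS option still naming a file that is no longer on disk) can be checked for before an Asterisk reload. The script below is an added example, not part of the original messages and not AstLinux code; the function names, the temporary directory and the sample sip.conf are constructed for illustration.

```shell
# Added example, not AstLinux code: flag sip.conf TLS options whose file is gone.

# check_tls_paths CONF
# Prints "MISSING <option> <path>" for each tlscertfile / tlsprivatekey /
# tlscafile that names an unreadable file. Returns 1 if any are missing.
check_tls_paths() {
    conf=$1
    status=0
    # Drop ';' comments, then keep only the file-valued TLS options.
    opts=$(sed 's/;.*$//' "$conf" | awk '
        /^[ \t]*(tlscertfile|tlsprivatekey|tlscafile)[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            print key, val
        }')
    while read -r key path; do
        [ -n "$key" ] || continue
        if [ ! -r "$path" ]; then
            echo "MISSING $key $path"
            status=1
        fi
    done <<EOF
$opts
EOF
    return "$status"
}

# Constructed sample: an ACME-style keys directory (server.crt and server.key
# only) plus a sip.conf that still carries a tlscafile line from a
# self-signed setup. Paths live under a temp dir, not /mnt/kd.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/keys"
    : > "$d/keys/server.crt"
    : > "$d/keys/server.key"
    cat > "$d/sip.conf" <<EOF
[general]
tlsenable=yes
tlscertfile=$d/keys/server.crt
tlsprivatekey = $d/keys/server.key
tlscafile=$d/keys/ca.crt   ; left over from the self-signed cert
EOF
    echo "$d"
}

demo_dir=$(make_demo)
check_tls_paths "$demo_dir/sip.conf" || echo "fix or remove the options listed above"
rm -rf "$demo_dir"
```

On a real system the function would be pointed at /etc/asterisk/sip.conf, for example from the job that runs after certificate renewal.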
