Certificate chain error over TLS

I got a Sectigo certificate to use for TLS connections for endpoints. I installed it with the Certificate Manager module, and it functions fine when installed for HTTPS on the server.

The problem is when using it for TLS.

Trying various clients, they all fail to connect. I ended up using the eyeBeam softphone because it gives nice logs of the problems.

It is showing:

"Error when verifying server’s chain of certificates: certificate signature failuredepth=2 /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
" |
“TLS connection failed ok=-1 err=1 error:00000001:lib(0):func(0):reason(1)” |
Error (min) RESIP:TRANSPORT | “error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm” |
Error (min) RESIP:TRANSPORT | “Error code = 218665121 file=.\crypto\asn1\a_verify.c line=141” |
Error (min) RESIP:TRANSPORT | “error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed” |
Error (min) RESIP:TRANSPORT | “Error code = 336134278 file=.\ssl\s3_clnt.c line=844” |
Error (min) RESIP:TRANSPORT | “Couldn’t TLS connect” |
Info (more) RESIP:TRANSPORT | “Write failed on socket: 2944, closing connection” |

Anyone got a clue on this?

When you imported the cert, did you first make that cert a combined cert that includes the CA chain?

I put all three items in their places: the key in the key spot, the certificate in the certificate spot, and the chain in the chain spot. Are you saying I should also put the chain in the certificate spot?

I went ahead and tested a Let’s Encrypt certificate.

I am getting the same error:

[20-11-23]11:57:07.676 | Error (min) RESIP | “Error when verifying server’s chain of certificates: certificate signature failuredepth=1 /C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
" |
[20-11-23]11:57:07.676 | Error (min) RESIP:TRANSPORT | “TLS connection failed ok=-1 err=1 error:00000001:lib(0):func(0):reason(1)” |
[20-11-23]11:57:07.676 | Error (min) RESIP:TRANSPORT | " (SSL Error ssl)” |
[20-11-23]11:57:07.676 | Error (min) RESIP:TRANSPORT | “error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm” |
[20-11-23]11:57:07.676 | Error (min) RESIP:TRANSPORT | “Error code = 218665121 file=.\crypto\asn1\a_verify.c line=141” |
[20-11-23]11:57:07.676 | Error (min) RESIP:TRANSPORT | “error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed” |
[20-11-23]11:57:07.676 | Error (min) RESIP:TRANSPORT | “Error code = 336134278 file=.\ssl\s3_clnt.c line=844” |
[20-11-23]11:57:07.676 | Error (min) RESIP:TRANSPORT | “Couldn’t TLS connect” |
[20-11-23]11:57:07.676 | Info (more) RESIP:TRANSPORT | “Write failed on socket: 3060, closing connection” |

I would recommend checking the files on the (Asterisk server) file system. Use vi to see whether there are any weird characters or anything like that.

“error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm”

seems like possibly file corruption.

Which files could those be?

Look at /etc/asterisk/pjsip.transports.conf and you’ll see the files referenced under the [0.0.0.0-tls] section: ca_list_file, cert_file, and priv_key_file.

I forgot that I had some problems with TLS transport as well. It looks like the issue is so far unaddressed. https://issues.freepbx.org/browse/FREEPBX-20610

Only one other person has corroborated my report. Perhaps because TLS configurations are much less common than plain UDP.

It all looks fine there.

Looking for

error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm

I see something about the OpenSSL version being too old to support newer certificates.

The version I am using in this case is OpenSSL 1.0.1e-fips 11 Feb 2013.

I have TLS set up on a version 15 PBX using Let’s Encrypt and am not having the issue you are describing.
