GeekBoy
November 22, 2020, 9:04pm
1
I got a Sectigo certificate to use for TLS connections for endpoints. I installed it with the Certificate Manager module, and it functions fine when installed for HTTPS for the server.
The problem is when using for TLS.
Trying various clients, they all fail to connect. I ended up using the eyeBeam softphone because it gives nice logs of the problems.
It is showing
"Error when verifying server’s chain of certificates: certificate signature failuredepth=2 /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority" |
“TLS connection failed ok=-1 err=1 error:00000001:lib(0):func(0):reason(1)” |
Error (min) RESIP:TRANSPORT | “error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm” |
Error (min) RESIP:TRANSPORT | “Error code = 218665121 file=.\crypto\asn1\a_verify.c line=141” |
Error (min) RESIP:TRANSPORT | “error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed” |
Error (min) RESIP:TRANSPORT | “Error code = 336134278 file=.\ssl\s3_clnt.c line=844” |
Error (min) RESIP:TRANSPORT | “Couldn’t TLS connect” |
Info (more) RESIP:TRANSPORT | “Write failed on socket: 2944, closing connection” |
Anyone got a clue on this?
sorvani
(Jared Busch)
November 23, 2020, 5:13am
2
When you imported the cert, did you first make that cert a combined cert that includes the CA chain?
GeekBoy
November 23, 2020, 6:00am
3
I put all three items in their places: key in the key spot, the certificate in the certificate spot, and the chain in the chain spot. Are you saying I should also put the chain in the certificate spot?
GeekBoy
November 23, 2020, 5:59pm
4
I went ahead and tested a Let’s Encrypt certificate.
I am getting the same error:
[20-11-23]11:57:07.676 | Error (min) RESIP | “Error when verifying server’s chain of certificates: certificate signature failuredepth=1 /C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3" |
[20-11-23]11:57:07.676 | Error (min) RESIP:TRANSPORT | “TLS connection failed ok=-1 err=1 error:00000001:lib(0):func(0):reason(1)” |
[20-11-23]11:57:07.676 | Error (min) RESIP:TRANSPORT | " (SSL Error ssl)” |
[20-11-23]11:57:07.676 | Error (min) RESIP:TRANSPORT | “error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm” |
[20-11-23]11:57:07.676 | Error (min) RESIP:TRANSPORT | “Error code = 218665121 file=.\crypto\asn1\a_verify.c line=141” |
[20-11-23]11:57:07.676 | Error (min) RESIP:TRANSPORT | “error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed” |
[20-11-23]11:57:07.676 | Error (min) RESIP:TRANSPORT | “Error code = 336134278 file=.\ssl\s3_clnt.c line=844” |
[20-11-23]11:57:07.676 | Error (min) RESIP:TRANSPORT | “Couldn’t TLS connect” |
[20-11-23]11:57:07.676 | Info (more) RESIP:TRANSPORT | “Write failed on socket: 3060, closing connection” |
billsimon
(Bill Simon)
November 23, 2020, 6:02pm
5
I would recommend checking the files on the (Asterisk server) file system. Use vi to see whether there are any weird characters or anything like that.
“error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm”
seems like possibly file corruption.
GeekBoy
November 23, 2020, 6:09pm
6
Which files could those be?
billsimon
(Bill Simon)
November 23, 2020, 6:26pm
7
Look at /etc/asterisk/pjsip.transports.conf and you’ll see the files referenced under the [0.0.0.0-tls] section: ca_list_file, cert_file, and priv_key_file.
billsimon
(Bill Simon)
November 23, 2020, 6:32pm
8
I forgot that I had some problems with TLS transport as well. It looks like the issue is so far unaddressed. https://issues.freepbx.org/browse/FREEPBX-20610
Only one other person has corroborated my report. Perhaps because TLS configurations are much less common than plain UDP.
GeekBoy
November 23, 2020, 7:27pm
9
It all looks fine there.
Looking for
error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm
I see something about the OpenSSL version being too old to support newer certificates.
The version I am using in this case is OpenSSL 1.0.1e-fips 11 Feb 2013
I have TLS set up on a version 15 PBX using Let’s Encrypt and am not having that issue you are describing.
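The two diagnostics raised in this thread (billsimon’s advice to inspect the chain files for weird characters, and the finding that the "unknown message digest algorithm" error points at a signature algorithm the old OpenSSL build cannot verify) can be combined into one small stdlib-only script. This is an added example, not code from the thread or from FreePBX/Asterisk. It reads a PEM chain file such as the ca_list_file referenced in pjsip.transports.conf, flags stray bytes (UTF-8 BOM, CRLF line endings, NUL or non-ASCII bytes), and walks the outer DER layout of each certificate to report its signature algorithm so it can be compared against what the server’s OpenSSL supports. The embedded sample PEM is constructed for illustration and is not a real certificate; the OID table and the minimal DER walker are the script’s own, not a library API.

```python
"""Chain-file checker for a PBX TLS transport (added example, stdlib only).
Diagnostic 1: stray bytes that corrupt PEM parsing.
Diagnostic 2: the signature algorithm of each certificate in the chain,
to compare against what an old OpenSSL build (e.g. 1.0.1) can verify.
The sample PEM at the bottom is constructed, not a real certificate."""
import base64
import re
import sys

# Signature-algorithm OIDs a verifier must recognise.  An "unknown message
# digest algorithm" error means the library has no entry for the one in use.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.10": "rsassaPss",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.3.101.112": "ed25519",
}

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.S)


def pem_problems(data: bytes) -> list:
    """Findings about stray bytes that break PEM parsing in a chain file."""
    findings = []
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("UTF-8 BOM at start of file")
    if b"\r\n" in data:
        findings.append("CRLF line endings (Windows-style)")
    if b"\x00" in data:
        findings.append("NUL bytes (binary DER or UTF-16 text?)")
    if any(b > 0x7E or (b < 0x20 and b not in (0x09, 0x0A, 0x0D)) for b in data):
        findings.append("non-printable or non-ASCII bytes present")
    if b"-----BEGIN" not in data:
        findings.append("no PEM BEGIN marker found")
    return findings


def _read_tlv(buf: bytes, pos: int):
    """Minimal DER tag/length reader: returns (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw: bytes) -> str:
    """Decode DER OBJECT IDENTIFIER contents into dotted form."""
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def signature_algorithm(der: bytes) -> str:
    """Name of the outer signatureAlgorithm of a DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)          # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, "unknown OID " + oid)


def check_chain(data: bytes) -> dict:
    """Run both diagnostics over the raw bytes of a PEM chain file."""
    result = {"problems": pem_problems(data), "signature_algorithms": []}
    for m in PEM_RE.finditer(data):
        try:
            der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
            result["signature_algorithms"].append(signature_algorithm(der))
        except (ValueError, IndexError) as exc:
            result["problems"].append("undecodable certificate block: %s" % exc)
    return result


def _der(tag: int, body: bytes) -> bytes:
    """Short-form DER TLV (body < 128 bytes), enough for the constructed sample."""
    return bytes([tag, len(body)]) + body


# Constructed sample: empty tbsCertificate, sha256WithRSAEncryption
# AlgorithmIdentifier, dummy BIT STRING.  Only the outer layout is real.
SAMPLE_DER = _der(0x30, _der(0x30, b"")
                  + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
                  + _der(0x03, b"\x00\xaa\xbb"))
GOOD_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
            + b"-----END CERTIFICATE-----\n")
BAD_PEM = b"\xef\xbb\xbf" + GOOD_PEM.replace(b"\n", b"\r\n")   # BOM + CRLF

if __name__ == "__main__":
    # Usage: python3 check_chain.py /path/to/ca_list_file  (defaults to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else GOOD_PEM
    for key, value in check_chain(data).items():
        print(key, value)
```

Run it against each of the three files named in the [0.0.0.0-tls] section; an empty problems list plus a signature algorithm the server’s OpenSSL recognises rules out file corruption and narrows the fault to the library version.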
system
(system)
Closed
June 3, 2021, 10:59pm
10
This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.