Install Twilio ca-bundle.crt file

I am running the current version of the FreePBX distro and got the email below from Twilio, which I am sure lots of folks got. I downloaded the ca-bundle.crt and cannot figure out how to install it. I put it in /etc/asterisk/keys but cannot import it. Any ideas on how to get this entered as they indicate?

from Twilio:
You’re receiving this email from Twilio because you’re a current Twilio Programmable Voice SIP Interface and/or Elastic SIP trunking customer that uses SIP over TLS in our Ashburn/US1 edge location.

What do you need to know?

Effective June 22, 2023, the TLS certificate used by Twilio’s SIP infrastructure will expire. To ensure that you can continue to connect with Twilio using SIP, your SIP infrastructure must trust the root Certificate Authority (CA) that our certificates are signed with.

Why is this happening?

As part of our regular maintenance to our systems, we annually renew the TLS certificate used by our SIP infrastructure. We try to keep the same root CA when possible; however, with the latest upgrade of the certificate on our Ashburn/US1 SIP edge, the root CA is different from the one we previously used. This is due to our signing authority, Digicert, changing the version of their root CA in accordance with Mozilla’s distrust policy.

What do you need to do?

Make sure your equipment trusts all CAs listed in our public documentation and download our trusted CA bundle by June 22, 2023.

The following certificates are critical to connecting your equipment with Twilio:

DigiCert Global Root G2 (new)
You can download the new certificate directly from Digicert.
DigiCert Global Root CA (old)

For more information, review Elastic SIP Trunking - Importing Twilio’s Root CA Certificate and Programmable Voice SIP Interface - Importing Twilio’s Root CA Certificate. You can also refer to the vendor(s) of your SIP infrastructure on how to load the CA in your servers.

What if you don’t take action?

If you don’t take action, all Programmable Voice SIP and/or Elastic SIP Trunking calls that use TLS for encryption will fail after June 22, 2023.

Sincerely,

Team Twilio

You can edit /etc/asterisk/pjsip.transports.conf, but be careful that cert updates don’t overwrite it. I don’t think it will unless you change the default, but I don’t use the certs module anymore.

I’m not sure what to edit. Nothing specifies any certs.

;--------------------------------------------------------------------------------;
; Do NOT edit this file as it is auto-generated by FreePBX. ;
;--------------------------------------------------------------------------------;
; For information on adding additional paramaters to this file, please visit the ;
; FreePBX.org wiki page, or ask on IRC. This file was created by the new FreePBX ;
; BMO - Big Module Object. Any similarity in naming with BMO from Adventure Time ;
; is totally deliberate. ;
;--------------------------------------------------------------------------------;
#include pjsip.transports_custom.conf

[0.0.0.0-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060
external_media_address=my_ip
external_signaling_address=my_ip
allow_reload=no
tos=cs3
cos=3
local_net=192.168.2.0/24
local_net=192.168.2.0/24

Presumably you are supposed to be communicating over TLS transport and not UDP, in which case you will find something like

[0.0.0.0-tls]
.
.
ca_list_file=/etc/ssl/certs/ca-certificates.crt
.
.

and presumably you would need to add their certificate to that file and use the TLS transport
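One way to do the merge suggested in the last reply, as an added example that is not part of the original thread: it appends a root CA to the file named by `ca_list_file` only if no certificate with the same SHA-256 fingerprint is already in it. The function names are hypothetical, and the PEM blocks in `demo()` are constructed stand-ins rather than real certificates.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """Return the SHA-256 fingerprint (hex) of every certificate block in pem_text."""
    out = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        out.append(hashlib.sha256(der).hexdigest())
    return out

def add_root_to_bundle(bundle_path, root_pem):
    """Append root_pem to the bundle unless it is already present.
    Returns True if the bundle file was changed."""
    new = fingerprints(root_pem)
    if len(new) != 1:
        raise ValueError("expected exactly one certificate in the root file")
    bundle = Path(bundle_path)
    current = bundle.read_text() if bundle.exists() else ""
    if new[0] in fingerprints(current):
        return False  # already trusted, leave the file untouched
    # A bundle that lacks a trailing newline would glue END/BEGIN markers together.
    sep = "" if current.endswith("\n") or not current else "\n"
    bundle.write_text(current + sep + root_pem.strip() + "\n")
    return True

def fake_pem(payload):
    # Constructed stand-in, NOT a real certificate: only the PEM framing is real.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

def demo():
    old_root = fake_pem(b"constructed old root")
    new_root = fake_pem(b"constructed new root")
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "ca-certificates.crt"   # stands in for ca_list_file
        path.write_text(old_root.rstrip("\n"))   # bundle without trailing newline
        first = add_root_to_bundle(path, new_root)
        second = add_root_to_bundle(path, new_root)  # second run must be a no-op
        return first, second, len(fingerprints(path.read_text()))

if __name__ == "__main__":
    print(demo())
```

On a real system, back up the bundle first and compare the fingerprint of the downloaded root with the value DigiCert publishes before appending it.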
