I am running a FreePBX with a SIP trunk from my internet provider (M-net).
The SIP connection (PJSIP) goes over TLS on port 5061 and SRTP is enabled for media transfer.
Everything worked without any problems.
Now my ISP sent me the following letter (translated):
You are using your SIP trunk with the option “encryption”. The current M-net VoIP certificate expires at the end of May 2021 and will unfortunately not be renewed by the corresponding issuer (Comodo).
For this reason, we hereby ask you to add another certificate on your IP-PBX.
To ensure that you can continue to make encrypted calls via your M-net connection in the future, the following steps must be carried out by your system administrator:
Download of the new certificate (Link: M-net-Root-X1) to your IP-PBX.
Adjustment of the SIP configuration of your IP-PBX with a SIP trunk account: The FQDN business02.mnet-voip.de must be configured as outbound proxy.
The IP-PBX now establishes a TCP connection and then a TLS connection. SIP messages can then be sent over this TLS connection.
Execution of test calls (incoming and outgoing)
We recommend that you carry out this adjustment outside your business hours, as calls may be interrupted for a short time.
When I try to set these changes, the connection no longer works.
As soon as I enter the desired server in ‘Outbound Proxy’ in the SIP Trunk settings, the connection is ‘Rejected’.
I have tried different settings for ‘Transport’, ‘Server’ and ‘Outbound-Proxy’, but without success.
I have not uploaded the certificate to the FreePBX, nor would I know where it would be stored. But I think that maybe this is not necessary, because I didn’t have to upload the old certificate either.
What am I doing wrong? How can I find out the error?
Yes, that’s right, now I see it too.
When I look at the certificate it says ‘Certificate Authority root certificate is not trusted’.
This could be the reason why it doesn’t work anymore.
I don’t know why the provider here doesn’t want to or can’t buy a certificate. I will ask here by phone.
Is there a possibility to store this certificate/CA in the PBX?
And if so how exactly do I do that?
I uploaded the certificate as described.
Then I executed ‘update-ca-trust extract’.
With the following command I checked if the certificate is correctly stored at the CAs:
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.crt
As output I get among others: subject= /CN=M-net-Root-X1
So everything seems to be entered correctly.
Then I changed the settings as described, the connection is ‘registered’ and telephony works as usual.
But not with the described outbound proxy FQDN ‘business02.mnet-voip.de’.
If I enter this proxy the telephony does not work.
If I leave out the outbound proxy and only enter the original FQDN ‘business.mnet-voip.de’ as server it works.
I find this strange, because it is described differently to me by the provider. It works, so I don’t want to complain, but I don’t understand it.
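The bundle check above lists subjects but says nothing about expiry, which is what this whole thread is about. The following script is an added example, not the poster's own commands: it splits a PEM bundle into individual certificates, reports each CN, and checks that a CA with a given CN is both present and valid for a minimum period. It assumes openssl and awk are installed; the bundle path and CN are passed as arguments (the ones from the thread are only examples).

```shell
#!/bin/sh
# Added example, not part of the original post: check that a CA certificate
# with a given subject CN is present in a PEM bundle (such as the thread's
# /etc/ssl/certs/ca-bundle.crt) and still valid for a minimum period.
# Assumes openssl and awk are installed; file and CN values are arguments.

# Split a PEM bundle into one file per certificate inside directory $2.
# Comment lines between certificates end up in the previous file; openssl
# ignores text outside the BEGIN/END markers, so that is harmless.
split_bundle() {
    awk -v dir="$2" \
        '/-----BEGIN/ { n++; out = sprintf("%s/%04d.pem", dir, n) }
         n { print > out }' "$1"
}

# Subject CN of a single PEM certificate file (one RDN per line, then grep CN).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^[[:space:]]*CN=//p'
}

# Print the CN of every certificate in bundle $1, one per line.
list_bundle_cns() {
    tmp=$(mktemp -d)
    split_bundle "$1" "$tmp"
    for f in "$tmp"/*.pem; do cert_cn "$f"; done
    rm -rf "$tmp"
}

# Return 0 if bundle $1 contains a cert with CN $2 that is still valid for at
# least $3 seconds (default 30 days). A CA that is present but about to
# expire, like the one described in the thread, is therefore reported as bad.
bundle_has_valid_cn() {
    bundle="$1"; want="$2"; min="${3:-2592000}"
    tmp=$(mktemp -d); rc=1
    split_bundle "$bundle" "$tmp"
    for f in "$tmp"/*.pem; do
        [ "$(cert_cn "$f")" = "$want" ] || continue
        if openssl x509 -in "$f" -noout -checkend "$min" >/dev/null; then
            rc=0
        fi
    done
    rm -rf "$tmp"
    return $rc
}

# Usage: sh check_ca.sh /etc/ssl/certs/ca-bundle.crt M-net-Root-X1
if [ $# -ge 2 ]; then
    bundle_has_valid_cn "$1" "$2" && echo "OK: $2 present and valid" \
        || echo "MISSING or expiring within 30 days: $2"
fi
```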
Ah ok, that sounds logical.
I don’t see the proxy entries when I search with ‘dig _sip._tcp.business.mnet-voip.de SRV’ but somehow they will be entered, at least it works.
I have tried that in all possible combinations; it had not worked. But it is ok if the way can be determined independently.