No more SIPS/SRTP connection possible after provider changed certificate and settings


(Just Another User) #1

Hi all,

I am running a FreePBX with a SIP trunk from my internet provider (M-net).
The SIP connection (PJSIP) goes over TLS on port 5061 and SRTP is enabled for media transfer.
Everything worked without any problems.

Now my ISP sent me the following letter (translated):

You are using your SIP trunk with the option “encryption”. The current M-net VoIP certificate expires at the end of May 2021 and will unfortunately not be renewed by the corresponding issuer (comodo).

For this reason, we hereby ask you to add another certificate on your IP-PBX.

To ensure that you can continue to make encrypted calls via your M-net connection in the future, the following steps must be carried out by your system administrator:

  • Download of the new certificate (Link: M-net-Root-X1) to your IP-PBX.
  • Adjustment of the SIP configuration of your IP-PBX with a SIP trunk account: The FQDN must be configured as outbound proxy.
  • The IP-PBX now establishes a TCP connection and then a TLS connection. SIP messages can then be sent over this TLS connection.
  • Execution of test calls (incoming and outgoing)

We recommend that you carry out this adjustment outside your business hours, as calls may be interrupted for a short time.

When I try to set these changes, the connection no longer works.
As soon as I enter the desired server in ‘Outbound Proxy’ in the SIP Trunk settings, the connection is ‘Rejected’.
I have tried different settings for ‘Transport’ and ‘Server’ and ‘Outbound-Proxy’ but without success.

I have not uploaded the certificate to the FreePBX, nor would I know where it would be stored. But I think that maybe this is not necessary, because I didn’t have to upload the old certificate either.

What am I doing wrong? How can I find out the error?

Many greetings.

(Simon Telephonics) #2

They are asking you to trust their own self signed cert. This is unusual. Why won’t/can’t they pay to renew a certificate?

(Just Another User) #3

yes that’s right now I see it too.
When I look at the certificate it says ‘Certificate Authority root certificate is not trusted’.
This could be the reason why it doesn’t work anymore.

I don’t know why the provider here doesn’t want to or can’t buy a certificate. I will ask here by phone.

Is there a possibility to store this certificate/CA in the PBX?
And if so how exactly do I do that?

Many greetings.

(Simon Telephonics) #4

Yes, using the tool update-ca-trust:

To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:

  • add it as a new file to directory /etc/pki/ca-trust/source/anchors/
  • run update-ca-trust extract

(Just Another User) #5

Great, I will try this over the weekend and report back.
Thanks for the quick response, great community here.

Many greetings.

(Just Another User) #6

I uploaded the certificate as described.
Then I executed ‘update-ca-trust extract’.
With the following command I checked if the certificate is correctly stored at the CAs:
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.crt

As output I get among others: subject= /CN=M-net-Root-X1
So everything entered correctly as it seems to me.

Then I changed the settings as described, the connection is ‘registered’ and telephony works as usual.

But not with the described outbound proxy FQDN ‘’.
If I enter this proxy the telephony does not work.

If I leave out the outbound proxy and only enter the original FQDN ‘’ as server it works.

I find this strange, because it is described differently to me by the provider. It works, so I don’t want to complain, but I don’t understand it.

Thanks for the fast and competent help.

Many greetings
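A check that goes one step beyond the subject match in #6, added here as an example (it is not a command from the thread or from FreePBX): it confirms that the anchor file placed in the directory from #4 is in the extracted bundle by comparing SHA-256 fingerprints, since a name match alone would also accept any certificate that merely carries the CN ‘M-net-Root-X1’. It assumes openssl and awk are on PATH and uses the CentOS default paths, which can be overridden with the two variables.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a provider root dropped into
# /etc/pki/ca-trust/source/anchors/ and extracted with `update-ca-trust extract`
# really is in the system bundle, matched by SHA-256 fingerprint rather than by
# subject name. The fingerprint identifies the exact file the provider shipped.
# Assumes openssl and awk on PATH; paths are CentOS/FreePBX defaults.

ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"
BUNDLE="${BUNDLE:-/etc/ssl/certs/ca-bundle.crt}"

# SHA-256 fingerprint (colon-separated hex) of a single PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprints of every certificate in a PEM bundle, one per line. Each BEGIN
# line starts a fresh openssl process so every block is hashed on its own.
bundle_fingerprints() {
    awk -v cmd='openssl x509 -noout -fingerprint -sha256' \
        '/BEGIN/{close(cmd)};{print | cmd}' < "$1" | cut -d= -f2
}

# Exit 0 if the certificate in $1 is present in bundle $2, 1 otherwise.
anchor_in_bundle() {
    fp=$(cert_fingerprint "$1") || return 1
    bundle_fingerprints "$2" | grep -Fqx "$fp"
}

# Create a constructed self-signed root (CN=$1) at $2; used for self-tests only.
make_test_root() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 1 -subj "/CN=$1" -keyout "$2.key" -out "$2" 2>/dev/null
}

# Stand-alone use: `sh check-anchors.sh --check` reports every anchor file.
if [ "$1" = "--check" ]; then
    for f in "$ANCHOR_DIR"/*; do
        [ -f "$f" ] || continue
        if anchor_in_bundle "$f" "$BUNDLE"; then
            echo "present: $f"
        else
            echo "MISSING: $f (run: update-ca-trust extract)"
        fi
    done
fi
```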

(Simon Telephonics) #7

The TLS SRV record for has proxies defined so Asterisk uses them.

If you want to use the proxy given to you the format would be\;lr , I believe.

(Just Another User) #8

Ah ok, that sounds logical.
I don’t see the proxy entries when I search with ‘dig SRV’ but somehow they will be entered, at least it works.

I have tried that in all possible combinations, had not worked. But it is ok if the way can be determined independently.

I’m happy. Many thanks again.
