TLS for AMI/HTTP Not Working

Hello,

we have been utilizing an Asterisk plugin within a monitoring tool to keep an eye on many of our deployments; it connects to the AMI for polling over HTTPS. Recently we noticed a wave of deployments disconnect, and after investigating noticed that each of those deployments is no longer showing as TLS enabled for AMI. We tried removing and reapplying the tlsenable setting both in the custom file and directly within manager.conf, with no luck.

Anyone else seeing this behavior?

manager_custom.conf

[general] (+)
webenabled=yes
tlsenable=yes
tlsbindport=5039
tlsbindaddr=0.0.0.0
tlscertfile=/etc/httpd/pki/webserver.crt
tlsprivatekey=/etc/httpd/pki/webserver.key

*CLI> manager show settings

Global Settings:

Manager (AMI): Yes
Web Manager (AMI/HTTP): Yes
TCP Bindaddress: 127.0.0.1:5038
HTTP Timeout (seconds): 60
TLS Enable: No
TLS Bindaddress: Disabled
TLS Certfile: /etc/httpd/pki/webserver.crt
TLS Privatekey: /etc/httpd/pki/webserver.key
TLS Cipher:
Allow multiple login: Yes
Display connects: No
Timestamp events: No
Channel vars:
Disabled events:
Debug: No

The cert and key file location needs to be either the same as, or a symlink/link to, a valid one. How did you create them?

ls -l /etc/httpd/pki/*
ls -l /etc/asterisk/keys/*

The cert information you see above I supplied referencing the same cert/key from the Apache config for the admin portal knowing that it’s managed by certificate manager.

I believe that the FreePBX ‘certificate manager’ will primarily place them in /etc/asterisk/keys; what you have in /etc/httpd/pki will not be so associated.

Now, AMI over 5039 is way too forgiving given it is 2023, but you will need to at least enable it; you have

TLS Enable: No

> Now AMI over 5039 is way too forgiving given it is 2023 but you will need to at least enable it, you have
>
> TLS Enable: No

This is actually the exact issue I’m posting about. You can see above in my manager_custom.conf where I explicitly defined “tlsenable=yes”, but as you pointed out it’s still reporting as being disabled in the output of “manager show settings”. I know it’s reading my config because it populated the certificate path information along with enabling the web manager, which was set to disabled out of the box; it just seems as though it’s ignoring the TLS setting I provided in my config.

@lgaetz Have you seen anything like this in passing?

No. But none of the systems I would routinely access are using custom conf files for manager/http.


Well, @dicko takes the gold. Although the certificates are published and current within /etc/httpd/pki, Asterisk didn’t actually have access to them in this location. I went ahead and referenced the copies located in /etc/asterisk/keys and the TLS listener came up.
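The root cause here was a cert/key path that Asterisk could not read, which "manager show settings" only surfaces as "TLS Enable: No". The following check, added here as an example and not code from the original posts or from FreePBX/Asterisk, parses the [general] section of a manager.conf-style file (including the "(+)" append syntax) and reports whether the configured files are readable as a given uid/gid set; it assumes you pass the asterisk service account's ids (e.g. from pwd/grp), since checking as root would pass trivially, and it does not check parent-directory traversal permissions.

```python
import os
import re
import stat

TLS_FILE_KEYS = ("tlscertfile", "tlsprivatekey")   # settings that name files

def parse_manager_conf(text):
    """Return the [general] settings as a dict. A '[general](+)' header appends
    to the section, which is how FreePBX's manager_custom.conf is applied."""
    settings, in_general = {}, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            in_general = header.group(1).strip() == "general"
            continue
        if in_general and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def readable_by(path, uid, gids):
    """True if a non-root process running as uid/gids could open path for
    reading, judged from owner, group and mode bits (symlinks are followed)."""
    try:
        st = os.stat(path)
    except OSError:                                   # missing or dangling link
        return False
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def check_ami_tls(conf_text, uid, gids):
    """List the problems that would keep the AMI TLS listener from coming up
    with this config; an empty list means the settings and files look usable."""
    settings = parse_manager_conf(conf_text)
    problems = []
    if settings.get("tlsenable", "no").lower() not in ("yes", "true", "1"):
        problems.append("tlsenable is not yes")
    for key in TLS_FILE_KEYS:
        path = settings.get(key)
        if not path:
            problems.append(f"{key} not set")
        elif not readable_by(path, uid, gids):
            problems.append(f"{key}={path} is not readable as uid {uid}")
    return problems
```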
