Unable to load SSL certificate for port 5161 but port 443 works


(HawkEye) #1

Hi,
The certificate used in Certificate Management is not working. The certificate is valid; however, openssl s_client -connect redacted.domain.tld:5161 | openssl x509 -noout -dates
shows it cannot load the certificate, when in fact I know the cert just loaded in Certificate Management is perfectly valid — Valid Until 2022-01-17 (358 days)

When running the openssl s_client -connect command as above, it displays:
error:2008A067:BIO routines:BIO_connect:connect error:…/crypto/bio/b_sock2.c:111:
connect:errno=111
unable to load certificate

The certificate is EXACTLY the same as what the web server is using for key, ssl cert and ca-bundle.crt.

In Certificate Manager I deleted the key and then deleted /etc/asterisk/keys/integration/*. Added the new cert/key/bundle again in Certificate Manager and set it as default. That did not change anything. Tried fwconsole restart; that did not change anything either.

When running openssl s_client -connect host.domain.tld:443 | openssl x509 -noout -dates it loads correctly with correct dates…

depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = REDACTED
verify return:1
notBefore=Jan 17 00:00:00 2021 GMT
notAfter=Jan 17 23:59:59 2022 GMT

Any help is appreciated.
Thanks.


(Simon Telephonics) #2

TCP socket error 111 is connection refused. Your firewall is probably blocking.
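One way to separate the two failure modes billsimon points to, as an added example that is not part of this thread: a POSIX shell probe that classifies an openssl s_client run as a refused TCP connection, a port that answers but presents no usable certificate, or a certificate whose validity dates were read. It assumes openssl(1) is installed; HOST and PORT are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): tell a refused TCP connection apart from a
# real certificate problem when probing a TLS port, the way the first post did
# for 5161 vs 443. Assumes openssl(1) is installed; HOST/PORT are placeholders.

# classify_probe reads the combined output of an `openssl s_client | openssl x509`
# run on stdin and prints one verdict:
#   REFUSED  - TCP connect failed (errno 111), so no TLS handshake happened;
#              "unable to load certificate" from x509 is only a downstream symptom
#   CERT_OK  - a certificate was presented and its validity dates were parsed
#   NO_CERT  - the port answered but no usable certificate came back
classify_probe() {
    out=$(cat)
    case "$out" in
        *"connect:errno=111"*|*"Connection refused"*) echo REFUSED ;;
        *"notAfter="*)                                 echo CERT_OK ;;
        *)                                             echo NO_CERT ;;
    esac
}

# probe_tls runs the live check against HOST:PORT and classifies the result.
probe_tls() {
    host=$1; port=$2
    # </dev/null ends the session immediately; 2>&1 keeps the BIO_connect error.
    log=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1)
    # x509 only succeeds if a PEM certificate is actually present in the log.
    dates=$(printf '%s\n' "$log" | openssl x509 -noout -dates 2>/dev/null)
    printf '%s\n%s\n' "$log" "$dates" | classify_probe
}

# Usage: sh probe.sh HOST PORT  (run it for the SIP TLS port, then 443 to compare)
if [ "$#" -eq 2 ]; then
    probe_tls "$1" "$2"
fi
```

A REFUSED verdict means the listener never answered on that port, so the certificate in Certificate Management is not what to look at first; only CERT_OK or NO_CERT says anything about the certificate itself.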


(HawkEye) #3

Hi billsimon,
Thanks for replying. You gave a good hint. Turns out the problem was the server producing the error is a hot spare and it replaced the SSL cert from the primary. That’s one part. The second part is, when doing so, SIP Settings had no certificate chosen. The firewall had nothing to do with this.

Thank you for your time and help.