Nearly-random troubleshooting point (because I see certificate directory errors): you could verify that the certificate is being presented publicly correctly.
Run this command: openssl s_client -connect FQDN:5061 -tls1_2
and replace “FQDN” with your DNS hostname. For example, if your hostname is “mypbx.mydomain.com”, then replace FQDN with that.
Then make sure that the certificate chain includes “Let’s Encrypt” and that it includes the line “0 s:CN=FQDN” (again, substituting your DNS hostname for FQDN). Or, if that throws any errors, that would be a good indication that your TLS setup has some problem.
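As an added example (not from this thread or from FreePBX), a small POSIX shell helper that runs the check described above and greps the s_client output for the three things the post says to look for: a leaf subject CN equal to your FQDN, a Let's Encrypt issuer in the chain, and a verify return code of 0. The hostname pbx.example.com is a placeholder.

```shell
#!/bin/sh
# Added example: inspect "openssl s_client" output for the conditions the post lists.
# check_sclient_output reads s_client output on stdin; $1 is the expected FQDN.
# It returns 0 when all three checks pass, otherwise prints what failed and returns 1.
check_sclient_output() {
    fqdn="$1"
    out="$(cat)"
    rc=0
    # Leaf certificate line in the "Certificate chain" section, e.g.
    # " 0 s:CN = pbx.example.com" (newer OpenSSL) or " 0 s:/CN=pbx.example.com" (older).
    if ! printf '%s\n' "$out" | grep -Eq "^ *0 s:.*CN *= *${fqdn}( |,|$)"; then
        echo "FAIL: leaf subject CN is not ${fqdn}"; rc=1
    fi
    # Intermediate issuer should be Let's Encrypt (straight apostrophe in real output).
    if ! printf '%s\n' "$out" | grep -q "Let's Encrypt"; then
        echo "FAIL: no Let's Encrypt issuer in the chain"; rc=1
    fi
    # Chain must validate against the local trust store.
    if ! printf '%s\n' "$out" | grep -q "Verify return code: 0 (ok)"; then
        echo "FAIL: certificate chain did not verify"; rc=1
    fi
    return $rc
}

# Live check against the PBX on 5061 with TLS 1.2 only, exactly the command from the post
# (plus -servername so SNI-aware servers present the right certificate).
check_pbx_tls() {
    fqdn="$1"
    openssl s_client -connect "${fqdn}:5061" -tls1_2 -servername "$fqdn" </dev/null 2>&1 \
        | check_sclient_output "$fqdn"
}
```

Run it as `check_pbx_tls mypbx.mydomain.com`; any FAIL line points at the part of the TLS setup to look at first.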
That command does result in a response from the server. I wonder why the phone is having an issue now? Maybe a TLS error. It was functioning just fine a few hours ago and now it cannot connect. I guess I will have to try with another phone.
TLS1.1 is over. Issuers are not issuing certs that can be used with TLS1.1 as they don’t have the ciphers/algos in them anymore. I think it would be best to have an idea about all these things.
Little update. On the GUI side, I forgot to switch to TLS 1.2 in PJSIP settings.
Afterwards I try again: openssl s_client -connect FQDN:5061 -tls1_2
I see a response in the command line, but it stops:
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 97E264538A7882A51AC25198835045CF045F1ABD200493EBD9D88D325FCD6EBE
Session-ID-ctx:
Master-Key: E31E8CB460DDB9B119C2DE28342DAA875C38A97C6866F49BF3D2471D76E7DCA42DDC5260ED721EC27EE70CED65A42297
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1736201498
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
closed
From Asterisk I get:
[2025-01-06 14:12:10] NOTICE[500997]: res_pjsip/pjsip_transport_management.c:170 idle_sched_cb: Shutting down transport ‘TLS to 187.209.241.175:51288’ since no request was received in 32 seconds
I’m going to need to get a cert and set up TLS to test this but not sure when I’ll be able to. This week but just not sure when. I can try for the next couple of days.
What model and firmware are the phones? That error is a decryption error and it could be related to missing ciphers or mismatched TLS versions between client and server.
I don’t believe it is a phone issue. Recall this was working with TLS 1.1, then after the suggestion to make changes in openssl.cnf to get it functioning with version 1.2, it was functioning (with Fanvil X6) then also. Then all of a sudden neither version works.
A friend tried his much newer Fanvil X6U with current firmware for both 1.1 and 1.2 and got the same result.
I do have some Yealinks lying around, oh and a Sangoma S500 to try out if needed.
I also tried using the .pem from Let’s Encrypt located in the /etc/asterisk/keys folder with Wireshark to decrypt the handshake and alert messages. I followed various guides online, but I still can’t read those TLS messages.
That means that port 80 is open for anyone. If it was blocked by a firewall, it would only show open from an IP in the firewall.
Either way, it was a firewall issue within FreePBX. I completely turned it off, along with fail2ban and completely flushed everything. I got it generated.