What's going on with TLS on FreePBX/Asterisk and Debian 12?

That is strange. When I tried it with firewall off, it reported I had to turn it on

I also ended up using the CLI to avoid all that.

Update. I got a regular $10 certificate, changed it to TLS 1.1 and now connected. So it appears an issue with Let’s Encrypt?

Why are you using an insecure TLS version? What happens when it’s TLS1.2?

I am just trying to make sure it is connecting with version 1.1. Once my friend checks it out with his new phones with 1.1 I will switch over to 1.2 to advise what happens.

Well I was able to make it work. It looks like the files FreePBX is putting in /etc/asterisk/keys has issues with parsing. At least mine did. I edited the files as I saw fit and boom, everything works.


Where did you see the parsing issue in FreePBX?

Update: Also tested with v1.2 and registers also. I guess there is an issue with the Let’s Encrypt certificates

For some reason, even though it is no longer a requirement in Asterisk, they generate a .crt that has the ca-bundle and the cert in it. I couldn’t get that to work.

However, now I can’t seem to replicate the issue. I’ve restored all the original files and did a fwconsole restart and everything registered fine.

Why don’t you put back the LE cert, set it to TLSv1_2, apply the config and do fwconsole restart then test.

I can try that tomorrow. I spent most of yesterday doing that very thing

Yeah, I just can’t replicate it with LE but I’m using a Yealink.

But you mentioned about a parsing issue.

Yes, when testing with the openssl s_client commands I got:

4017D8059D7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:322:
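As an added example (not from any poster in this thread or from the FreePBX project), here is a small POSIX shell script for the two things discussed above: checking whether the .crt under /etc/asterisk/keys bundles the leaf certificate together with the CA chain, splitting it so each part can be inspected separately, and probing the TLS listener with openssl s_client pinned to TLS 1.2. The file names, the sample PEM blocks and the host/port are assumptions for illustration; the PEM blocks are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: inspect the certificate file FreePBX writes for Asterisk,
# report whether it is a single cert or a leaf+chain bundle, and split it.
# Paths, host and port below are assumptions, not values from the thread.

# Count "-----BEGIN CERTIFICATE-----" blocks in a PEM file.
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Write the first certificate block of $1 to $2 (leaf) and the rest to $3 (chain).
split_pem_bundle() {
    awk -v leaf="$2" -v chain="$3" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf; next }
        n >  1 { print > chain }
    ' "$1"
}

# Describe a cert file; returns 0 for exactly one certificate,
# 1 when the file is a bundle (leaf plus CA chain in one file).
describe_cert_file() {
    n=$(count_pem_certs "$1")
    if [ "$n" -eq 1 ]; then
        echo "$1: single certificate"
        return 0
    fi
    echo "$1: $n certificates (leaf + chain bundled)"
    return 1
}

# Probe the TLS listener the way the thread does, pinned to TLS 1.2, and show
# the lines that matter. Needs a live PBX, so it is not part of the self-test.
# $1 = host, $2 = port (5061 is the usual pjsip TLS port; assumed here).
probe_tls12() {
    openssl s_client -connect "$1:$2" -tls1_2 -servername "$1" </dev/null 2>&1 \
        | grep -E 'Verify return code|Protocol|unexpected eof'
}

# Constructed sample: two placeholder PEM blocks standing in for leaf + CA.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q0EtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
EOF
}
```

Usage on a real box would be `describe_cert_file /etc/asterisk/keys/yourhost.crt` followed by `split_pem_bundle` and `openssl x509 -in leaf.pem -noout -subject -dates` on each part, then `probe_tls12 pbx.example.com 5061` to see which protocol was negotiated and what the verify return code says, which is a quicker way to tell a parsing problem from a trust-chain problem than watching phones register.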

has worked for me for years.

I’m sure it has but FreePBX has its own acme certbot handling for this. The idea is to find out why it wasn’t working in a v17 system.

And that acme client is very lame and outdated, you would likely benefit from using the DNS-01 protocol which it can’t do and needs painstaking firewall rules for http

If things don’t work for you, find another way.

I just switched over to the Let’s Encrypt Certificate and the old Fanvil X6 registered just fine. This is so odd.

Did you generate the cert just before you started using it? And are you set to TLSv1.2 for things?

I generated it maybe a week ago, then generated another a couple of days ago. Now out of nowhere it is working again. Everything is set for TLS v1.2
