From: Michael K. <mic...@ip...> - 2026-02-04 06:41:40
Sorry Lonnie
Here is the error I'm getting after an Asterisk reload:
[Feb 4 17:13:48] ERROR[17736]: tcptls.c:524 __ssl_setup: TLS/SSL CA file(/mnt/kd/ssl/sip-tls/keys/ca.crt)/path() error
[Feb 4 17:13:48] ERROR[17736]: tcptls.c:126 write_openssl_error_to_log: 23216157824768:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/mnt/kd/ssl/sip-tls/keys/ca.crt','r')
23216157824768:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
23216157824768:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:crypto/x509/by_file.c:199:
I tried the 'openssl s_client -connect 127.0.0.1:5061 -showcerts </dev/null | openssl x509 -noout -issuer' and it seemed to show the correct info.
Strange!
Regards
Michael Knill
From: Lonnie Abelbeck <li...@lo...>
Date: Wednesday, 4 February 2026 at 6:23 am
To: AstLinux Users Mailing List <ast...@li...>
Subject: Re: [Astlinux-users] Certificate authority files missing
Hi Michael,
I have not seen any issues related to SIP-TLS certificates.
When the ACME certs get renewed (via CRON) depending on what is checked "ACME Deploy Service"
The ACME, Let's Encrypt cert gets installed and the service is restarted.
You can test what is the issuer from the localhost shell
## HTTPS
$ openssl s_client -connect 127.0.0.1:443 -showcerts </dev/null | openssl x509 -noout -issuer
...
issuer=C = US, O = Let's Encrypt, CN = R12
## SIP-TLS
$ openssl s_client -connect 127.0.0.1:5061 -showcerts </dev/null | openssl x509 -noout -issuer
...
issuer=C = US, O = Let's Encrypt, CN = R12
$ ls -l /mnt/kd/ssl/sip-tls/keys/
total 8
-rw-r--r-- 1 root root 3620 Dec 21 01:18 server.crt
-rw------- 1 root root 1679 Dec 21 01:18 server.key
There are no ca.crt or ca.key files since they are ACME, only self-signed needs those files.
What Asterisk error are you getting?
The SIP-TLS self-signed cert can be generated, but with warnings of overwriting the Let's Encrypt version.
Lonnie
> On Feb 2, 2026, at 8:02 PM, Michael Knill <mic...@ip...> wrote:
>
> Hi Team
>
> An email from my developer.
>
> Regards
> Michael Knill
> From: Matthew Knill <mat...@ip...>
> Date: Tuesday, 3 February 2026 at 12:51 pm
> To: Michael Knill <mic...@ip...>
> Subject: Certificate authority files missing
>
> We have noticed that for a number of our systems, the ca.key and ca.crt files were missing in /mnt/kd/ssl/sip-tls/keys/ which ended up causing errors in Asterisk. We update our SSL certificates using Let's Encrypt, however, it seems that these files are not actually changed by Let's Encrypt at all and are exclusively self-signed.
> I have been unable to figure out why the files did not exist for this specific system. Looking through the system, I did find that the ast_tls_cert script does seem to be what generates these files, though I was unable to figure out where and how it’s actually run…
> Regards,
> Matthew Knill
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....