
Summary: ASTERISK-25340: Manager.conf TLS doesn't activate
Reporter: Eugene Yavaev (vlt)
Labels:
Date Opened: 2015-08-24 02:46:01
Date Closed: 2020-01-14 11:13:39.000-0600
Priority: Major
Regression?
Status: Closed/Complete
Components:
Versions: 13.5.0
Frequency of Occurrence: Constant
Related Issues:
Environment: Amazon Linux AMI release 2015.03 openssl-devel-1.0.1k-10.87.amzn1.x86_64 Asterisk 13.5.0
Attachments: (0) issue_25340_full_log.txt

Description:

manager.conf:

{noformat}
[general]
enabled = yes
;webenabled = yes

port = 5038
bindaddr = 0.0.0.0

tlsenable=yes
tlsbindaddr=0.0.0.0:5039
tlscertfile=/tmp/asterisk.pem
tlsprivatekey=/tmp/private.pem
;tlscipher=<cipher string>

;allowmultiplelogin = yes
;displayconnects = yes
{noformat}

Asterisk CLI:
{noformat}
CLI> reload manager
Module 'manager' reloaded successfully.

CLI> manager show settings
 Manager (AMI):             Yes
 Web Manager (AMI/HTTP):    No
 TCP Bindaddress:           0.0.0.0:5038
 HTTP Timeout (minutes):    60
 TLS Enable:                No
 TLS Bindaddress:           Disabled
 TLS Certfile:              /tmp/asterisk.pem
 TLS Privatekey:            /tmp/private.pem
 TLS Cipher:
 Allow multiple login:      Yes
 Display connects:          Yes
 Timestamp events:          No
 Channel vars:
{noformat}
Comments:

By: Asterisk Team (asteriskteam) 2015-08-24 02:46:02.823-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Rusty Newton (rnewton) 2015-08-24 09:07:22.612-0500

We require additional debug to continue with triage of your issue. Please follow the instructions on the wiki [1] for how to collect debugging information from Asterisk. For expediency, where possible, attach the debug with a '.txt' file extension so that the debug will be usable for further analysis.

Thanks!

[1] https://wiki.asterisk.org/wiki/display/AST/Collecting+Debug+Information

Please collect a debug log that includes the initialization of Asterisk.

Be sure that the log includes VERBOSE and DEBUG before you attach to the issue.

By: Eugene Yavaev (vlt) 2015-08-26 01:53:27.283-0500

Log

By: Eugene Yavaev (vlt) 2015-08-26 01:54:32.729-0500

OK. I configured logger.conf as described here: https://wiki.asterisk.org/wiki/display/AST/Collecting+Debug+Information
Then I restored manager.conf from the default (used the sample file).
Then I went to the Asterisk console:
{noformat}
CLI>  core set verbose 5
Console verbose is still 5.
CLI> core set debug 5
Core debug was OFF and is now 5.
CLI> module reload logger
Module 'logger' reloaded successfully.
 == Parsing '/etc/asterisk/logger.conf': Found
Asterisk Queue Logger restarted
CLI> manager set debug on
CLI> manager set debug
manager debug is on
CLI> reload manager
Module 'manager' reloaded successfully.
CLI> manager show settings

Global Settings:
----------------
 Manager (AMI):             No
 Web Manager (AMI/HTTP):    No
 TCP Bindaddress:           Disabled
 HTTP Timeout (minutes):    60
 TLS Enable:                No
 TLS Bindaddress:           Disabled
 TLS Certfile:              asterisk.pem
 TLS Privatekey:
 TLS Cipher:
 Allow multiple login:      Yes
 Display connects:          Yes
 Timestamp events:          No
 Channel vars:
 Debug:                     Yes
{noformat}

Then I configured manager.conf:

{noformat}
[general]
enabled = yes
;webenabled = yes

port = 5038
bindaddr = 0.0.0.0

; Parameters that control AMI over TLS. ("enabled" must be set too).
; You can open a connection to this socket with e.g.
;
;       openssl s_client -connect my_host:5039
;
tlsenable=yes           ; set to YES to enable it
tlsbindaddr=0.0.0.0:5039                ; address and port to bind to, default to bindaddr and port 5039
tlscertfile=/tmp/asterisk.pem   ; path to the certificate.
tlsprivatekey=/tmp/private.pem ; path to the private key, if no private given,
                               ; if no tlsprivatekey is given, default is to search
                                                               ; tlscertfile for private key.
;tlscipher=<cipher string>      ; string specifying which SSL ciphers to use or not use
;
;allowmultiplelogin = yes               ; IF set to no, rejects manager logins that are already in use.
;                               ; The default is yes.
;
displayconnects = yes
;
; Add a Unix epoch timestamp to events (not action responses)
;
;timestampevents = yes

;brokeneventsaction = yes   ; Restore previous behavior that caused the events
                           ; action to not return a response in certain
                           ; circumstances.  Defaults to 'no'.
{noformat}

Then I went to the Asterisk console:

{noformat}
CLI> core set verbose 5
Console verbose was 4 and is now 5.
CLI> core set debug 5
Core debug is still 5.
CLI> manager set debug
manager debug is on
CLI> reload manager
Module 'manager' reloaded successfully.
 == Parsing '/etc/asterisk/manager.conf': Found
 == Manager registered action BridgeList
 == Manager registered action BridgeInfo
 == Manager registered action BridgeDestroy
 == Manager registered action BridgeKick
CLI> manager show settings

Global Settings:
----------------
 Manager (AMI):             Yes
 Web Manager (AMI/HTTP):    No
 TCP Bindaddress:           0.0.0.0:5038
 HTTP Timeout (minutes):    60
 TLS Enable:                No
 TLS Bindaddress:           Disabled
 TLS Certfile:              /tmp/asterisk.pem
 TLS Privatekey:            /tmp/private.pem
 TLS Cipher:
 Allow multiple login:      Yes
 Display connects:          Yes
 Timestamp events:          No
 Channel vars:
 Debug:                     No

{noformat}

Log file is attached.

By: Rusty Newton (rnewton) 2015-09-16 18:29:53.046-0500

I've tried exactly what you describe and used your configuration. I get:

{noformat}
newtonr-laptop*CLI> manager show settings

Global Settings:
----------------
 Manager (AMI):             Yes            
 Web Manager (AMI/HTTP):    No            
 TCP Bindaddress:           0.0.0.0:5038  
 HTTP Timeout (minutes):    60            
 TLS Enable:                Yes            
 TLS Bindaddress:           0.0.0.0:5039  
 TLS Certfile:              /etc/asterisk/keys/asterisk.pem
 TLS Privatekey:            /etc/asterisk/keys/asterisk.key
 TLS Cipher:                              
 Allow multiple login:      Yes            
 Display connects:          Yes            
 Timestamp events:          No            
 Channel vars:                            
 Debug:                     No  
{noformat}

I can't reproduce the issue. Manager TLS appears to enable appropriately.

Do your certfile and privatekey files exist? Are permissions set appropriately?

Maybe it is failing to enable silently...
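
The two questions in the comment above (do the files exist, are the permissions right) can be checked directly against the manager.conf shown in this issue. The script below is an added example, not part of the thread or of Asterisk itself; the helper names `conf_get`, `check_pem` and `tls_preflight` are hypothetical, and it should be run as the account Asterisk runs under so the readability test reflects what the daemon sees.

```shell
#!/bin/sh
# Added example (not from the issue thread or the Asterisk source).
# conf_get, check_pem and tls_preflight are hypothetical helper names.

# conf_get FILE KEY: print KEY's value from [general], ';' comments stripped.
conf_get() {
    awk -v key="$2" '
        /^\[/ { in_general = ($0 ~ /^\[general\]/); next }
        in_general {
            line = $0; sub(/;.*/, "", line)
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# check_pem FILE REGEX LABEL: return 1 with a finding if FILE is unusable.
check_pem() {
    if [ ! -f "$1" ]; then echo "FAIL: $3 '$1' does not exist"; return 1; fi
    if [ ! -r "$1" ]; then echo "FAIL: $3 '$1' not readable by $(id -un)"; return 1; fi
    if ! grep -q -e "$2" "$1"; then echo "FAIL: $3 '$1' has no matching PEM block"; return 1; fi
}

# tls_preflight MANAGER_CONF: return 0 only when there is no finding.
tls_preflight() {
    rc=0
    case "$(conf_get "$1" tlsenable | tr 'A-Z' 'a-z')" in
        yes|true|y|t|1|on) ;;
        *) echo "FAIL: tlsenable is not set to a true value in [general]"; return 1 ;;
    esac
    cert=$(conf_get "$1" tlscertfile)
    key=$(conf_get "$1" tlsprivatekey)
    # Sample manager.conf: with no tlsprivatekey, the key is searched in tlscertfile.
    [ -n "$key" ] || key=$cert
    check_pem "$cert" 'BEGIN CERTIFICATE' tlscertfile || rc=1
    check_pem "$key" 'BEGIN [A-Z ]*PRIVATE KEY' tlsprivatekey || rc=1
    # Characters 8-10 of the ls mode string are the "other" permission bits.
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c8-10)" != "---" ]; then
        echo "FAIL: private key '$key' is accessible to other users"; rc=1
    fi
    return $rc
}

# Usage: sh preflight.sh /etc/asterisk/manager.conf
if [ $# -gt 0 ]; then tls_preflight "$1"; fi
```

Once the preflight is clean and `manager show settings` reports TLS as enabled, the listener itself can be confirmed with the `openssl s_client -connect my_host:5039` command from the sample manager.conf comment.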

By: Asterisk Team (asteriskteam) 2015-10-01 12:00:20.925-0500

Suspended due to lack of activity. This issue will be automatically re-opened if the reporter posts a comment. If you are not the reporter and would like this re-opened please create a new issue instead. If the new issue is related to this one a link will be created during the triage process. Further information on issue tracker usage can be found in the Asterisk Issue Guidelines [1].

[1] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines