Olivier
2020-Jan-06 17:33 UTC
[asterisk-users] TLS/SSL error loading cert file. </etc/asterisk/keys/asterisk.pem>
Hello, On a newly re-installed Asterisk 16.7.0 on Debian Buster, I can't find a way to enable HTTPS. Asterisk is running as asterisk:asterisk: asterisk 11097 0.3 6.7 741352 67984 ? Ssl 17:53 0:06 /usr/sbin/asterisk -g -f -p -U asterisk # cat /etc/asterisk/http.conf [general] servername=Asterisk enabled=yes bindaddr=0.0.0.0 bindport=8088 tlsenable=yes tlsbindaddr=0.0.0.0:8089 tlscertfile=/etc/asterisk/keys/asterisk.pem ;tlsprivatekey=keys/asterisk.key # ls -lR /etc/asterisk/keys /etc/asterisk/keys: total 32 -rw-rw-r-- 1 asterisk asterisk 1229 janv. 6 16:00 asterisk.crt -rw-rw-r-- 1 asterisk asterisk 586 janv. 6 15:59 asterisk.csr -rw-rw-r-- 1 asterisk asterisk 887 janv. 6 15:59 asterisk.key -rw-rw-r-- 1 asterisk asterisk 2116 janv. 6 16:00 asterisk.pem -rw-rw-r-- 1 asterisk asterisk 158 janv. 6 15:59 ca.cfg -rw-rw-r-- 1 asterisk asterisk 1773 janv. 6 15:59 ca.crt -rw-rw-r-- 1 asterisk asterisk 3311 janv. 6 15:59 ca.key -rw-rw-r-- 1 asterisk asterisk 132 janv. 6 15:59 tmp.cfg # grep TLS /var/log/asterisk/full | tail -1 [Jan 6 18:24:45] ERROR[11221] tcptls.c: TLS/SSL error loading cert file. </etc/asterisk/keys/asterisk.pem> # su - asterisk --shell /bin/sh --command 'cat /etc/asterisk/keys/asterisk.pem' -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQCxllxfOR9sFwyKiKPZErUcBF1zlwTVZ9XvemA/8yQY7aIVw2ce ... RE3X5iJqFIRupoIQZQJBAJnDX8dCQbqLvmAV6/Ubiz0XHjHzLEkhMKtF/ksbgou1 zykmu2rlUbnZ+DPFj/lw9WH7DaIxtogZ7qKSp0dd95g-----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIDXzCCAUcCAQEwDQYJKoZIhvcNAQELBQAwNTEcMBoGA1UEAwwTQXN0ZXJpc2sg ... XkVjfneCBgllQhLrnb9oUBuHQCy3qtlPkXpXfAtIsodnoV1mrpI3+iKH7xWc4AtQ Rbrt -----END CERTIFICATE----- Any clue ? Best regards -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20200106/24344917/attachment.html>
Antony Stone
2020-Jan-06 17:42 UTC
[asterisk-users] TLS/SSL error loading cert file. </etc/asterisk/keys/asterisk.pem>
On Monday 06 January 2020 at 18:33:39, Olivier wrote:> Hello, > > On a newly re-installed Asterisk 16.7.0 on Debian Buster, I can't find a > way to enable HTTPS.> # cat /etc/asterisk/http.conf > [general] > servername=Asterisk > enabled=yes > bindaddr=0.0.0.0 > bindport=8088 > tlsenable=yes > tlsbindaddr=0.0.0.0:8089 > tlscertfile=/etc/asterisk/keys/asterisk.pemHave you tried pointing to the .crt file instead of the .pem file?> ;tlsprivatekey=keys/asterisk.keyWhy is that commented out (and why is it a relative path)?> # ls -lR /etc/asterisk/keys > /etc/asterisk/keys: > total 32 > -rw-rw-r-- 1 asterisk asterisk 1229 janv. 6 16:00 asterisk.crt > -rw-rw-r-- 1 asterisk asterisk 586 janv. 6 15:59 asterisk.csr > -rw-rw-r-- 1 asterisk asterisk 887 janv. 6 15:59 asterisk.key > -rw-rw-r-- 1 asterisk asterisk 2116 janv. 6 16:00 asterisk.pem > -rw-rw-r-- 1 asterisk asterisk 158 janv. 6 15:59 ca.cfg > -rw-rw-r-- 1 asterisk asterisk 1773 janv. 6 15:59 ca.crt > -rw-rw-r-- 1 asterisk asterisk 3311 janv. 6 15:59 ca.key > -rw-rw-r-- 1 asterisk asterisk 132 janv. 6 15:59 tmp.cfg> Any clue ?Try reducing the permissions on the .crt and especially the .key files, so they're not world-readable. Many applications will refuse to start if the certificate or key files are insecure. Antony. -- Salad is what food eats. Please reply to the list; please *don't* CC me.
Olivier
2020-Jan-06 18:01 UTC
[asterisk-users] TLS/SSL error loading cert file. </etc/asterisk/keys/asterisk.pem>
May I add I could successfully (if pjsip show transports has any meaning) add a PJSIP TLS-transport with: [transport-tls] type=transport protocol=tls bind=0.0.0.0:5061 cert_file=/etc/asterisk/keys/asterisk.crt priv_key_file=/etc/asterisk/keys/asterisk.key method=tlsv1 Le lun. 6 janv. 2020 à 18:33, Olivier <oza.4h07 at gmail.com> a écrit :> Hello, > > On a newly re-installed Asterisk 16.7.0 on Debian Buster, I can't find a > way to enable HTTPS. > Asterisk is running as asterisk:asterisk: > > asterisk 11097 0.3 6.7 741352 67984 ? Ssl 17:53 0:06 > /usr/sbin/asterisk -g -f -p -U asterisk > > # cat /etc/asterisk/http.conf > [general] > servername=Asterisk > enabled=yes > bindaddr=0.0.0.0 > bindport=8088 > tlsenable=yes > tlsbindaddr=0.0.0.0:8089 > tlscertfile=/etc/asterisk/keys/asterisk.pem > ;tlsprivatekey=keys/asterisk.key > > # ls -lR /etc/asterisk/keys > /etc/asterisk/keys: > total 32 > -rw-rw-r-- 1 asterisk asterisk 1229 janv. 6 16:00 asterisk.crt > -rw-rw-r-- 1 asterisk asterisk 586 janv. 6 15:59 asterisk.csr > -rw-rw-r-- 1 asterisk asterisk 887 janv. 6 15:59 asterisk.key > -rw-rw-r-- 1 asterisk asterisk 2116 janv. 6 16:00 asterisk.pem > -rw-rw-r-- 1 asterisk asterisk 158 janv. 6 15:59 ca.cfg > -rw-rw-r-- 1 asterisk asterisk 1773 janv. 6 15:59 ca.crt > -rw-rw-r-- 1 asterisk asterisk 3311 janv. 6 15:59 ca.key > -rw-rw-r-- 1 asterisk asterisk 132 janv. 6 15:59 tmp.cfg > > # grep TLS /var/log/asterisk/full | tail -1 > [Jan 6 18:24:45] ERROR[11221] tcptls.c: TLS/SSL error loading cert file. > </etc/asterisk/keys/asterisk.pem> > > # su - asterisk --shell /bin/sh --command 'cat > /etc/asterisk/keys/asterisk.pem' > -----BEGIN RSA PRIVATE KEY----- > MIICXAIBAAKBgQCxllxfOR9sFwyKiKPZErUcBF1zlwTVZ9XvemA/8yQY7aIVw2ce > ... > RE3X5iJqFIRupoIQZQJBAJnDX8dCQbqLvmAV6/Ubiz0XHjHzLEkhMKtF/ksbgou1 > zykmu2rlUbnZ+DPFj/lw9WH7DaIxtogZ7qKSp0dd95g> -----END RSA PRIVATE KEY----- > -----BEGIN CERTIFICATE----- > MIIDXzCCAUcCAQEwDQYJKoZIhvcNAQELBQAwNTEcMBoGA1UEAwwTQXN0ZXJpc2sg > ... > XkVjfneCBgllQhLrnb9oUBuHQCy3qtlPkXpXfAtIsodnoV1mrpI3+iKH7xWc4AtQ > Rbrt > -----END CERTIFICATE----- > > > Any clue ? > > Best regards >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20200106/972de67f/attachment.html>
Antony Stone
2020-Jan-06 18:06 UTC
[asterisk-users] TLS/SSL error loading cert file. </etc/asterisk/keys/asterisk.pem>
On Monday 06 January 2020 at 19:01:09, Olivier wrote:> May I add I could successfully (if pjsip show transports has any meaning) > add a PJSIP TLS-transport with: > > [transport-tls] > type=transport > protocol=tls > bind=0.0.0.0:5061 > cert_file=/etc/asterisk/keys/asterisk.crt > priv_key_file=/etc/asterisk/keys/asterisk.keySo, that does indeed suggest that an absolute path + the .crt file instead of the .pem file might work...> method=tlsv1 > > Le lun. 6 janv. 2020 à 18:33, Olivier <oza.4h07 at gmail.com> a écrit : > > Hello, > > > > On a newly re-installed Asterisk 16.7.0 on Debian Buster, I can't find a > > way to enable HTTPS. > > Asterisk is running as asterisk:asterisk: > > > > asterisk 11097 0.3 6.7 741352 67984 ? Ssl 17:53 0:06 > > /usr/sbin/asterisk -g -f -p -U asterisk > > > > # cat /etc/asterisk/http.conf > > [general] > > servername=Asterisk > > enabled=yes > > bindaddr=0.0.0.0 > > bindport=8088 > > tlsenable=yes > > tlsbindaddr=0.0.0.0:8089 > > tlscertfile=/etc/asterisk/keys/asterisk.pem > > ;tlsprivatekey=keys/asterisk.key > > > > # ls -lR /etc/asterisk/keys > > /etc/asterisk/keys: > > total 32 > > -rw-rw-r-- 1 asterisk asterisk 1229 janv. 6 16:00 asterisk.crt > > -rw-rw-r-- 1 asterisk asterisk 586 janv. 6 15:59 asterisk.csr > > -rw-rw-r-- 1 asterisk asterisk 887 janv. 6 15:59 asterisk.key > > -rw-rw-r-- 1 asterisk asterisk 2116 janv. 6 16:00 asterisk.pem > > -rw-rw-r-- 1 asterisk asterisk 158 janv. 6 15:59 ca.cfg > > -rw-rw-r-- 1 asterisk asterisk 1773 janv. 6 15:59 ca.crt > > -rw-rw-r-- 1 asterisk asterisk 3311 janv. 6 15:59 ca.key > > -rw-rw-r-- 1 asterisk asterisk 132 janv. 6 15:59 tmp.cfg > > > > # grep TLS /var/log/asterisk/full | tail -1 > > [Jan 6 18:24:45] ERROR[11221] tcptls.c: TLS/SSL error loading cert file. > > </etc/asterisk/keys/asterisk.pem> > > > > # su - asterisk --shell /bin/sh --command 'cat > > /etc/asterisk/keys/asterisk.pem' > > -----BEGIN RSA PRIVATE KEY----- > > MIICXAIBAAKBgQCxllxfOR9sFwyKiKPZErUcBF1zlwTVZ9XvemA/8yQY7aIVw2ce > > ... > > RE3X5iJqFIRupoIQZQJBAJnDX8dCQbqLvmAV6/Ubiz0XHjHzLEkhMKtF/ksbgou1 > > zykmu2rlUbnZ+DPFj/lw9WH7DaIxtogZ7qKSp0dd95g> > -----END RSA PRIVATE KEY----- > > -----BEGIN CERTIFICATE----- > > MIIDXzCCAUcCAQEwDQYJKoZIhvcNAQELBQAwNTEcMBoGA1UEAwwTQXN0ZXJpc2sg > > ... > > XkVjfneCBgllQhLrnb9oUBuHQCy3qtlPkXpXfAtIsodnoV1mrpI3+iKH7xWc4AtQ > > Rbrt > > -----END CERTIFICATE----- > > > > > > Any clue ? > > > > Best regards-- I can tell you I wish those people just would be quiet. It would be best for the world. That's not going to happen, so we have to work in the right fashion with these security researchers. - Steve Ballmer, at Microsoft's Worldwide Partner Conference in New Orleans, October 2003 - http://news.microsoft.com/speeches/steve-ballmer-speech-transcript- microsoft-worldwide-partner-conference-2003/ Please reply to the list; please *don't* CC me.
Olivier
2020-Jan-08 09:04 UTC
[asterisk-users] TLS/SSL error loading cert file. </etc/asterisk/keys/asterisk.pem> [Almost SOLVED]
Hello, Le lun. 6 janv. 2020 à 19:01, Olivier <oza.4h07 at gmail.com> a écrit :> May I add I could successfully (if pjsip show transports has any meaning) > add a PJSIP TLS-transport with: > > [transport-tls] > type=transport > protocol=tls > bind=0.0.0.0:5061 > cert_file=/etc/asterisk/keys/asterisk.crt > priv_key_file=/etc/asterisk/keys/asterisk.key > method=tlsv1 > > Le lun. 6 janv. 2020 à 18:33, Olivier <oza.4h07 at gmail.com> a écrit : > >> Hello, >> >> On a newly re-installed Asterisk 16.7.0 on Debian Buster, I can't find a >> way to enable HTTPS. >> Asterisk is running as asterisk:asterisk: >> >> asterisk 11097 0.3 6.7 741352 67984 ? Ssl 17:53 0:06 >> /usr/sbin/asterisk -g -f -p -U asterisk >> >> # cat /etc/asterisk/http.conf >> [general] >> servername=Asterisk >> enabled=yes >> bindaddr=0.0.0.0 >> bindport=8088 >> tlsenable=yes >> tlsbindaddr=0.0.0.0:8089 >> tlscertfile=/etc/asterisk/keys/asterisk.pem >> ;tlsprivatekey=keys/asterisk.key >> >> # ls -lR /etc/asterisk/keys >> /etc/asterisk/keys: >> total 32 >> -rw-rw-r-- 1 asterisk asterisk 1229 janv. 6 16:00 asterisk.crt >> -rw-rw-r-- 1 asterisk asterisk 586 janv. 6 15:59 asterisk.csr >> -rw-rw-r-- 1 asterisk asterisk 887 janv. 6 15:59 asterisk.key >> -rw-rw-r-- 1 asterisk asterisk 2116 janv. 6 16:00 asterisk.pem >> -rw-rw-r-- 1 asterisk asterisk 158 janv. 6 15:59 ca.cfg >> -rw-rw-r-- 1 asterisk asterisk 1773 janv. 6 15:59 ca.crt >> -rw-rw-r-- 1 asterisk asterisk 3311 janv. 6 15:59 ca.key >> -rw-rw-r-- 1 asterisk asterisk 132 janv. 6 15:59 tmp.cfg >> >> # grep TLS /var/log/asterisk/full | tail -1 >> [Jan 6 18:24:45] ERROR[11221] tcptls.c: TLS/SSL error loading cert file. >> </etc/asterisk/keys/asterisk.pem> >> >> # su - asterisk --shell /bin/sh --command 'cat >> /etc/asterisk/keys/asterisk.pem' >> -----BEGIN RSA PRIVATE KEY----- >> MIICXAIBAAKBgQCxllxfOR9sFwyKiKPZErUcBF1zlwTVZ9XvemA/8yQY7aIVw2ce >> ... >> RE3X5iJqFIRupoIQZQJBAJnDX8dCQbqLvmAV6/Ubiz0XHjHzLEkhMKtF/ksbgou1 >> zykmu2rlUbnZ+DPFj/lw9WH7DaIxtogZ7qKSp0dd95g>> -----END RSA PRIVATE KEY----- >> -----BEGIN CERTIFICATE----- >> MIIDXzCCAUcCAQEwDQYJKoZIhvcNAQELBQAwNTEcMBoGA1UEAwwTQXN0ZXJpc2sg >> ... >> XkVjfneCBgllQhLrnb9oUBuHQCy3qtlPkXpXfAtIsodnoV1mrpI3+iKH7xWc4AtQ >> Rbrt >> -----END CERTIFICATE----- >> >> >> Any clue ? >> >> Best regards >> >After tens of trying different settings, I tried this morning to simply copy certs files from a running FreePBX 15 instance to my Debian Buster target. To my surprise, it worked as for the very first time, I now have : # asterisk -rx 'http show status' HTTP Server Status: Prefix: Server: Asterisk/16.7.0 Server Enabled and Bound to [::]:8088 HTTPS Server Enabled and Bound to [::]:8089 Now, to fully solve the issue, I need to understand why things didn't work previously and now do work correctly. Current /etc/asterisk/keys is: # ls -alR keys keys: total 56 drwxr-xr-x 3 asterisk asterisk 4096 janv. 8 09:31 . drwxrwxr-x 3 asterisk asterisk 4096 janv. 8 09:35 .. -rw------- 1 asterisk asterisk 1675 janv. 8 09:31 api_oauth.key -rw------- 1 asterisk asterisk 451 janv. 8 09:31 api_oauth_public.key -rw-r--r-- 1 asterisk asterisk 191 janv. 8 09:31 ca.cfg -rw-r--r-- 1 asterisk asterisk 1724 janv. 8 09:31 ca.crt -rw-r--r-- 1 asterisk asterisk 3243 janv. 8 09:31 ca.key -rw------- 1 asterisk asterisk 1712 janv. 8 09:31 default.crt -rw------- 1 asterisk asterisk 1610 janv. 8 09:31 default.csr -rw------- 1 asterisk asterisk 3247 janv. 8 09:31 default.key -rw------- 1 asterisk asterisk 4959 janv. 8 09:31 default.pem drwxr-xr-x 2 asterisk asterisk 4096 janv. 8 09:31 integration -rw-r--r-- 1 asterisk asterisk 1024 janv. 8 09:31 .rnd keys/integration: total 24 drwxr-xr-x 2 asterisk asterisk 4096 janv. 8 09:31 . drwxr-xr-x 3 asterisk asterisk 4096 janv. 8 09:31 .. -rw------- 1 asterisk asterisk 4959 janv. 8 09:31 certificate.pem -rw------- 1 asterisk asterisk 1712 janv. 8 09:31 webserver.crt -rw------- 1 asterisk asterisk 3247 janv. 8 09:31 webserver.key Asterisk is running as asterisk:asterisk. /etc/asterisk/http.conf is: # cat http.conf [general] enabled=yes enablestatic=no bindaddr=:: bindport=8088 prefixsessionlimit=100 session_inactivity=30000 session_keep_alive=15000 tlsenable=yes tlsbindaddr=[::]:8089 tlscertfile=/etc/asterisk/keys/integration/certificate.pem tlsprivatekey=/etc/asterisk/keys/integration/webserver.key # cat /etc/asterisk/keys/ca.cfg [req] distinguished_name = req_distinguished_name prompt = no default_md = sha256 [ca] default_md = sha256 [req_distinguished_name] CN=localhost O=localhost [ext] basicConstraints=CA:TRUE Is there a way to find how FreePBX generated the /etc/asterisk/keys tree ? Best regards -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20200108/65c854ea/attachment.html>
Reasonably Related Threads
- TLS/SSL error loading cert file. </etc/asterisk/keys/asterisk.pem> [Almost SOLVED]
- TLS/SSL error loading cert file. </etc/asterisk/keys/asterisk.pem>
- [SOLVED]Re: TLS/SSL error loading cert file. </etc/asterisk/keys/asterisk.pem> [Almost SOLVED]
- Question on WebRTC configuration
- WSS Socket Configuration