asterisk users - Jun 2017 - Let's encrypt privkey : Specified certificate file could not be used

Hello

I get the following error when using our Let's Encrypt ssl certificate 
for webRTC calls :

[Jun  2 14:29:28]   == DTLS ECDH initialized (secp256r1), faster PFS enabled
[Jun  2 14:29:28] ERROR[27360][C-00000ae5]: res_rtp_asterisk.c:1441 
ast_rtp_dtls_set_configuration: Specified certificate file 
'/etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' for RTP instance 
'0x7f920c538a78' could not be used
[Jun  2 14:29:28] ERROR[27360][C-00000ae5]: chan_sip.c:5941 
dialog_initialize_dtls_srtp: Attempted to set an invalid DTLS-SRTP 
configuration on RTP instance '0x7f920c538a78'

(ws.mydomain.tld is of course masked)


Any idea why Asterisk has a problem with the certificate ?


Kind regards.


-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20170602/3cfedb9a/attachment.html>

On Fri, Jun 02, 2017 at 02:36:38PM +0200, Jonas Kellens
wrote:
> [Jun  2 14:29:28]   == DTLS ECDH initialized (secp256r1), faster PFS
enabled
> [Jun  2 14:29:28] ERROR[27360][C-00000ae5]: res_rtp_asterisk.c:1441
> ast_rtp_dtls_set_configuration: Specified certificate file
> '/etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' for RTP
instance
> '0x7f920c538a78' could not be used
What size is the privatekey? There is a script to create cert for
asterisk:
https://github.com/asterisk/asterisk/blob/master/contrib/scripts/ast_tls_cert
It create a 1024b keypair, maybe for a good reason. Certbot its size is
2048 by default. Try adding --rsa-key-size 1024 (our signing a
"handcrafted" key)

>>>>> "JK" == Jonas Kellens <jonas.kellens at
telenet.be> writes:
JK> [Jun  2 14:29:28] ERROR[27360][C-00000ae5]: res_rtp_asterisk.c:1441
JK> ast_rtp_dtls_set_configuration: Specified certificate file
JK> '/etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' for RTP
instance
JK> '0x7f920c538a78' could not be used

That error means that openssl's SSL_CTX_use_certificate_file() returned
an error.

The later error is just a result of that one.

Does the uid/gid used for asterisk have access to the key?

If the uid you use for asterisk is called asterisk, run this as root:

su -c 'cat /etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' - asterisk

If it fails, then the problem is permissions.

You may need to alter the permissions on /etc/letsencrypt to allow
non-root uids to access the symlinks and their targets.

-JimC
-- 
James Cloos <cloos at jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6

Hello James

I am running asterisk as root, just to 'disable' all issues related to 
file rights. So this should not be the problem.


Kind regards.


Op 03-06-17 om 08:09 schreef James Cloos:
>>>>>> "JK" == Jonas Kellens <jonas.kellens at
telenet.be> writes:
> JK> [Jun  2 14:29:28] ERROR[27360][C-00000ae5]: res_rtp_asterisk.c:1441
> JK> ast_rtp_dtls_set_configuration: Specified certificate file
> JK> '/etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' for RTP
instance
> JK> '0x7f920c538a78' could not be used
>
> That error means that openssl's SSL_CTX_use_certificate_file() returned
> an error.
>
> The later error is just a result of that one.
>
> Does the uid/gid used for asterisk have access to the key?
>
> If the uid you use for asterisk is called asterisk, run this as root:
>
> su -c 'cat /etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' -
asterisk
>
> If it fails, then the problem is permissions.
>
> You may need to alter the permissions on /etc/letsencrypt to allow
> non-root uids to access the symlinks and their targets.
>
> -JimC
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20170603/67b37346/attachment.html>