Jonas Kellens
2017-Jun-02 12:36 UTC
[asterisk-users] Let's encrypt privkey : Specified certificate file could not be used
Hello,

I get the following error when using our Let's Encrypt SSL certificate for WebRTC calls:

[Jun 2 14:29:28] == DTLS ECDH initialized (secp256r1), faster PFS enabled
[Jun 2 14:29:28] ERROR[27360][C-00000ae5]: res_rtp_asterisk.c:1441 ast_rtp_dtls_set_configuration: Specified certificate file '/etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' for RTP instance '0x7f920c538a78' could not be used
[Jun 2 14:29:28] ERROR[27360][C-00000ae5]: chan_sip.c:5941 dialog_initialize_dtls_srtp: Attempted to set an invalid DTLS-SRTP configuration on RTP instance '0x7f920c538a78'

(ws.mydomain.tld is of course masked)

Any idea why Asterisk has a problem with the certificate?

Kind regards.
Daniel Tryba
2017-Jun-02 20:08 UTC
[asterisk-users] Let's encrypt privkey : Specified certificate file could not be used
On Fri, Jun 02, 2017 at 02:36:38PM +0200, Jonas Kellens wrote:
> [Jun 2 14:29:28] == DTLS ECDH initialized (secp256r1), faster PFS enabled
> [Jun 2 14:29:28] ERROR[27360][C-00000ae5]: res_rtp_asterisk.c:1441
> ast_rtp_dtls_set_configuration: Specified certificate file
> '/etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' for RTP instance
> '0x7f920c538a78' could not be used

What size is the private key?

There is a script to create a cert for Asterisk:
https://github.com/asterisk/asterisk/blob/master/contrib/scripts/ast_tls_cert

It creates a 1024-bit keypair, maybe for a good reason. Certbot's default size is 2048. Try adding --rsa-key-size 1024 (or signing a "handcrafted" key).
James Cloos
2017-Jun-03 06:09 UTC
[asterisk-users] Let's encrypt privkey : Specified certificate file could not be used
>>>>> "JK" == Jonas Kellens <jonas.kellens at telenet.be> writes:

JK> [Jun 2 14:29:28] ERROR[27360][C-00000ae5]: res_rtp_asterisk.c:1441
JK> ast_rtp_dtls_set_configuration: Specified certificate file
JK> '/etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' for RTP instance
JK> '0x7f920c538a78' could not be used

That error means that openssl's SSL_CTX_use_certificate_file() returned an error.

The later error is just a result of that one.

Does the uid/gid used for asterisk have access to the key?

If the uid you use for asterisk is called asterisk, run this as root:

su -c 'cat /etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' - asterisk

If it fails, then the problem is permissions.

You may need to alter the permissions on /etc/letsencrypt to allow non-root uids to access the symlinks and their targets.

-JimC
--
James Cloos <cloos at jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6
Jonas Kellens
2017-Jun-03 09:04 UTC
[asterisk-users] Let's encrypt privkey : Specified certificate file could not be used
Hello James,

I am running asterisk as root, just to 'disable' all issues related to file rights. So this should not be the problem.

Kind regards.

On 03-06-17 at 08:09, James Cloos wrote:
>>>>>> "JK" == Jonas Kellens <jonas.kellens at telenet.be> writes:
> JK> [Jun 2 14:29:28] ERROR[27360][C-00000ae5]: res_rtp_asterisk.c:1441
> JK> ast_rtp_dtls_set_configuration: Specified certificate file
> JK> '/etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' for RTP instance
> JK> '0x7f920c538a78' could not be used
>
> That error means that openssl's SSL_CTX_use_certificate_file() returned
> an error.
>
> The later error is just a result of that one.
>
> Does the uid/gid used for asterisk have access to the key?
>
> If the uid you use for asterisk is called asterisk, run this as root:
>
> su -c 'cat /etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' - asterisk
>
> If it fails, then the problem is permissions.
>
> You may need to alter the permissions on /etc/letsencrypt to allow
> non-root uids to access the symlinks and their targets.
>
> -JimC
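Added diagnostic, not part of the thread and not Asterisk's own code: the script below combines the two checks the replies point at. James notes that the first error is SSL_CTX_use_certificate_file() returning an error. That call fails when the Asterisk uid cannot read the file (his su -c cat test), and it also fails when the file it is handed holds no certificate at all, which is worth checking here because the log names privkey.pem as the certificate file. The script classifies the PEM blocks in the file configured as the DTLS certificate and in the file configured as the private key, and models the read path for a non-root uid through Let's Encrypt's live/ symlinks into archive/, including the uid 0 bypass Jonas relies on. The directory tree, the uid 12345, and the PEM bodies are constructed placeholders; nothing here parses real key material.

```python
import base64
import os
import re
import stat
import tempfile

# PEM labels that denote a private key: PKCS#8, legacy RSA/EC, encrypted PKCS#8.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----[ \t]*$", re.MULTILINE)


def pem_labels(text):
    """Return the label of every PEM block in text, in file order."""
    return PEM_BEGIN.findall(text)


def check_dtls_files(cert_path, key_path):
    """Pre-check the two files Asterisk hands to OpenSSL for DTLS-SRTP.
    The certificate file goes to SSL_CTX_use_certificate_file(), which needs a
    CERTIFICATE block; the key file needs a key block. Empty list == loadable."""
    problems = []
    with open(cert_path) as fh:
        cert_labels = pem_labels(fh.read())
    with open(key_path) as fh:
        key_labels = pem_labels(fh.read())
    if "CERTIFICATE" not in cert_labels:
        found = "/".join(cert_labels) or "no PEM block"
        problems.append("%s holds %s, not a certificate; SSL_CTX_use_certificate_file() "
                        "will reject it" % (cert_path, found))
    if not KEY_LABELS.intersection(key_labels):
        problems.append("%s holds no private key block" % key_path)
    return problems


def readable_by(path, uid, gids, top="/"):
    """Model whether a process running as uid (member of gids) can read path.
    Directories from top down need the search (x) bit and the file the read (r)
    bit, for both the path as given and its symlink target, because
    live/<name>/*.pem are symlinks into ../../archive/. uid 0 bypasses mode
    bits, which is why running Asterisk as root hides this class of problem.
    POSIX ACLs and SELinux/AppArmor are not modelled."""
    if uid == 0:
        return True

    def allowed(st, own, grp, oth):
        if st.st_uid == uid:
            return bool(st.st_mode & own)
        if st.st_gid in gids:
            return bool(st.st_mode & grp)
        return bool(st.st_mode & oth)

    top = os.path.realpath(top)
    prefix = top.rstrip(os.sep) + os.sep
    for target in {os.path.abspath(path), os.path.realpath(path)}:
        parent = os.path.dirname(target)
        while parent == top or parent.startswith(prefix):
            if not allowed(os.stat(parent), stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
                return False
            if parent == top:
                break
            parent = os.path.dirname(parent)
        if not allowed(os.stat(target), stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
            return False
    return True


def constructed_pem(label):
    """PEM-shaped block with a placeholder body. Constructed for this demo; not a
    real key or certificate and deliberately not parseable as one."""
    body = base64.b64encode(("constructed placeholder for " + label).encode()).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def demo(other_uid=12345):
    """Recreate the shape of /etc/letsencrypt under a temp dir (constructed) and
    return (problems with cert option -> privkey.pem, problems with cert option
    -> fullchain.pem, readable by other_uid while archive/ is 0700, readable after
    archive/ is 0750 and the key 0640 with other_uid in the key's group)."""
    root = tempfile.mkdtemp()
    le = os.path.join(root, "etc", "letsencrypt")
    archive = os.path.join(le, "archive", "ws.mydomain.tld")
    live = os.path.join(le, "live", "ws.mydomain.tld")
    os.makedirs(archive)
    os.makedirs(live)
    for d in (root, os.path.dirname(le), le, os.path.dirname(live), live, os.path.dirname(archive)):
        os.chmod(d, 0o755)
    os.chmod(archive, 0o700)  # symlink target directory closed to everyone but root
    for name, label in (("fullchain1.pem", "CERTIFICATE"), ("privkey1.pem", "PRIVATE KEY")):
        with open(os.path.join(archive, name), "w") as fh:
            fh.write(constructed_pem(label))
    os.chmod(os.path.join(archive, "privkey1.pem"), 0o600)
    # certbot-style layout: live/ holds symlinks into archive/
    os.symlink("../../archive/ws.mydomain.tld/fullchain1.pem", os.path.join(live, "fullchain.pem"))
    os.symlink("../../archive/ws.mydomain.tld/privkey1.pem", os.path.join(live, "privkey.pem"))
    cert, key = os.path.join(live, "fullchain.pem"), os.path.join(live, "privkey.pem")

    wrong = check_dtls_files(key, key)   # certificate option pointing at privkey.pem, as the log shows
    right = check_dtls_files(cert, key)
    gids = {other_uid, os.stat(key).st_gid}  # other_uid is a member of the key's group
    locked_out = readable_by(key, other_uid, gids, top=root)
    os.chmod(archive, 0o750)
    os.chmod(os.path.join(archive, "privkey1.pem"), 0o640)  # group-readable, not world-readable
    opened = readable_by(key, other_uid, gids, top=root)
    return wrong, right, locked_out, opened


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run it as a script to see the four results; point check_dtls_files() and readable_by() at the real /etc/letsencrypt paths with the asterisk uid and gids (from `id asterisk`) to test a live box. Daniel's key-size question is answered by `openssl pkey -in /etc/letsencrypt/live/ws.mydomain.tld/privkey.pem -noout -text`, whose first line reports the key type and size; that command is standard OpenSSL, not something from this thread.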