Olivier
2020-Jan-08 09:04 UTC
[asterisk-users] TLS/SSL error loading cert file. </etc/asterisk/keys/asterisk.pem> [Almost SOLVED]
Hello,

On Mon, Jan 6, 2020 at 19:01, Olivier <oza.4h07 at gmail.com> wrote:
> May I add I could successfully (if pjsip show transports has any meaning)
> add a PJSIP TLS transport with:
>
> [transport-tls]
> type=transport
> protocol=tls
> bind=0.0.0.0:5061
> cert_file=/etc/asterisk/keys/asterisk.crt
> priv_key_file=/etc/asterisk/keys/asterisk.key
> method=tlsv1
>
> On Mon, Jan 6, 2020 at 18:33, Olivier <oza.4h07 at gmail.com> wrote:
>
>> Hello,
>>
>> On a newly re-installed Asterisk 16.7.0 on Debian Buster, I can't find a
>> way to enable HTTPS.
>> Asterisk is running as asterisk:asterisk:
>>
>> asterisk 11097 0.3 6.7 741352 67984 ? Ssl 17:53 0:06 /usr/sbin/asterisk -g -f -p -U asterisk
>>
>> # cat /etc/asterisk/http.conf
>> [general]
>> servername=Asterisk
>> enabled=yes
>> bindaddr=0.0.0.0
>> bindport=8088
>> tlsenable=yes
>> tlsbindaddr=0.0.0.0:8089
>> tlscertfile=/etc/asterisk/keys/asterisk.pem
>> ;tlsprivatekey=keys/asterisk.key
>>
>> # ls -lR /etc/asterisk/keys
>> /etc/asterisk/keys:
>> total 32
>> -rw-rw-r-- 1 asterisk asterisk 1229 janv. 6 16:00 asterisk.crt
>> -rw-rw-r-- 1 asterisk asterisk  586 janv. 6 15:59 asterisk.csr
>> -rw-rw-r-- 1 asterisk asterisk  887 janv. 6 15:59 asterisk.key
>> -rw-rw-r-- 1 asterisk asterisk 2116 janv. 6 16:00 asterisk.pem
>> -rw-rw-r-- 1 asterisk asterisk  158 janv. 6 15:59 ca.cfg
>> -rw-rw-r-- 1 asterisk asterisk 1773 janv. 6 15:59 ca.crt
>> -rw-rw-r-- 1 asterisk asterisk 3311 janv. 6 15:59 ca.key
>> -rw-rw-r-- 1 asterisk asterisk  132 janv. 6 15:59 tmp.cfg
>>
>> # grep TLS /var/log/asterisk/full | tail -1
>> [Jan 6 18:24:45] ERROR[11221] tcptls.c: TLS/SSL error loading cert file. </etc/asterisk/keys/asterisk.pem>
>>
>> # su - asterisk --shell /bin/sh --command 'cat /etc/asterisk/keys/asterisk.pem'
>> -----BEGIN RSA PRIVATE KEY-----
>> MIICXAIBAAKBgQCxllxfOR9sFwyKiKPZErUcBF1zlwTVZ9XvemA/8yQY7aIVw2ce
>> ...
>> RE3X5iJqFIRupoIQZQJBAJnDX8dCQbqLvmAV6/Ubiz0XHjHzLEkhMKtF/ksbgou1
>> zykmu2rlUbnZ+DPFj/lw9WH7DaIxtogZ7qKSp0dd95g
>> -----END RSA PRIVATE KEY-----
>> -----BEGIN CERTIFICATE-----
>> MIIDXzCCAUcCAQEwDQYJKoZIhvcNAQELBQAwNTEcMBoGA1UEAwwTQXN0ZXJpc2sg
>> ...
>> XkVjfneCBgllQhLrnb9oUBuHQCy3qtlPkXpXfAtIsodnoV1mrpI3+iKH7xWc4AtQ
>> Rbrt
>> -----END CERTIFICATE-----
>>
>> Any clue?
>>
>> Best regards

After tens of tries with different settings, I tried this morning to simply copy the cert files from a running FreePBX 15 instance to my Debian Buster target. To my surprise, it worked, and for the very first time I now have:

# asterisk -rx 'http show status'
HTTP Server Status:
Prefix:
Server: Asterisk/16.7.0
Server Enabled and Bound to [::]:8088

HTTPS Server Enabled and Bound to [::]:8089

Now, to fully solve the issue, I need to understand why things didn't work previously and now do work correctly.

Current /etc/asterisk/keys is:

# ls -alR keys
keys:
total 56
drwxr-xr-x 3 asterisk asterisk 4096 janv. 8 09:31 .
drwxrwxr-x 3 asterisk asterisk 4096 janv. 8 09:35 ..
-rw------- 1 asterisk asterisk 1675 janv. 8 09:31 api_oauth.key
-rw------- 1 asterisk asterisk  451 janv. 8 09:31 api_oauth_public.key
-rw-r--r-- 1 asterisk asterisk  191 janv. 8 09:31 ca.cfg
-rw-r--r-- 1 asterisk asterisk 1724 janv. 8 09:31 ca.crt
-rw-r--r-- 1 asterisk asterisk 3243 janv. 8 09:31 ca.key
-rw------- 1 asterisk asterisk 1712 janv. 8 09:31 default.crt
-rw------- 1 asterisk asterisk 1610 janv. 8 09:31 default.csr
-rw------- 1 asterisk asterisk 3247 janv. 8 09:31 default.key
-rw------- 1 asterisk asterisk 4959 janv. 8 09:31 default.pem
drwxr-xr-x 2 asterisk asterisk 4096 janv. 8 09:31 integration
-rw-r--r-- 1 asterisk asterisk 1024 janv. 8 09:31 .rnd

keys/integration:
total 24
drwxr-xr-x 2 asterisk asterisk 4096 janv. 8 09:31 .
drwxr-xr-x 3 asterisk asterisk 4096 janv. 8 09:31 ..
-rw------- 1 asterisk asterisk 4959 janv. 8 09:31 certificate.pem
-rw------- 1 asterisk asterisk 1712 janv. 8 09:31 webserver.crt
-rw------- 1 asterisk asterisk 3247 janv. 8 09:31 webserver.key

Asterisk is running as asterisk:asterisk.

/etc/asterisk/http.conf is:

# cat http.conf
[general]
enabled=yes
enablestatic=no
bindaddr=::
bindport=8088
prefix=
sessionlimit=100
session_inactivity=30000
session_keep_alive=15000
tlsenable=yes
tlsbindaddr=[::]:8089
tlscertfile=/etc/asterisk/keys/integration/certificate.pem
tlsprivatekey=/etc/asterisk/keys/integration/webserver.key

# cat /etc/asterisk/keys/ca.cfg
[req]
distinguished_name = req_distinguished_name
prompt = no
default_md = sha256
[ca]
default_md = sha256
[req_distinguished_name]
CN=localhost
O=localhost
[ext]
basicConstraints=CA:TRUE

Is there a way to find out how FreePBX generated the /etc/asterisk/keys tree?

Best regards
Olivier
2020-Apr-17 14:34 UTC
[asterisk-users] [SOLVED]Re: TLS/SSL error loading cert file. </etc/asterisk/keys/asterisk.pem> [Almost SOLVED]
Hello,

After countless hours on this, I found the root cause of the HTTPS settings problem on Debian Buster.

All this came from the ast_tls_cert script using 1024-bit keys, where Debian's default was to require keys of at least 2048 bits!
Simply passing -b 2048 to ast_tls_cert solved it.

1. May I suggest mentioning this possibility explicitly in the wiki page [1]?
2. What would you say to adding an extra input argument to have certificates built for a specific duration (the default is 365 days and some may expect a different duration)?

Cheers

[1] https://wiki.asterisk.org/wiki/display/AST/Configuring+Asterisk+for+WebRTC+Clients
Sean Bright
2020-Apr-17 19:56 UTC
[asterisk-users] [SOLVED]Re: TLS/SSL error loading cert file. </etc/asterisk/keys/asterisk.pem>
Hi,

On 4/17/2020 10:34 AM, Olivier wrote:
> All this came from the ast_tls_cert script using 1024-bit keys, where
> Debian's default was to require keys of at least 2048 bits!
> Simply passing -b 2048 to ast_tls_cert solved it.

Yes, this was addressed by two¹ commits² in the most recent releases because of the report in ASTERISK-28750³.

> 1. May I suggest mentioning this possibility explicitly in the wiki page?

I've done that. Let us know if it needs more clarifying details.

> 2. What would you say to adding an extra input argument to have
> certificates built for a specific duration (the default is 365 days and
> some may expect a different duration)?

I think that would be fine. If you are willing to contribute that change, feel free to open an issue in JIRA⁴ and attach a patch, or submit the patch for review yourself⁵.

Kind regards,
Sean

1. https://github.com/asterisk/asterisk/commit/de6919f33942911647b1ec0eccfdd942ad776f55
2. https://github.com/asterisk/asterisk/commit/7f2d56fc8c0068bdd172a558f9eebf0e81693c48
3. https://issues.asterisk.org/jira/browse/ASTERISK-28750
4. https://issues.asterisk.org/
5. https://wiki.asterisk.org/wiki/display/AST/Gerrit+Usage
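The root cause the two messages above agree on is a key-size policy check, so here is an added example, written for this page and not taken from the thread or from the Asterisk project, that reproduces the diagnosis with plain openssl. It builds a 1024-bit key, certificate and combined .pem laid out like the three files ast_tls_cert writes, then a 2048-bit set, and reports which one Debian Buster's default OpenSSL policy would accept (Buster's /etc/ssl/openssl.cnf sets CipherString = DEFAULT@SECLEVEL=2, and security level 2 rejects RSA keys shorter than 2048 bits when they are loaded into a TLS context; Asterisk's own log only says "TLS/SSL error loading cert file", so checking the key size directly is the quickest diagnostic). The function names, the temporary directory layout and the CN=localhost subject are this example's own choices, and it assumes openssl (1.0.2 or newer) and mktemp are on PATH; ast_tls_cert itself is not run because it needs an Asterisk source tree. Two things a practitioner would also take from the listings above: the byte size of a PKCS#1 RSA private key PEM already gives the key size away (roughly 887 bytes for 1024-bit, 1675 for 2048-bit, 3243 for 4096-bit, which is why the 887-byte asterisk.key failed while FreePBX's 3247-byte webserver.key worked), and a private key pasted in full into a public list, as in the first message, should be treated as compromised and regenerated whatever its size.

```shell
#!/bin/sh
# Added example (not from the thread or from Asterisk): reproduce the
# "TLS/SSL error loading cert file" diagnosis with plain openssl.
# Assumes openssl and mktemp on PATH. The thread's actual fix is to
# regenerate the material with a larger key, e.g. (placeholders for -C/-O/-d):
#   ./contrib/scripts/ast_tls_cert -C pbx.example.com -O "Example Org" \
#       -d /etc/asterisk/keys -b 2048

# Debian Buster: CipherString = DEFAULT@SECLEVEL=2 in /etc/ssl/openssl.cnf,
# so an SSL_CTX refuses RSA certificates/keys shorter than 2048 bits.
DEBIAN_MIN_RSA_BITS=2048

# Print the modulus size in bits of the RSA private key in PEM file $1
# (matches "Private-Key: (1024 bit)" and "RSA Private-Key: (1024 bit, 2 primes)").
rsa_key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Print the public-key size in bits of the first certificate in PEM file $1.
# Works on a combined key+cert .pem like the one http.conf pointed at.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Exit 0 when the key in $1 is long enough for Debian's default TLS policy.
key_ok_for_debian() {
    kb=$(rsa_key_bits "$1")
    [ -n "$kb" ] && [ "$kb" -ge "$DEBIAN_MIN_RSA_BITS" ]
}

# Write asterisk.key / asterisk.crt / asterisk.pem of $2 bits into directory $1,
# the same three files ast_tls_cert produces (self-signed here for brevity).
make_pair() {
    out=$1
    keybits=$2
    openssl genrsa -out "$out/asterisk.key" "$keybits" 2>/dev/null
    openssl req -new -x509 -key "$out/asterisk.key" -days 365 \
        -subj "/CN=localhost/O=localhost" -out "$out/asterisk.crt" 2>/dev/null
    cat "$out/asterisk.key" "$out/asterisk.crt" > "$out/asterisk.pem"
}

# Side by side: the thread's failing 1024-bit material and the -b 2048 fix.
demo() {
    work=$(mktemp -d)
    for size in 1024 2048; do
        mkdir -p "$work/$size"
        make_pair "$work/$size" "$size"
        if key_ok_for_debian "$work/$size/asterisk.key"; then
            verdict="accepted"
        else
            verdict="rejected under DEFAULT@SECLEVEL=2 (the thread's failure)"
        fi
        printf '%s-bit set: asterisk.key=%s bits, cert in asterisk.pem=%s bits -> %s\n' \
            "$size" "$(rsa_key_bits "$work/$size/asterisk.key")" \
            "$(cert_key_bits "$work/$size/asterisk.pem")" "$verdict"
    done
    rm -rf "$work"
}

demo
```

To check an existing installation rather than generated files, run rsa_key_bits against /etc/asterisk/keys/asterisk.key (or the .pem, since openssl pkey reads the first key block it finds) as the asterisk user, so that a permission problem and a key-size problem are not confused with each other.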