Ruisheng Peng
2020-Dec-14 18:50 UTC
[asterisk-users] Fwd: Asterisk 16.14.0 pjsip transport-tls cert parsing error
Hi,

I'm experimenting with Asterisk-16.14.0 on a CentOS7 box, and ran into problems loading the SSL certificate to establish transport-tls. I tried a self-signed certificate generated with ast_tls_cert under contrib/scripts and the one issued by Letsencrypt; both would bomb out with a parsing error:

[Dec 3 15:47:50] ERROR[11233] res_pjsip/config_transport.c: Transport: transport-tls: cert_file /home/asterisk/certs/asterisk.crt is either missing or not readable
[Dec 3 15:47:50] ERROR[11233] config_options.c: Error parsing cert_file=/home/asterisk/certs/asterisk.crt at line 24 of

What's interesting is that the self-signed asterisk.crt only has 20 lines. For the Letsencrypt certificate (both cert.pem and fullchain.pem), it'd bomb out at line 22.

Here's the transport section of my /etc/asterisk/pjsip.conf:

[transport-udp]
type = transport
protocol = udp
bind = 0.0.0.0

[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0
;cert_file = /home/asterisk/certs/cert.pem
;cert_file = /home/asterisk/certs/fullchain.pem
;priv_key_file = /home/asterisk/certs/privkey.pem
cert_file = /home/asterisk/certs/asterisk.crt
priv_key_file = /home/asterisk/certs/asterisk.key
allow_reload = true

And a full listing of /home/asterisk/certs:

-rw-r-----. 1 asterisk asterisk 1212 Dec 2 17:19 asterisk.crt
-rw-r-----. 1 asterisk asterisk 578 Dec 2 17:18 asterisk.csr
-rw-r-----. 1 asterisk asterisk 891 Dec 2 17:18 asterisk.key
-rw-r-----. 1 asterisk asterisk 2103 Dec 2 17:19 asterisk.pem
-rw-r-----. 1 asterisk asterisk 1749 Dec 2 17:18 ca.crt
-rw-r-----. 1 asterisk asterisk 3311 Dec 2 17:18 ca.key
-rw-r-----. 1 asterisk asterisk 1923 Nov 13 16:29 cert.pem
-rw-r-----. 1 asterisk asterisk 3570 Nov 13 15:11 fullchain.pem
-rw-r-----. 1 asterisk asterisk 1704 Nov 13 15:12 privkey.pem

The self-signed asterisk.crt:

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

and Letsencrypt cert.pem:

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

There were a few mentions of this problem on the web, and one said changing the security mode of the certs to 755 fixed his problem. But it didn't work for me.

Thanks for any suggestions and help,
--Ruisheng
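
Added example (not part of the original post, and not Asterisk code): the first error above reports cert_file as "missing or not readable", so one check is whether the account Asterisk runs as can traverse every directory on the way to /home/asterisk/certs and read the file itself. The sketch below evaluates only the classic owner/group/other mode bits; POSIX ACLs and SELinux (the trailing "." in the listing shows the files carry an SELinux context) are not evaluated, and the function names are hypothetical.

```python
import os

def effective_bits(st, uid, gids):
    """Return the rwx triplet (0-7) the mode bits grant to uid/gids."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7      # owner class only, even if group allows more
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7      # group class
    return st.st_mode & 7                 # other class

def check_path(path, uid, gids):
    """Walk each component of path from / down to the file.

    Returns [(component, needed, allowed)], where needed is 'x' (search)
    for every directory on the way and 'r' for the final component.
    """
    parts, head = [], os.path.abspath(path)
    while True:
        parts.append(head)
        parent = os.path.dirname(head)
        if parent == head:                # reached the filesystem root
            break
        head = parent
    parts.reverse()
    results = []
    for i, comp in enumerate(parts):
        last = i == len(parts) - 1
        needed, mask = ("r", 4) if last else ("x", 1)
        st = os.stat(comp)
        # uid 0 bypasses read and directory-search checks
        allowed = uid == 0 or bool(effective_bits(st, uid, gids) & mask)
        results.append((comp, needed, allowed))
    return results

def first_block(path, uid, gids):
    """Return (component, needed) for the first denial, or None."""
    for comp, needed, allowed in check_path(path, uid, gids):
        if not allowed:
            return comp, needed
    return None

if __name__ == "__main__":
    # Usage: python3 certpath.py <user> <file> [<file> ...]
    import pwd, sys
    user = pwd.getpwnam(sys.argv[1])
    gids = set(os.getgrouplist(user.pw_name, user.pw_gid))
    for target in sys.argv[2:]:
        print(target, first_block(target, user.pw_uid, gids) or "ok")
```

Run it with the user the asterisk process actually runs as (check the process list rather than assuming) and the cert_file and priv_key_file paths from pjsip.conf; a clean result here moves the investigation on to SELinux or ACLs.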