Ruisheng Peng
2021-Jan-26 20:12 UTC
[asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
Hi,

I'm experimenting with Asterisk-16.14.0 on a CentOS7 box, and run into problems loading the SSL certificate to establish transport-tls. Tried self-signed certificate generated with ast_tls_cert under contrib/scripts and the one issued by Letsencrypt, both would bomb out with a parsing error:

[Dec 3 15:47:50] ERROR[11233] res_pjsip/config_transport.c: Transport: transport-tls: cert_file /home/asterisk/certs/asterisk.crt is either missing or not readable
[Dec 3 15:47:50] ERROR[11233] config_options.c: Error parsing cert_file=/home/asterisk/certs/asterisk.crt at line 24 of

What's interesting is that the self-signed asterisk.crt only has 20 lines. For letsencrypt certificate (both cert.pem and fullchain.pem), it'd bomb out at line 22.

Here's the transport section of my /etc/asterisk/pjsip.conf:

[transport-udp]
type = transport
protocol = udp
bind = 0.0.0.0

[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0
;cert_file = /home/asterisk/certs/cert.pem
;cert_file = /home/asterisk/certs/fullchain.pem
;priv_key_file = /home/asterisk/certs/privkey.pem
cert_file = /home/asterisk/certs/asterisk.crt
priv_key_file = /home/asterisk/certs/asterisk.key
allow_reload = true

And a full listing of /home/asterisk/certs:

-rw-r-----. 1 asterisk asterisk 1212 Dec 2 17:19 asterisk.crt
-rw-r-----. 1 asterisk asterisk 578 Dec 2 17:18 asterisk.csr
-rw-r-----. 1 asterisk asterisk 891 Dec 2 17:18 asterisk.key
-rw-r-----. 1 asterisk asterisk 2103 Dec 2 17:19 asterisk.pem
-rw-r-----. 1 asterisk asterisk 1749 Dec 2 17:18 ca.crt
-rw-r-----. 1 asterisk asterisk 3311 Dec 2 17:18 ca.key
-rw-r-----. 1 asterisk asterisk 1923 Nov 13 16:29 cert.pem
-rw-r-----. 1 asterisk asterisk 3570 Nov 13 15:11 fullchain.pem
-rw-r-----. 1 asterisk asterisk 1704 Nov 13 15:12 privkey.pem

The self-signed asterisk.crt:

[PEM certificate body omitted]

and Letsencrypt cert.pem:

[PEM certificate body omitted]

There were a few mentions of this problem on the web, and one said changing the security mode of the certs to 755 fixed his problem. But it didn't work for me.

Thanks for any suggestions and help,

--Ruisheng
Michael Maier
2021-Jan-27 08:15 UTC
[asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
On 26.01.21 at 21:12 Ruisheng Peng wrote:
> Hi,
>
> I'm experimenting with Asterisk-16.14.0 on a CentOS7 box, and run into
> problems loading the SSL certificate to establish transport-tls. Tried
> self-signed certificate generated with ast_tls_cert under contrib/scripts
> and the one issued by Letsencrypt, both would bomb out with a parsing error:
>
> [Dec 3 15:47:50] ERROR[11233] res_pjsip/config_transport.c: Transport:
> transport-tls: cert_file /home/asterisk/certs/asterisk.crt is either
> missing or not readable

It's missing or not readable! Take care that the file access rights of the file and the complete path are ok. Do a strace to verify whether the file is really loaded at all.

Michael
Stefan Tichy
2021-Jan-29 15:53 UTC
[asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
On Tue, Jan 26, 2021 at 10:12:22AM -1000, Ruisheng Peng wrote:
> The self-signed asterisk.crt:

I saved that file in "x.crt".

openssl x509 -in x.crt -noout -text
....
RSA Public-Key: (1024 bit)
....

> and Letsencrypt cert.pem:

I saved that file in "y.crt".

openssl x509 -in y.crt -noout -enddate
notAfter=Jan 29 01:24:25 2021 GMT

> There were a few mentions of this problem on the web, and one said changing
> the security mode of the certs to 755 fixed his problem.

That makes no sense.

Which version of openssl is used on that CentOS7 box?

In "/etc/ssl/openssl.cnf" you find something like this:

MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

You could set the level to "1" or even to "0" and restart Asterisk.

--
Stefan Tichy
Sean Bright
2021-Feb-01 18:08 UTC
[asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
Hi,

On 1/26/2021 3:12 PM, Ruisheng Peng wrote:
> Transport: transport-tls: cert_file
> /home/asterisk/certs/asterisk.crt is either missing or not readable

This error means that the file either does not exist or that Asterisk is not able to open it for reading. In your case it looks like the file exists so the Asterisk process was not able to read the file (this could be permissions or SELinux or whatever other reason). It never gets to actually trying to parse it as a certificate.

The subsequent message mentioning "at line 24 of" is just a bug in the configuration framework, it is not referring to line 24 of the certificate file.

Kind regards,
Sean
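
Michael's and Sean's replies both point at the access rights of the file and of every directory on the way to it. The Python below is an added example, not part of any post in this thread: it evaluates the classic mode bits of each path component for a given uid and group list and reports the first one that blocks the read. The names `class_bits`, `first_blocker`, the `start` parameter and the script name are made up for this example, and POSIX ACLs and SELinux are not evaluated, so a `None` result leaves those still to check.

```python
import os

def class_bits(st, uid, gids):
    """Return the rwx triplet (owner, group or other) the kernel applies to uid."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_blocker(path, uid, gids, start=os.sep):
    """Walk from start down to path and return (component, reason) for the
    first element uid cannot pass, or None if mode bits allow the read.
    POSIX ACLs and SELinux are not evaluated here."""
    path, start = os.path.abspath(path), os.path.abspath(start)
    chain, current = [start], start
    for part in os.path.relpath(path, start).split(os.sep):
        current = os.path.join(current, part)
        chain.append(current)
    for comp in chain:
        try:
            st = os.stat(comp)
        except OSError as exc:
            return comp, "stat failed: %s" % exc.strerror
        # Directories on the way need search (x); the file itself needs read (r).
        need, label = (4, "read") if comp == path else (1, "search")
        if uid != 0 and not class_bits(st, uid, gids) & need:  # uid 0 bypasses mode bits
            return comp, "no %s permission for uid %d" % (label, uid)
    return None

if __name__ == "__main__":
    import pwd, sys
    # Hypothetical usage: python3 check_path.py asterisk /home/asterisk/certs/asterisk.crt
    user, target = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    gids = os.getgrouplist(user, pw.pw_gid)
    print(first_blocker(target, pw.pw_uid, gids) or "mode bits allow the read")
```

Run it as root so that `os.stat` itself is not blocked by the directories being inspected, and pass the account the Asterisk process actually runs as.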