Ruisheng Peng
2021-Jan-29 21:33 UTC
[asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
Thanks for the detailed explanation Michael.

I stopped the current asterisk process (started by systemd), and restarted it as asterisk:

[asterisk at voip1 ~]$ strace -f -o /home/asterisk/strace.log asterisk -fmq -vvv -C /etc/asterisk/asterisk.conf

From the log there was no attempt to even open the cert file. I edited /etc/asterisk/pjsip.conf to add a "method = tlsv1" line to the transport-tls section. Reran the strace command, and here is the part re cert files:

8189 stat("/home/asterisk/certs/asterisk.crt", {st_mode=S_IFREG|0640, st_size=1212, ...}) = 0
8189 geteuid() = 1002
8189 getegid() = 1002
8189 getuid() = 1002
8189 getgid() = 1002
8189 access("/home/asterisk/certs/asterisk.crt", R_OK) = 0
8189 stat("/home/asterisk/certs/asterisk.key", {st_mode=S_IFREG|0640, st_size=891, ...}) = 0
8189 geteuid() = 1002
8189 getegid() = 1002
8189 getuid() = 1002
8189 getgid() = 1002
8189 access("/home/asterisk/certs/asterisk.key", R_OK) = 0
8189 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 16
8189 setsockopt(16, SOL_SOCKET, 0xffff /* SO_??? */, [1], 4) = -1 ENOPROTOOPT (Protocol not available)
8189 setsockopt(16, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
8189 setsockopt(16, SOL_TCP, TCP_NODELAY, [1], 4) = 0

The tls transport is not established in the end. Only the two hard phones using udp transport and a softphone using tcp transport are registered.

Thanks,

--Ruisheng

On Thu, Jan 28, 2021 at 7:42 PM Michael Maier <m1278468 at mailbox.org> wrote:
>
> On 27.01.21 at 22:57 Ruisheng Peng wrote:
> > Thanks Michael for the suggestion! I've installed strace and assigned one
> > of the endpoints (SOFTPHONE_B) to use transport-tls. Then run strace (as
> > user asterisk):
> >
> > [asterisk at voip1 ~]$ strace asterisk -rx "module reload res_pjsip.so"
>
> You should use strace like this as root and from the very beginning of the start
> of asterisk:
>
> strace -f -o /tmp/strace.log asterisk -vvv -mqf -C /etc/asterisk/asterisk.conf
>
> -f means, to follow even forked processes, ... (see man page)
> -o writes all the output to a file. You can search afterwards pretty easily for
> the file (or the open call).
>
> You shouldn't do this in production but in the test environment!
>
> You have to run it as long as the error has happened.
>
>
> Thanks
> Michael
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Check out the new Asterisk community forum at:
> https://community.asterisk.org/
>
> New to Asterisk? Start here:
> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
Ruisheng Peng
2021-Jan-30 02:37 UTC
[asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
Beating around bushes, and finally seem to stomp on something that worked! Simply move the cert file locations from /home/asterisk/certs to /etc/asterisk/keys:

[root at voip1 asterisk]# ls -l keys
total 36
-rw-r-----. 1 asterisk asterisk 1212 Jan 29 14:18 asterisk.crt
-rw-r-----. 1 asterisk asterisk  578 Jan 29 14:18 asterisk.csr
-rw-r-----. 1 asterisk asterisk  891 Jan 29 14:18 asterisk.key
-rw-r-----. 1 asterisk asterisk 2103 Jan 29 14:18 asterisk.pem
-rw-r-----. 1 asterisk asterisk 1749 Jan 29 14:18 ca.crt
-rw-r-----. 1 asterisk asterisk 3311 Jan 29 14:18 ca.key
-rw-r-----. 1 asterisk asterisk 1923 Jan 29 14:18 cert.pem
-rw-r-----. 1 asterisk asterisk 3570 Jan 29 14:18 fullchain.pem
-rw-r-----. 1 asterisk asterisk 1704 Jan 29 14:18 privkey.pem

and tls was established. With a self-signed cert, I'd need to add ca_list_file in the transport-tls section in /etc/pjsip.conf for it to fly.

[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0:5061
; ca_list_file = /etc/asterisk/keys/ca.crt
; cert_file = /etc/asterisk/keys/asterisk.crt
; priv_key_file = /etc/asterisk/keys/asterisk.key
cert_file = /etc/asterisk/keys/fullchain.pem
priv_key_file = /etc/asterisk/keys/privkey.pem
method = tlsv1_2
allow_reload = true

Not sure what was the nature of the problem. Maybe SELinux? There was no complaint from that department though.

Thanks for the help and suggestions,

--Ruisheng

On Fri, Jan 29, 2021 at 11:33 AM Ruisheng Peng <rpeng at ifa.hawaii.edu> wrote:
> From the log there was no attempt to even open the cert file. I edited
> /etc/asterisk/pjsip.conf to add a "method = tlsv1" line to the
> transport-tls section.
>
> The tls transport is not established in the end. Only the two hard phones
> using udp transport and a softphone using tcp transport are registered.
Michael Maier
2021-Jan-30 07:41 UTC
[asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
On 29.01.21 at 22:33 Ruisheng Peng wrote:
> From the log there was no attempt to even open the cert file. I edited
> /etc/asterisk/pjsip.conf to add a "method = tlsv1" line to the
> transport-tls section. Reran the strace command, and here is the part re cert
> files:
>
> 8189 stat("/home/asterisk/certs/asterisk.crt", {st_mode=S_IFREG|0640, st_size=1212, ...}) = 0
> 8189 geteuid() = 1002
> 8189 getegid() = 1002
> 8189 getuid() = 1002
> 8189 getgid() = 1002
> 8189 access("/home/asterisk/certs/asterisk.crt", R_OK) = 0
> 8189 stat("/home/asterisk/certs/asterisk.key", {st_mode=S_IFREG|0640, st_size=891, ...}) = 0
> 8189 geteuid() = 1002
> 8189 getegid() = 1002
> 8189 getuid() = 1002
> 8189 getgid() = 1002
> 8189 access("/home/asterisk/certs/asterisk.key", R_OK) = 0
> 8189 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 16
> 8189 setsockopt(16, SOL_SOCKET, 0xffff /* SO_??? */, [1], 4) = -1 ENOPROTOOPT (

I'm missing the "open" (or "openat") and the following "read" call - weren't there any or didn't you post them? These are the important calls! They will show if the file is used at all or not (and possibly the reason why it is not used, EACCES e.g.).

Thanks
Michael
Ruisheng Peng
2021-Feb-01 20:36 UTC
[asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
Michael,

There weren't any open or openat actions on the cert files (located under /home/asterisk/certs). The same is true for cert files located under /etc/asterisk/keys:

24138 stat("/etc/asterisk/keys/fullchain.pem", {st_mode=S_IFREG|0640, st_size=3444, ...}) = 0
24138 geteuid() = 1002
24138 getegid() = 1002
24138 getuid() = 1002
24138 getgid() = 1002
24138 access("/etc/asterisk/keys/fullchain.pem", R_OK) = 0
24138 stat("/etc/asterisk/keys/privkey.pem", {st_mode=S_IFREG|0640, st_size=1704, ...}) = 0
24138 geteuid() = 1002
24138 getegid() = 1002
24138 getuid() = 1002
24138 getgid() = 1002
24138 access("/etc/asterisk/keys/privkey.pem", R_OK) = 0
24138 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 16
24138 setsockopt(16, SOL_SOCKET, 0xffff /* SO_??? */, [1], 4) = -1 ENOPROTOOPT (Protocol not available)
24138 setsockopt(16, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
24138 setsockopt(16, SOL_TCP, TCP_NODELAY, [1], 4) = 0
24138 bind(16, {sa_family=AF_INET, sin_port=htons(5061), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
24138 listen(16, 5) = 0
24138 ioctl(16, FIONBIO, [1]) = 0
24138 getsockopt(16, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
24138 epoll_ctl(11, EPOLL_CTL_ADD, 16, {EPOLLIN|EPOLLERR, {u32=23894976, u64=23894976}}) = 0
24138 accept(16, 0x1a765c0, [28]) = -1 EAGAIN (Resource temporarily unavailable)
24138 getsockname(16, {sa_family=AF_INET, sin_port=htons(5061), sin_addr=inet_addr("0.0.0.0")}, [16]) = 0

In the latter case transport-tls was successfully established.

On Fri, Jan 29, 2021 at 9:42 PM Michael Maier <m1278468 at mailbox.org> wrote:
> I'm missing the "open" (or "openat") and the following "read" call - weren't there
> any or didn't you post them? These are the important calls! They will show if the
> file is used at all or not (and possibly the reason why it is not used, EACCES e.g.).
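The check Michael asks for in this thread (do stat/access on the cert files get followed by open/openat and read, and if an open fails, which errno comes back) can be done mechanically over the strace -f -o log instead of by eye. The script below is an added example for this thread; it is not code from either poster, from Asterisk or from pjproject. Its sample log is constructed: the 8189 stat/access lines mirror what was posted above, while the openat/read lines and the EACCES line are invented here purely to show the verdicts the other outcomes would produce (the thread itself saw no open call in either directory). Path prefixes and pids are taken from the posts; the parser, the verdict strings and the names parse_strace, diagnose and cert_verdicts are my own.

```python
import re
from collections import defaultdict

# One strace line, with or without the pid column that "strace -f -o FILE" adds:
#   [pid ]syscall(args) = ret [ERRNO (message)]
LINE_RE = re.compile(
    r'^(?:(?P<pid>\d+)\s+)?(?P<call>\w+)\((?P<args>.*)\)\s*=\s*'
    r'(?P<ret>-?\d+|0x[0-9a-fA-F]+|\?)(?:\s+(?P<err>E[A-Z]+))?'
)
QUOTED_PATH_RE = re.compile(r'"([^"]*)"')

# Calls whose first quoted argument names a file on disk.
PATH_CALLS = {"stat", "lstat", "access", "open", "openat", "newfstatat", "statx"}


def parse_strace(lines, path_filter):
    """Summarise, per file whose path satisfies path_filter, what the traced
    processes did with it: which calls touched it, which failed (call, errno),
    whether an open succeeded, and how many bytes were read through that fd."""
    files = defaultdict(lambda: {"calls": [], "errors": [], "opened": False, "read_bytes": 0})
    fd_owner = {}  # (pid, fd) -> path, for fds returned by a successful open/openat

    for line in lines:
        m = LINE_RE.match(line)
        if not m:  # "<unfinished ...>" / "<... resumed>" halves and signal lines are skipped
            continue
        pid, call, args = m.group("pid") or "0", m.group("call"), m.group("args")
        ret, err = m.group("ret"), m.group("err")

        if call in PATH_CALLS:
            paths = QUOTED_PATH_RE.findall(args)
            if not paths or not path_filter(paths[0]):
                continue
            info = files[paths[0]]
            info["calls"].append(call)
            if err:
                info["errors"].append((call, err))
            elif call in ("open", "openat"):
                info["opened"] = True
                fd_owner[(pid, ret)] = paths[0]
        elif call in ("read", "close"):
            fd = args.split(",")[0].strip()
            path = fd_owner.get((pid, fd))
            if path is None:
                continue  # fd does not belong to a file we are watching
            if call == "read" and not err:
                files[path]["read_bytes"] += int(ret)
            elif call == "close":
                del fd_owner[(pid, fd)]
    return dict(files)


def diagnose(files):
    """Turn the per-file summary into a one-line verdict per path."""
    verdicts = {}
    for path, info in files.items():
        pre_open = [f"{c} failed with {e}" for c, e in info["errors"] if c not in ("open", "openat")]
        open_fail = [f"{c} failed with {e}" for c, e in info["errors"] if c in ("open", "openat")]
        if pre_open:
            verdicts[path] = pre_open[0]          # e.g. access() denied before any open was tried
        elif open_fail:
            verdicts[path] = open_fail[0]         # open attempted, kernel refused it
        elif not info["opened"]:
            verdicts[path] = "stat/access only, never opened"   # the case seen in this thread
        elif info["read_bytes"] == 0:
            verdicts[path] = "opened but never read"
        else:
            verdicts[path] = f"opened and read {info['read_bytes']} bytes"
    return verdicts


# Constructed sample in the shape of the traces posted in this thread (pid column from -f).
# The openat/read/EACCES lines are invented to exercise the other verdicts; the thread's
# posters did not observe them.
SAMPLE_LOG = """\
8189 stat("/home/asterisk/certs/asterisk.crt", {st_mode=S_IFREG|0640, st_size=1212, ...}) = 0
8189 access("/home/asterisk/certs/asterisk.crt", R_OK) = 0
8189 stat("/home/asterisk/certs/asterisk.key", {st_mode=S_IFREG|0640, st_size=891, ...}) = 0
8189 access("/home/asterisk/certs/asterisk.key", R_OK) = 0
8189 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 16
24138 openat(AT_FDCWD, "/etc/asterisk/keys/fullchain.pem", O_RDONLY) = 17
24138 read(17, "-----BEGIN CERTIFICATE-----\\n"..., 4096) = 3444
24138 read(17, "", 4096) = 0
24138 close(17) = 0
24138 access("/etc/asterisk/keys/privkey.pem", R_OK) = -1 EACCES (Permission denied)
"""


def is_cert_path(path):
    # The two directories this thread put the certificates in.
    return path.startswith(("/home/asterisk/certs/", "/etc/asterisk/keys/"))


def cert_verdicts(log_text):
    """Verdict per certificate/key file found in an strace log."""
    return diagnose(parse_strace(log_text.splitlines(), is_cert_path))


if __name__ == "__main__":
    for path, verdict in cert_verdicts(SAMPLE_LOG).items():
        print(f"{path}: {verdict}")
```

Run it against a real log with `cert_verdicts(open("/tmp/strace.log").read())`; a file that comes back as "stat/access only, never opened" is the situation both posters saw, and a verdict carrying an errno is the EACCES-style reason Michael was looking for.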