[asterisk-users] [SOLVED]Re: TLS/SSL error loading cert file. </etc/asterisk/keys/asterisk.pem> [Almost SOLVED]

Olivier oza.4h07 at gmail.com
Fri Apr 17 09:34:03 CDT 2020


Hello,

After countless hours on this, I found the root cause of the HTTPS settings problem on
Debian Buster.

All this came from the ast_tls_cert script using 1024-bit keys, whereas
Debian's default is to require keys of at least 2048 bits!
Simply passing -b 2048 to ast_tls_cert solved it.

1. May I suggest explicitly mentioning this possibility on the wiki page [1]?

2. What would you say to adding an extra input argument to build
certificates for a specific duration (the default is 365 days, and some
may expect a different duration)?

Cheers

[1]
https://wiki.asterisk.org/wiki/display/AST/Configuring+Asterisk+for+WebRTC+Clients


On Wed, Jan 8, 2020 at 10:04, Olivier <oza.4h07 at gmail.com> wrote:

> Hello,
>
> On Mon, Jan 6, 2020 at 19:01, Olivier <oza.4h07 at gmail.com> wrote:
>
>> May I add that I could successfully (if pjsip show transports has any meaning)
>> add a PJSIP TLS transport with:
>>
>> [transport-tls]
>> type=transport
>> protocol=tls
>> bind=0.0.0.0:5061
>> cert_file=/etc/asterisk/keys/asterisk.crt
>> priv_key_file=/etc/asterisk/keys/asterisk.key
>> method=tlsv1
>>
>> On Mon, Jan 6, 2020 at 18:33, Olivier <oza.4h07 at gmail.com> wrote:
>>
>>> Hello,
>>>
>>> On a newly re-installed Asterisk 16.7.0 on Debian Buster, I can't find a
>>> way to enable HTTPS.
>>> Asterisk is running as asterisk:asterisk:
>>>
>>> asterisk 11097  0.3  6.7 741352 67984 ?        Ssl  17:53   0:06
>>> /usr/sbin/asterisk -g -f -p -U asterisk
>>>
>>> # cat /etc/asterisk/http.conf
>>> [general]
>>> servername=Asterisk
>>> enabled=yes
>>> bindaddr=0.0.0.0
>>> bindport=8088
>>> tlsenable=yes
>>> tlsbindaddr=0.0.0.0:8089
>>> tlscertfile=/etc/asterisk/keys/asterisk.pem
>>> ;tlsprivatekey=keys/asterisk.key
>>>
>>> # ls -lR /etc/asterisk/keys
>>> /etc/asterisk/keys:
>>> total 32
>>> -rw-rw-r-- 1 asterisk asterisk 1229 janv.  6 16:00 asterisk.crt
>>> -rw-rw-r-- 1 asterisk asterisk  586 janv.  6 15:59 asterisk.csr
>>> -rw-rw-r-- 1 asterisk asterisk  887 janv.  6 15:59 asterisk.key
>>> -rw-rw-r-- 1 asterisk asterisk 2116 janv.  6 16:00 asterisk.pem
>>> -rw-rw-r-- 1 asterisk asterisk  158 janv.  6 15:59 ca.cfg
>>> -rw-rw-r-- 1 asterisk asterisk 1773 janv.  6 15:59 ca.crt
>>> -rw-rw-r-- 1 asterisk asterisk 3311 janv.  6 15:59 ca.key
>>> -rw-rw-r-- 1 asterisk asterisk  132 janv.  6 15:59 tmp.cfg
>>>
>>> # grep TLS /var/log/asterisk/full | tail -1
>>> [Jan  6 18:24:45] ERROR[11221] tcptls.c: TLS/SSL error loading cert
>>> file. </etc/asterisk/keys/asterisk.pem>
>>>
>>> # su - asterisk --shell /bin/sh --command 'cat
>>> /etc/asterisk/keys/asterisk.pem'
>>> -----BEGIN RSA PRIVATE KEY-----
>>> MIICXAIBAAKBgQCxllxfOR9sFwyKiKPZErUcBF1zlwTVZ9XvemA/8yQY7aIVw2ce
>>> ...
>>> RE3X5iJqFIRupoIQZQJBAJnDX8dCQbqLvmAV6/Ubiz0XHjHzLEkhMKtF/ksbgou1
>>> zykmu2rlUbnZ+DPFj/lw9WH7DaIxtogZ7qKSp0dd95g=
>>> -----END RSA PRIVATE KEY-----
>>> -----BEGIN CERTIFICATE-----
>>> MIIDXzCCAUcCAQEwDQYJKoZIhvcNAQELBQAwNTEcMBoGA1UEAwwTQXN0ZXJpc2sg
>>> ...
>>> XkVjfneCBgllQhLrnb9oUBuHQCy3qtlPkXpXfAtIsodnoV1mrpI3+iKH7xWc4AtQ
>>> Rbrt
>>> -----END CERTIFICATE-----
>>>
>>>
>>> Any clue?
>>>
>>> Best regards
>>>
>>
>
> After dozens of tries with different settings, this morning I tried to simply
> copy the cert files from a running FreePBX 15 instance to my Debian Buster
> target. To my surprise, it worked; for the very first time, I now have:
>
> # asterisk -rx 'http show status'
> HTTP Server Status:
> Prefix:
> Server: Asterisk/16.7.0
> Server Enabled and Bound to [::]:8088
>
> HTTPS Server Enabled and Bound to [::]:8089
>
>
> Now, to fully solve the issue, I need to understand why things didn't work
> previously and now do work correctly.
>
> Current /etc/asterisk/keys is:
> # ls -alR keys
> keys:
> total 56
> drwxr-xr-x 3 asterisk asterisk 4096 janv.  8 09:31 .
> drwxrwxr-x 3 asterisk asterisk 4096 janv.  8 09:35 ..
> -rw------- 1 asterisk asterisk 1675 janv.  8 09:31 api_oauth.key
> -rw------- 1 asterisk asterisk  451 janv.  8 09:31 api_oauth_public.key
> -rw-r--r-- 1 asterisk asterisk  191 janv.  8 09:31 ca.cfg
> -rw-r--r-- 1 asterisk asterisk 1724 janv.  8 09:31 ca.crt
> -rw-r--r-- 1 asterisk asterisk 3243 janv.  8 09:31 ca.key
> -rw------- 1 asterisk asterisk 1712 janv.  8 09:31 default.crt
> -rw------- 1 asterisk asterisk 1610 janv.  8 09:31 default.csr
> -rw------- 1 asterisk asterisk 3247 janv.  8 09:31 default.key
> -rw------- 1 asterisk asterisk 4959 janv.  8 09:31 default.pem
> drwxr-xr-x 2 asterisk asterisk 4096 janv.  8 09:31 integration
> -rw-r--r-- 1 asterisk asterisk 1024 janv.  8 09:31 .rnd
>
> keys/integration:
> total 24
> drwxr-xr-x 2 asterisk asterisk 4096 janv.  8 09:31 .
> drwxr-xr-x 3 asterisk asterisk 4096 janv.  8 09:31 ..
> -rw------- 1 asterisk asterisk 4959 janv.  8 09:31 certificate.pem
> -rw------- 1 asterisk asterisk 1712 janv.  8 09:31 webserver.crt
> -rw------- 1 asterisk asterisk 3247 janv.  8 09:31 webserver.key
>
> Asterisk is running as asterisk:asterisk.
>
> /etc/asterisk/http.conf is:
> # cat http.conf
>
> [general]
> enabled=yes
> enablestatic=no
> bindaddr=::
> bindport=8088
> prefix=
> sessionlimit=100
> session_inactivity=30000
> session_keep_alive=15000
> tlsenable=yes
> tlsbindaddr=[::]:8089
> tlscertfile=/etc/asterisk/keys/integration/certificate.pem
> tlsprivatekey=/etc/asterisk/keys/integration/webserver.key
>
> # cat /etc/asterisk/keys/ca.cfg
> [req]
> distinguished_name = req_distinguished_name
> prompt = no
> default_md = sha256
> [ca]
> default_md = sha256
> [req_distinguished_name]
> CN=localhost
> O=localhost
> [ext]
> basicConstraints=CA:TRUE
>
>
> Is there a way to find out how FreePBX generated the /etc/asterisk/keys tree?
>
> Best regards
>
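Added example, not from this thread or the Asterisk project: a POSIX shell script that checks an Asterisk key/cert PEM the way a practitioner would want to before restarting Asterisk, instead of discovering the problem through "TLS/SSL error loading cert file". It assumes the openssl command-line tool is installed. It reads the RSA size of the first private key and of the first certificate in a file (so it works on the combined key-plus-certificate asterisk.pem that ast_tls_cert writes), looks up the SECLEVEL set in an openssl.cnf (Debian Buster ships CipherString = DEFAULT@SECLEVEL=2 together with MinProtocol = TLSv1.2 in /etc/ssl/openssl.cnf), and maps that level to the minimum RSA size from OpenSSL's documented security-level table (level 1: 1024 bits, level 2: 2048, level 3: 3072, level 4: 7680, level 5: 15360). The function names and the sample config snippets in the usage are my own.

```shell
#!/bin/sh
# Added example (not from the original thread or the Asterisk project).
# Checks whether an Asterisk TLS key/cert PEM satisfies the RSA minimum
# implied by the OpenSSL SECLEVEL configured on the system.
# Requires the openssl CLI; all function names here are this example's own.

# Bit length of the first private key in a PEM file. Works on the combined
# key+cert asterisk.pem from ast_tls_cert, since pkey stops at the first key.
pem_key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Bit length of the public key inside the first certificate in a PEM file
# (x509 skips the private-key block and reads the CERTIFICATE block).
pem_cert_bits() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Minimum RSA modulus size for an OpenSSL security level, per the table in
# SSL_CTX_set_security_level(3). Unknown levels fall back to level 2.
seclevel_min_bits() {
    case "$1" in
        0) echo 0 ;;
        1) echo 1024 ;;
        2) echo 2048 ;;
        3) echo 3072 ;;
        4) echo 7680 ;;
        5) echo 15360 ;;
        *) echo 2048 ;;
    esac
}

# SECLEVEL from an openssl.cnf (Debian Buster: CipherString = DEFAULT@SECLEVEL=2).
# Prints 1, OpenSSL's built-in default level, when the file sets none.
cnf_seclevel() {
    lvl=$(sed -n 's/.*SECLEVEL=\([0-9]\).*/\1/p' "$1" 2>/dev/null | head -n 1)
    echo "${lvl:-1}"
}

# Verdict for a PEM ($1) against the SECLEVEL in an openssl.cnf ($2):
# returns 0 when the key is large enough, 1 otherwise.
check_pem() {
    bits=$(pem_key_bits "$1")
    need=$(seclevel_min_bits "$(cnf_seclevel "$2")")
    if [ -z "$bits" ]; then
        echo "$1: no readable private key"
        return 1
    fi
    if [ "$bits" -lt "$need" ]; then
        echo "$1: ${bits}-bit key is below the ${need}-bit minimum for this OpenSSL config"
        return 1
    fi
    echo "$1: ${bits}-bit key OK (minimum ${need} bits)"
    return 0
}

# Usage: ./check_asterisk_pem.sh /etc/asterisk/keys/asterisk.pem [/etc/ssl/openssl.cnf]
[ "$#" -eq 0 ] || check_pem "$1" "${2:-/etc/ssl/openssl.cnf}"
```

Run it against the PEM named in tlscertfile before starting Asterisk; a 1024-bit key from a default ast_tls_cert run reports "below the 2048-bit minimum" on a Buster config, and the same file passes on a config without SECLEVEL, which is exactly the difference between the two hosts in this thread. Generating the key with -b 2048 (or larger) makes the check pass without touching the system-wide OpenSSL policy, which is the right fix; lowering SECLEVEL in /etc/ssl/openssl.cnf would weaken every TLS client and server on the box.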