[asterisk-users] TLS/SSL error loading cert file. </etc/asterisk/keys/asterisk.pem> [Almost SOLVED]

Olivier oza.4h07 at gmail.com
Wed Jan 8 03:04:05 CST 2020


Hello,

On Mon, Jan 6, 2020 at 19:01, Olivier <oza.4h07 at gmail.com> wrote:

> May I add I could successfully (if pjsip show transports has any meaning)
> add a PJSIP TLS-transport with:
>
> [transport-tls]
> type=transport
> protocol=tls
> bind=0.0.0.0:5061
> cert_file=/etc/asterisk/keys/asterisk.crt
> priv_key_file=/etc/asterisk/keys/asterisk.key
> method=tlsv1
>
> On Mon, Jan 6, 2020 at 18:33, Olivier <oza.4h07 at gmail.com> wrote:
>
>> Hello,
>>
>> On a newly re-installed Asterisk 16.7.0 on Debian Buster, I can't find a
>> way to enable HTTPS.
>> Asterisk is running as asterisk:asterisk:
>>
>> asterisk 11097  0.3  6.7 741352 67984 ?        Ssl  17:53   0:06
>> /usr/sbin/asterisk -g -f -p -U asterisk
>>
>> # cat /etc/asterisk/http.conf
>> [general]
>> servername=Asterisk
>> enabled=yes
>> bindaddr=0.0.0.0
>> bindport=8088
>> tlsenable=yes
>> tlsbindaddr=0.0.0.0:8089
>> tlscertfile=/etc/asterisk/keys/asterisk.pem
>> ;tlsprivatekey=keys/asterisk.key
>>
>> # ls -lR /etc/asterisk/keys
>> /etc/asterisk/keys:
>> total 32
>> -rw-rw-r-- 1 asterisk asterisk 1229 janv.  6 16:00 asterisk.crt
>> -rw-rw-r-- 1 asterisk asterisk  586 janv.  6 15:59 asterisk.csr
>> -rw-rw-r-- 1 asterisk asterisk  887 janv.  6 15:59 asterisk.key
>> -rw-rw-r-- 1 asterisk asterisk 2116 janv.  6 16:00 asterisk.pem
>> -rw-rw-r-- 1 asterisk asterisk  158 janv.  6 15:59 ca.cfg
>> -rw-rw-r-- 1 asterisk asterisk 1773 janv.  6 15:59 ca.crt
>> -rw-rw-r-- 1 asterisk asterisk 3311 janv.  6 15:59 ca.key
>> -rw-rw-r-- 1 asterisk asterisk  132 janv.  6 15:59 tmp.cfg
>>
>> # grep TLS /var/log/asterisk/full | tail -1
>> [Jan  6 18:24:45] ERROR[11221] tcptls.c: TLS/SSL error loading cert file.
>> </etc/asterisk/keys/asterisk.pem>
>>
>> # su - asterisk --shell /bin/sh --command 'cat
>> /etc/asterisk/keys/asterisk.pem'
>> -----BEGIN RSA PRIVATE KEY-----
>> MIICXAIBAAKBgQCxllxfOR9sFwyKiKPZErUcBF1zlwTVZ9XvemA/8yQY7aIVw2ce
>> ...
>> RE3X5iJqFIRupoIQZQJBAJnDX8dCQbqLvmAV6/Ubiz0XHjHzLEkhMKtF/ksbgou1
>> zykmu2rlUbnZ+DPFj/lw9WH7DaIxtogZ7qKSp0dd95g=
>> -----END RSA PRIVATE KEY-----
>> -----BEGIN CERTIFICATE-----
>> MIIDXzCCAUcCAQEwDQYJKoZIhvcNAQELBQAwNTEcMBoGA1UEAwwTQXN0ZXJpc2sg
>> ...
>> XkVjfneCBgllQhLrnb9oUBuHQCy3qtlPkXpXfAtIsodnoV1mrpI3+iKH7xWc4AtQ
>> Rbrt
>> -----END CERTIFICATE-----
>>
>>
>> Any clue?
>>
>> Best regards
>>
>

After trying dozens of different settings, I tried this morning to simply
copy the cert files from a running FreePBX 15 instance to my Debian Buster
target. To my surprise, it worked: for the very first time, I now have:

# asterisk -rx 'http show status'
HTTP Server Status:
Prefix:
Server: Asterisk/16.7.0
Server Enabled and Bound to [::]:8088

HTTPS Server Enabled and Bound to [::]:8089


Now, to fully solve the issue, I need to understand why things didn't work
previously and now do work correctly.

Current /etc/asterisk/keys is:
# ls -alR keys
keys:
total 56
drwxr-xr-x 3 asterisk asterisk 4096 janv.  8 09:31 .
drwxrwxr-x 3 asterisk asterisk 4096 janv.  8 09:35 ..
-rw------- 1 asterisk asterisk 1675 janv.  8 09:31 api_oauth.key
-rw------- 1 asterisk asterisk  451 janv.  8 09:31 api_oauth_public.key
-rw-r--r-- 1 asterisk asterisk  191 janv.  8 09:31 ca.cfg
-rw-r--r-- 1 asterisk asterisk 1724 janv.  8 09:31 ca.crt
-rw-r--r-- 1 asterisk asterisk 3243 janv.  8 09:31 ca.key
-rw------- 1 asterisk asterisk 1712 janv.  8 09:31 default.crt
-rw------- 1 asterisk asterisk 1610 janv.  8 09:31 default.csr
-rw------- 1 asterisk asterisk 3247 janv.  8 09:31 default.key
-rw------- 1 asterisk asterisk 4959 janv.  8 09:31 default.pem
drwxr-xr-x 2 asterisk asterisk 4096 janv.  8 09:31 integration
-rw-r--r-- 1 asterisk asterisk 1024 janv.  8 09:31 .rnd

keys/integration:
total 24
drwxr-xr-x 2 asterisk asterisk 4096 janv.  8 09:31 .
drwxr-xr-x 3 asterisk asterisk 4096 janv.  8 09:31 ..
-rw------- 1 asterisk asterisk 4959 janv.  8 09:31 certificate.pem
-rw------- 1 asterisk asterisk 1712 janv.  8 09:31 webserver.crt
-rw------- 1 asterisk asterisk 3247 janv.  8 09:31 webserver.key

Asterisk is running as asterisk:asterisk.

/etc/asterisk/http.conf is:
# cat http.conf

[general]
enabled=yes
enablestatic=no
bindaddr=::
bindport=8088
prefix=
sessionlimit=100
session_inactivity=30000
session_keep_alive=15000
tlsenable=yes
tlsbindaddr=[::]:8089
tlscertfile=/etc/asterisk/keys/integration/certificate.pem
tlsprivatekey=/etc/asterisk/keys/integration/webserver.key

# cat /etc/asterisk/keys/ca.cfg
[req]
distinguished_name = req_distinguished_name
prompt = no
default_md = sha256
[ca]
default_md = sha256
[req_distinguished_name]
CN=localhost
O=localhost
[ext]
basicConstraints=CA:TRUE


Is there a way to find out how FreePBX generated the /etc/asterisk/keys tree?

Best regards
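
Added example, not part of the original post and not Asterisk or FreePBX code: the listings above show an 887-byte asterisk.key in the failing setup and a 3247-byte webserver.key in the working one, so one difference worth checking is the RSA modulus size. This Python sketch lists the PEM blocks of a bundle in file order and reports the modulus size of a PKCS#1 "RSA PRIVATE KEY" block (other key formats are only listed). The 2048-bit threshold is an assumption (the RSA minimum at OpenSSL security level 2), the thread does not establish this as the cause, and the sample key is a constructed blob, not a real key.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                         # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length

def rsa_bits(der):
    """Modulus size of a PKCS#1 RSAPrivateKey: SEQUENCE { version, n, ... }."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, ver_end = _read_tlv(der, start)           # INTEGER version
    tag, n_start, n_end = _read_tlv(der, ver_end)   # INTEGER modulus
    if tag != 0x02:
        raise ValueError("modulus INTEGER not found")
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def inspect_bundle(text, min_bits=2048):
    """List PEM blocks in file order; flag RSA keys shorter than min_bits."""
    report = []
    for label, body in PEM_RE.findall(text):
        entry = {"label": label}
        if label == "RSA PRIVATE KEY":
            entry["bits"] = rsa_bits(base64.b64decode("".join(body.split())))
            entry["too_small"] = entry["bits"] < min_bits
        report.append(entry)
    return report

def _tlv(tag, val):
    n = (len(val).bit_length() + 7) // 8     # bytes needed for a long-form length
    hdr = bytes([len(val)]) if len(val) < 0x80 else bytes([0x80 | n]) + len(val).to_bytes(n, "big")
    return bytes([tag]) + hdr + val

def fake_rsa_pem(bits):
    """Constructed sample: PKCS#1-shaped blob with a dummy modulus, not a usable key."""
    modulus = b"\x00" + b"\xff" * (bits // 8)        # leading 0x00 keeps the INTEGER positive
    der = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x02, modulus))
    return "-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(der).decode() + "-----END RSA PRIVATE KEY-----\n"
```

To run it on a real bundle, pass the file's text to inspect_bundle(), for example the contents of the file named in tlscertfile.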