[asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
Ruisheng Peng
rpeng at ifa.hawaii.edu
Fri Jan 29 20:37:05 CST 2021
beating around bushes, and finally seem to stomp on something that worked!
Simply move the cert file locations from /home/asterisk/certs to
/etc/asterisk/keys
[root at voip1 asterisk]# ls -l keys
total 36
-rw-r-----. 1 asterisk asterisk 1212 Jan 29 14:18 asterisk.crt
-rw-r-----. 1 asterisk asterisk 578 Jan 29 14:18 asterisk.csr
-rw-r-----. 1 asterisk asterisk 891 Jan 29 14:18 asterisk.key
-rw-r-----. 1 asterisk asterisk 2103 Jan 29 14:18 asterisk.pem
-rw-r-----. 1 asterisk asterisk 1749 Jan 29 14:18 ca.crt
-rw-r-----. 1 asterisk asterisk 3311 Jan 29 14:18 ca.key
-rw-r-----. 1 asterisk asterisk 1923 Jan 29 14:18 cert.pem
-rw-r-----. 1 asterisk asterisk 3570 Jan 29 14:18 fullchain.pem
-rw-r-----. 1 asterisk asterisk 1704 Jan 29 14:18 privkey.pem
and TLS was established. With a self-signed cert, I'd need to add ca_list_file
in the transport-tls section in /etc/pjsip.conf for it to fly.
[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0:5061
; ca_list_file = /etc/asterisk/keys/ca.crt
; cert_file = /etc/asterisk/keys/asterisk.crt
; priv_key_file = /etc/asterisk/keys/asterisk.key
cert_file = /etc/asterisk/keys/fullchain.pem
priv_key_file = /etc/asterisk/keys/privkey.pem
method = tlsv1_2
allow_reload = true
Not sure what the nature of the problem was. Maybe SELinux? There was no
complaint from that department though.
Thanks for the help and suggestions,
--Ruisheng
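Added check for the situation in this thread (not from the original mail): a shell function that tests whether the cert_file and priv_key_file of a transport-tls section parse, belong together, verify against the ca_list_file when one is given, and are readable by the service user. The paths, the user name "asterisk" and the demo material are assumptions; it needs the openssl CLI.

```shell
#!/bin/sh
# Added diagnostic for a pjsip transport-tls setup (not from the original mail).
# Assumed inputs: cert_file, priv_key_file, optional ca_list_file, service user.

# check_tls_material CERT KEY [CA] [USER]: prints each failure, returns 1 on any.
check_tls_material() {
    cert=$1; key=$2; ca=$3; user=${4:-asterisk}; rc=0
    for f in "$cert" "$key" ${ca:+"$ca"}; do
        [ -r "$f" ] || { echo "unreadable or missing: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    # "cert parsing error" covers bad PEM, a CSR handed in as the cert, or DER.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo "certificate does not parse: $cert"; rc=1; }
    openssl pkey -in "$key" -noout >/dev/null 2>&1 \
        || { echo "private key does not parse: $key"; rc=1; }
    [ "$rc" -eq 0 ] || return 1
    # The public key embedded in the cert must equal the one derived from the key.
    certpub=$(openssl x509 -in "$cert" -noout -pubkey)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ "$certpub" = "$keypub" ] || { echo "cert and key do not match"; rc=1; }
    # With a self-signed cert the ca_list_file must actually anchor the chain.
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
            || { echo "chain does not verify against $ca"; rc=1; }
    fi
    # Asterisk opens the files as its service user, not as root; check as that
    # user when we are root (su needs no password then), otherwise say so.
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        for f in "$cert" "$key"; do
            su -s /bin/sh "$user" -c "test -r \"$f\"" \
                || { echo "user $user cannot read $f"; rc=1; }
        done
    else
        echo "note: readability as user $user not checked (not running as root)"
    fi
    return "$rc"
}

# make_demo_material DIR: constructed self-signed test material (a self-signed
# cert is its own trust anchor, the role ca_list_file plays in the thread).
make_demo_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
    # An unrelated key, to exercise the mismatch detection.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" >/dev/null 2>&1
}
```

Run it as root on the PBX itself so the readability check as the asterisk user actually executes against the real files.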
On Fri, Jan 29, 2021 at 11:33 AM Ruisheng Peng <rpeng at ifa.hawaii.edu> wrote:
> Thanks for the detailed explanation Michael.
>
> I stopped the current asterisk process (started by systemd), and restarted it
> as asterisk:
>
> [asterisk at voip1 ~]$ strace -f -o /home/asterisk/strace.log asterisk -fmq -vvv -C /etc/asterisk/asterisk.conf
>
> From the log there was no attempt to even open the cert file. I edited
> /etc/asterisk/pjsip.conf to add a "method = tlsv1" line to the
> transport-tls section. I reran the strace command, and here is the part
> regarding the cert files:
>
> 8189 stat("/home/asterisk/certs/asterisk.crt", {st_mode=S_IFREG|0640, st_size=1212, ...}) = 0
> 8189 geteuid() = 1002
> 8189 getegid() = 1002
> 8189 getuid() = 1002
> 8189 getgid() = 1002
> 8189 access("/home/asterisk/certs/asterisk.crt", R_OK) = 0
> 8189 stat("/home/asterisk/certs/asterisk.key", {st_mode=S_IFREG|0640, st_size=891, ...}) = 0
> 8189 geteuid() = 1002
> 8189 getegid() = 1002
> 8189 getuid() = 1002
> 8189 getgid() = 1002
> 8189 access("/home/asterisk/certs/asterisk.key", R_OK) = 0
> 8189 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 16
> 8189 setsockopt(16, SOL_SOCKET, 0xffff /* SO_??? */, [1], 4) = -1 ENOPROTOOPT (Protocol not available)
> 8189 setsockopt(16, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
> 8189 setsockopt(16, SOL_TCP, TCP_NODELAY, [1], 4) = 0
>
> The TLS transport is not established in the end. Only the two hard phones
> using UDP transport and a softphone using TCP transport are registered.
>
> Thanks,
>
> --Ruisheng
>
> On Thu, Jan 28, 2021 at 7:42 PM Michael Maier <m1278468 at mailbox.org> wrote:
>
>>
>> On 27.01.21 at 22:57 Ruisheng Peng wrote:
>> > Thanks Michael for the suggestion! I've installed strace and assigned one
>> > of the endpoints (SOFTPHONE_B) to use transport-tls. Then run strace (as
>> > user asterisk):
>> >
>> > [asterisk at voip1 ~]$ strace asterisk -rx "module reload res_pjsip.so"
>>
>> You should use strace like this as root and from the very beginning of
>> the start of asterisk:
>>
>> strace -f -o /tmp/strace.log asterisk -vvv -mqf -C /etc/asterisk/asterisk.conf
>>
>> -f means to follow even forked processes, ... (see man page)
>> -o writes all the output to a file. You can search afterwards pretty
>> easily for the file (or the open call).
>>
>> You shouldn't do this in production but in the test environment!
>>
>> You have to run it until the error has happened.
>>
>>
>> Thanks
>> Michael
>>