<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-size:small">Beating around the bushes, and I finally seem to have stomped on something that worked!</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Simply moved the cert file locations from /home/asterisk/certs to /etc/asterisk/keys:</div><div class="gmail_default"><p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">[root@voip1 asterisk]# ls -l keys</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">total 36</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">-rw-r-----. 1 asterisk asterisk 1212 Jan 29 14:18 asterisk.crt</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">-rw-r-----. 1 asterisk asterisk  578 Jan 29 14:18 asterisk.csr</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">-rw-r-----. 1 asterisk asterisk  891 Jan 29 14:18 asterisk.key</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">-rw-r-----. 1 asterisk asterisk 2103 Jan 29 14:18 asterisk.pem</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">-rw-r-----. 1 asterisk asterisk 1749 Jan 29 14:18 ca.crt</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">-rw-r-----. 1 asterisk asterisk 3311 Jan 29 14:18 ca.key</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">-rw-r-----. 1 asterisk asterisk 1923 Jan 29 14:18 cert.pem</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">-rw-r-----. 1 asterisk asterisk 3570 Jan 29 14:18 fullchain.pem</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">-rw-r-----. 1 asterisk asterisk 1704 Jan 29 14:18 privkey.pem</font></span></p></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">and TLS was established. With a self-signed cert, I'd need to add ca_list_file in the transport-tls section in /etc/pjsip.conf for it to fly.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default"><p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">[transport-tls]</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">type = transport</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">protocol = tls</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">bind = <a href="http://0.0.0.0:5061">0.0.0.0:5061</a></font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">; ca_list_file = /etc/asterisk/keys/ca.crt</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">; cert_file = /etc/asterisk/keys/asterisk.crt</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">; priv_key_file = /etc/asterisk/keys/asterisk.key</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">cert_file = /etc/asterisk/keys/fullchain.pem</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">priv_key_file = /etc/asterisk/keys/privkey.pem</font></span></p></div><div class="gmail_default"><p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">method = tlsv1_2</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">allow_reload = true</font></span></p></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Not sure what the nature of the problem was. Maybe SELinux? There was no complaint from that department though.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Thanks for the help and suggestions,</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">--Ruisheng</div><div class="gmail_default" style="font-size:small"><br></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 29, 2021 at 11:33 AM Ruisheng Peng <<a href="mailto:rpeng@ifa.hawaii.edu">rpeng@ifa.hawaii.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-size:small">Thanks for the detailed explanation Michael.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">I stopped the current asterisk process (started by systemd), and restarted it as asterisk:</div><div class="gmail_default"><p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">[asterisk@voip1 ~]$ strace -f -o /home/asterisk/strace.log asterisk -fmq -vvv -C /etc/asterisk/asterisk.conf</font></span></p><p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace"><br></font></span></p></div><div class="gmail_default" style="font-size:small">From the log there was no attempt to even open the cert file. I edited /etc/asterisk/pjsip.conf to add a "method = tlsv1" line to the transport-tls section. Reran the strace command, and here is the part regarding cert files:</div><div class="gmail_default"><p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">8189  stat("/home/asterisk/certs/asterisk.crt", {st_mode=S_IFREG|0640, st_size=1212, ...}) = 0</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">8189  geteuid()                         = 1002</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">8189  getegid()                         = 1002</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">8189  getuid()                          = 1002</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">8189  getgid()                          = 1002</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">8189  access("/home/asterisk/certs/asterisk.crt", R_OK) = 0</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">8189  stat("/home/asterisk/certs/asterisk.key", {st_mode=S_IFREG|0640, st_size=891, ...}) = 0</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">8189  geteuid()                         = 1002</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">8189  getegid()                         = 1002</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">8189  getuid()                          = 1002</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">8189  getgid()                          = 1002</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">8189  access("/home/asterisk/certs/asterisk.key", R_OK) = 0</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">8189  socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 16</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">8189  setsockopt(16, SOL_SOCKET, 0xffff /* SO_??? */, [1], 4) = -1 ENOPROTOOPT (Protocol not available)</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">8189  setsockopt(16, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">8189  setsockopt(16, SOL_TCP, TCP_NODELAY, [1], 4) = 0</font></span></p><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div></div><div class="gmail_default" style="font-size:small">The TLS transport is not established in the end. Only the two hard phones using UDP transport and a softphone using TCP transport are registered.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Thanks,</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">--Ruisheng</div><div class="gmail_default" style="font-size:small"><br></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jan 28, 2021 at 7:42 PM Michael Maier <<a href="mailto:m1278468@mailbox.org" target="_blank">m1278468@mailbox.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><br>
On 27.01.21 at 22:57 Ruisheng Peng wrote:<br>
> Thanks Michael for the suggestion!  I've installed strace and assigned one<br>
> of the endpoints (SOFTPHONE_B) to use transport-tls. Then run strace (as<br>
> user asterisk):<br>
> <br>
> [asterisk@voip1 ~]$ strace asterisk -rx "module reload res_pjsip.so"<br>
<br>
You should use strace like this as root and from the very beginning of the start <br>
of asterisk:<br>
<br>
strace -f -o /tmp/strace.log asterisk -vvv -mqf -C /etc/asterisk/asterisk.conf<br>
<br>
-f means to follow even forked processes, ... (see man page)<br>
-o writes all the output to a file. You can search afterwards pretty easily for <br>
the file (or the open call).<br>
<br>
You shouldn't do this in production but in the test environment!<br>
<br>
You have to run it as long as the error has happened.<br>
<br>
<br>
Thanks<br>
Michael<br>
<br>
asterisk-users mailing list<br>
<br>
</blockquote></div>
</blockquote></div>
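An added example, not code from the thread or from the Asterisk project: shell helpers that read the cert_file / priv_key_file / ca_list_file paths out of a pjsip.conf [transport-tls] section and check them as the user Asterisk runs as, plus a filter that pulls failed file accesses on the key directory out of an strace -f log of the kind Michael recommends. It assumes the configured paths contain no spaces.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the file paths a
# pjsip.conf [transport-tls] section references, plus a filter for the
# strace -f log. Paths are assumed to contain no spaces.

# Print the values of cert_file / priv_key_file / ca_list_file found in the
# [transport-tls] section of $1, ignoring lines commented out with ';'.
tls_paths() {
  awk '
    /^\[/ { sec = $0; sub(/[[:space:]]+$/, "", sec); in_sec = (sec == "[transport-tls]") }
    in_sec && /^[[:space:]]*(cert_file|priv_key_file|ca_list_file)[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print
    }' "$1"
}

# Verify every configured path is a regular file readable by the calling user.
# Run it as the user Asterisk runs as (e.g. asterisk): a 0640 root-owned key
# passes this check as root but fails as asterisk. Returns 1 on any failure.
check_tls_paths() {
  rc=0
  for p in $(tls_paths "$1"); do
    if   [ ! -f "$p" ]; then echo "MISSING    $p"; rc=1
    elif [ ! -r "$p" ]; then echo "UNREADABLE $p"; rc=1
    else                     echo "ok         $p"
    fi
  done
  return $rc
}

# From an strace -f log ($1), print the stat/access/open calls on files under
# directory $2 that failed (returned -1 with an errno such as ENOENT or EACCES).
# No output means every access to that directory succeeded, as in the thread.
strace_failures() {
  grep -E "(stat|access|open|openat)\(.*\"$2/" "$1" | grep -E '= -1 E[A-Z]+' || true
}

# Typical use, as the asterisk user, after starting Asterisk under strace:
#   check_tls_paths /etc/asterisk/pjsip.conf
#   strace_failures /home/asterisk/strace.log /etc/asterisk/keys
```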