[asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
Ruisheng Peng
rpeng at ifa.hawaii.edu
Tue Jan 26 14:12:22 CST 2021
Hi,
I'm experimenting with Asterisk-16.14.0 on a CentOS7 box, and have run into
problems loading the SSL certificate to establish transport-tls. Tried
self-signed certificate generated with ast_tls_cert under contrib/scripts
and the one issued by Letsencrypt, both would bomb out with a parsing error:
[Dec 3 15:47:50] ERROR[11233] res_pjsip/config_transport.c: Transport: transport-tls: cert_file /home/asterisk/certs/asterisk.crt is either missing or not readable
[Dec 3 15:47:50] ERROR[11233] config_options.c: Error parsing cert_file=/home/asterisk/certs/asterisk.crt at line 24 of
What's interesting is that the self-signed asterisk.crt only has 20 lines.
For letsencrypt certificate (both cert.pem and fullchain.pem), it'd bomb
out at line 22.
Here's the transport section of my /etc/asterisk/pjsip.conf:
[transport-udp]
type = transport
protocol = udp
bind = 0.0.0.0
[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0
;cert_file = /home/asterisk/certs/cert.pem
;cert_file = /home/asterisk/certs/fullchain.pem
;priv_key_file = /home/asterisk/certs/privkey.pem
cert_file = /home/asterisk/certs/asterisk.crt
priv_key_file = /home/asterisk/certs/asterisk.key
allow_reload = true
And a full listing of /home/asterisk/certs:
-rw-r-----. 1 asterisk asterisk 1212 Dec 2 17:19 asterisk.crt
-rw-r-----. 1 asterisk asterisk 578 Dec 2 17:18 asterisk.csr
-rw-r-----. 1 asterisk asterisk 891 Dec 2 17:18 asterisk.key
-rw-r-----. 1 asterisk asterisk 2103 Dec 2 17:19 asterisk.pem
-rw-r-----. 1 asterisk asterisk 1749 Dec 2 17:18 ca.crt
-rw-r-----. 1 asterisk asterisk 3311 Dec 2 17:18 ca.key
-rw-r-----. 1 asterisk asterisk 1923 Nov 13 16:29 cert.pem
-rw-r-----. 1 asterisk asterisk 3570 Nov 13 15:11 fullchain.pem
-rw-r-----. 1 asterisk asterisk 1704 Nov 13 15:12 privkey.pem
The self-signed asterisk.crt:
and Letsencrypt cert.pem:
There were a few mentions of this problem on the web, and one said changing
the security mode of the certs to 755 fixed his problem. But it didn't
work for me.
Thanks for any suggestions and help,
--Ruisheng