[asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error

Ruisheng Peng rpeng at ifa.hawaii.edu
Tue Jan 26 14:12:22 CST 2021


Hi,

  I'm experimenting with Asterisk-16.14.0 on a CentOS7 box, and ran into
problems loading the SSL certificate to establish transport-tls.  Tried a
self-signed certificate generated with ast_tls_cert under contrib/scripts
and the one issued by Letsencrypt; both would bomb out with a parsing error:

[Dec  3 15:47:50] ERROR[11233] res_pjsip/config_transport.c: Transport:
transport-tls: cert_file /home/asterisk/certs/asterisk.crt is either
missing or not readable

[Dec  3 15:47:50] ERROR[11233] config_options.c: Error parsing
cert_file=/home/asterisk/certs/asterisk.crt at line 24 of


What's interesting is that the self-signed asterisk.crt only has 20 lines.
For the Letsencrypt certificate (both cert.pem and fullchain.pem), it'd bomb
out at line 22.


Here's the transport section of my /etc/asterisk/pjsip.conf:


[transport-udp]
type = transport
protocol = udp
bind = 0.0.0.0

[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0
;cert_file = /home/asterisk/certs/cert.pem
;cert_file = /home/asterisk/certs/fullchain.pem
;priv_key_file = /home/asterisk/certs/privkey.pem
cert_file = /home/asterisk/certs/asterisk.crt
priv_key_file = /home/asterisk/certs/asterisk.key
allow_reload = true


And a full listing of /home/asterisk/certs:


-rw-r-----. 1 asterisk asterisk 1212 Dec  2 17:19 asterisk.crt
-rw-r-----. 1 asterisk asterisk  578 Dec  2 17:18 asterisk.csr
-rw-r-----. 1 asterisk asterisk  891 Dec  2 17:18 asterisk.key
-rw-r-----. 1 asterisk asterisk 2103 Dec  2 17:19 asterisk.pem
-rw-r-----. 1 asterisk asterisk 1749 Dec  2 17:18 ca.crt
-rw-r-----. 1 asterisk asterisk 3311 Dec  2 17:18 ca.key
-rw-r-----. 1 asterisk asterisk 1923 Nov 13 16:29 cert.pem
-rw-r-----. 1 asterisk asterisk 3570 Nov 13 15:11 fullchain.pem
-rw-r-----. 1 asterisk asterisk 1704 Nov 13 15:12 privkey.pem


The self-signed asterisk.crt:




and Letsencrypt cert.pem:




There were a few mentions of this problem on the web, and one said changing
the security mode of the certs to 755 fixed his problem.  But it didn't
work for me.


  Thanks for any suggestions and help,


--Ruisheng
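
The error quoted in the post names two conditions, "missing or not readable". As an added example (not part of the original post and not Asterisk code), this shell function walks a path as the current user and reports the first component that is absent, lacks directory search permission, or cannot be read; the function name `first_blocker` is hypothetical, and running it as the `asterisk` account assumes that is the user Asterisk runs under.

```shell
#!/bin/sh
# Added example: find the first path component that stops the current user
# from reading a file. Run it as the account the daemon runs under, e.g.
#   sudo -u asterisk sh check_path.sh /home/asterisk/certs/asterisk.crt
# (the account name "asterisk" is an assumption taken from the file owner
# shown in the directory listing; check_path.sh is a hypothetical file name).

# first_blocker FILE
#   Prints "ok" or "<reason>: <path>".
#   Returns 0 readable, 1 missing, 2 directory not searchable, 3 not readable.
first_blocker() {
    target=$1
    case $target in
        /*) ;;
        *) target=$PWD/$target ;;     # make relative paths absolute
    esac
    # Split the path on "/" without glob expansion.
    old_ifs=$IFS
    set -f
    IFS=/
    set -- $target
    IFS=$old_ifs
    set +f
    path=
    for part in "$@"; do
        [ -n "$part" ] || continue    # skip empty fields from "/" and "//"
        path=$path/$part
        if [ ! -e "$path" ]; then
            echo "missing: $path"
            return 1
        fi
        # A directory needs search (x) permission before anything below it
        # can be opened, whatever the mode of the file itself.
        if [ -d "$path" ] && [ ! -x "$path" ]; then
            echo "no search permission: $path"
            return 2
        fi
    done
    if [ ! -r "$path" ]; then
        echo "not readable: $path"
        return 3
    fi
    echo "ok"
    return 0
}

# When invoked with an argument, check that path and exit with its status.
if [ "$#" -gt 0 ]; then first_blocker "$1"; fi
```

The trailing `.` in the listing's mode strings indicates the files carry an SELinux security context; a check run from an interactive shell does not reproduce the confinement a daemon may run under.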