Re: [asterisk-users] Let's encrypt privkey : Specified certificate file could not be used

2017-06-03 Thread Jonas Kellens

Hello James

I am running asterisk as root, just to 'disable' all issues related to 
file rights. So this should not be the problem.



Kind regards.


On 03-06-17 at 08:09, James Cloos wrote:

"JK" == Jonas Kellens  writes:

JK> [Jun  2 14:29:28] ERROR[27360][C-0ae5]: res_rtp_asterisk.c:1441
JK> ast_rtp_dtls_set_configuration: Specified certificate file
JK> '/etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' for RTP instance
JK> '0x7f920c538a78' could not be used

That error means that openssl's SSL_CTX_use_certificate_file() returned
an error.

The later error is just a result of that one.

Does the uid/gid used for asterisk have access to the key?

If the uid you use for asterisk is called asterisk, run this as root:

su -c 'cat /etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' - asterisk

If it fails, then the problem is permissions.

You may need to alter the permissions on /etc/letsencrypt to allow
non-root uids to access the symlinks and their targets.

-JimC


-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] Let's encrypt privkey : Specified certificate file could not be used

2017-06-03 Thread James Cloos
> "JK" == Jonas Kellens  writes:

JK> [Jun  2 14:29:28] ERROR[27360][C-0ae5]: res_rtp_asterisk.c:1441
JK> ast_rtp_dtls_set_configuration: Specified certificate file
JK> '/etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' for RTP instance
JK> '0x7f920c538a78' could not be used

That error means that openssl's SSL_CTX_use_certificate_file() returned
an error.

The later error is just a result of that one.

Does the uid/gid used for asterisk have access to the key?

If the uid you use for asterisk is called asterisk, run this as root:

su -c 'cat /etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' - asterisk

If it fails, then the problem is permissions.

You may need to alter the permissions on /etc/letsencrypt to allow
non-root uids to access the symlinks and their targets.

-JimC
-- 
James Cloos  OpenPGP: 0x997A9F17ED7DAEA6
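
Added example (not part of any message in this thread): a shell check that extends the readability test above by also reporting which PEM block each file holds, since SSL_CTX_use_certificate_file() parses a certificate and the file named in the log is privkey.pem. The function names and the two-argument usage are assumptions of this example; run it as the uid Asterisk runs under.

```shell
#!/bin/sh
# Added example: classify PEM files before a TLS/DTLS loader sees them.

# pem_kind FILE
# Prints one of: unreadable | certificate | private-key | not-pem | other:<label>
pem_kind() {
    if [ ! -r "$1" ]; then
        echo unreadable
        return 0
    fi
    # Take the label of the first "-----BEGIN <label>-----" line in the file.
    label=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1)
    case "$label" in
        CERTIFICATE)    echo certificate ;;
        *"PRIVATE KEY") echo private-key ;;   # RSA/EC/PKCS#8/encrypted keys
        "")             echo not-pem ;;
        *)              echo "other:$label" ;;
    esac
}

# check_cert_setting CERTFILE KEYFILE
# Prints a single verdict; returns 0 only when both files have the expected type.
check_cert_setting() {
    cert_kind=$(pem_kind "$1")
    key_kind=$(pem_kind "$2")
    if [ "$cert_kind" = unreadable ] || [ "$key_kind" = unreadable ]; then
        echo "permissions: this uid cannot read one of the files"
        return 1
    fi
    if [ "$cert_kind" != certificate ]; then
        echo "wrong-type: certificate setting points at $cert_kind"
        return 2
    fi
    if [ "$key_kind" != private-key ]; then
        echo "wrong-type: key setting points at $key_kind"
        return 3
    fi
    echo ok
}

# Usage: sh check_pem.sh <configured certificate file> <configured key file>
if [ "$#" -eq 2 ]; then
    check_cert_setting "$1" "$2"
fi
```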





Re: [asterisk-users] Let's encrypt privkey : Specified certificate file could not be used

2017-06-02 Thread Daniel Tryba
On Fri, Jun 02, 2017 at 02:36:38PM +0200, Jonas Kellens wrote:
> [Jun  2 14:29:28]   == DTLS ECDH initialized (secp256r1), faster PFS enabled
> [Jun  2 14:29:28] ERROR[27360][C-0ae5]: res_rtp_asterisk.c:1441
> ast_rtp_dtls_set_configuration: Specified certificate file
> '/etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' for RTP instance
> '0x7f920c538a78' could not be used

What size is the private key? There is a script to create a cert for
asterisk:
https://github.com/asterisk/asterisk/blob/master/contrib/scripts/ast_tls_cert
It creates a 1024b keypair, maybe for a good reason. Certbot's size is
2048 by default. Try adding --rsa-key-size 1024 (or signing a
"handcrafted" key)




[asterisk-users] Let's encrypt privkey : Specified certificate file could not be used

2017-06-02 Thread Jonas Kellens

Hello

I get the following error when using our Let's Encrypt ssl certificate 
for webRTC calls :


[Jun  2 14:29:28]   == DTLS ECDH initialized (secp256r1), faster PFS enabled
[Jun  2 14:29:28] ERROR[27360][C-0ae5]: res_rtp_asterisk.c:1441 
ast_rtp_dtls_set_configuration: Specified certificate file 
'/etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' for RTP instance 
'0x7f920c538a78' could not be used
[Jun  2 14:29:28] ERROR[27360][C-0ae5]: chan_sip.c:5941 
dialog_initialize_dtls_srtp: Attempted to set an invalid DTLS-SRTP 
configuration on RTP instance '0x7f920c538a78'


(ws.mydomain.tld is of course masked)


Any idea why Asterisk has a problem with the certificate ?


Kind regards.

