On Thu, Feb 12, 2009 at 10:31 PM, M. Ranganathan <[email protected]> wrote:
> Hello,
>
> After installing sipx, I set up SSL Certificates using sipx-setup. This
> places a key and certificate in etc/sipxpbx/ssl i.e. ssl.crt ssl.key
> ssl.p12
>
> There is also a CA certificate which is placed in etc/sipxpbx/ssl/authorities
>
> I want to then install a new web certificate.
>
> After doing that, following the necessary procedures as outlined in
> XCF-3248, I find two new files : ssl-web.crt ssl-web.key in
> etc/sipxpbx/ssl
>
> No CA crt was added to authorities because, presumably only the web
> browser needs to know about the public key certificate of the
> certificate authority.
> I directly install the CA in the web browser and I am able to log in
> to sipx but I cannot communicate using XML RPC any longer.
>
> Looking at the XML RPC logs, I suspect that the public key certificate
> generated for the web browser (i.e. ssl-web.crt) is being
> used for the SSL handshake.
>
> For example, I see the following error :
>
> org.sipfoundry.sipxbridge.xmlrpc.SipXbridgeClientException:
> org.apache.xmlrpc.XmlRpcException: Failed to read servers response:
> sun.security.validator.ValidatorException: No trusted certificate
> found
> at
> org.sipfoundry.sipxbridge.xmlrpc.SipXbridgeXmlRpcClient.exit(SipXbridgeXmlRpcClient.java:144)
> at org.sipfoundry.sipxbridge.Gateway.main(Gateway.java:1219)
>
> And in the absence of a CA for that certificate (it is only installed
> in the web browser), I get the error above. This is of course not what
> I want. I want the server to continue to use ssl.crt for xml rpc but
> ssl-web.crt for the web browser.
> How can I arrange that?
>
> Ranga

Not sure if this bears any relevance to the matter:

create-ssl-keystore.sh:
----------------------------------------------------------------------------------------------------
if [ -f $WebCertificate ]; then
    Certificate=$WebCertificate
fi
if [ -f $WebKey ]; then
    Key=$WebKey
fi
if [ `uname -s` = FreeBSD ] ; then
    MD5SUM="/sbin/md5 -r"
else
    MD5SUM=md5sum
fi
Checksum=`cat $Certificate $Key | $MD5SUM | awk '{print $1}'`
if [ -f $KeyStoreFilesChecksum ]; then
    if [ -f $KeyStore ]; then
        PreviousChecksum=`cat $KeyStoreFilesChecksum`
        if [ x"$Checksum" = x"$PreviousChecksum" ]; then
            # Skip creating $KeyStore: previous checksum of contents matched
            exit 0;
        fi
    fi
fi

and later down in the file (around line 116) I see:

rm -f $KeyStore 2> /dev/null
JavaCmd=`/usr/local/sipx/bin/sipx-config --java`
echo -e "$Password\n$Password" |
$JavaCmd \
    -classpath /usr/local/sipx/share/java/sipXecs/sipXconfig/sipxconfig.jar \
    org.mortbay.util.PKCS12Import $KeyStorePkcs12 $KeyStore > /dev/null 2>&1
---------------------------------------------------------------------------------------------------------

Seems to imply that if the web-keys are present, the keystore gets
recomputed (clobbering the old keystore?)

Can somebody help me understand what is going on here?

Thank you!
--
M. Ranganathan
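
Added example, not part of the original message or of sipXecs: a read-only check of the suspicion raised above, that the keystore is fed from ssl-web.crt while the authorities directory only vouches for ssl.crt. It assumes $WebCertificate and $WebKey resolve to ssl-web.crt and ssl-web.key in the ssl directory and that the XML RPC client trusts only the CAs in authorities; the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch, not sipXecs code. Layout assumed from the thread:
#   <ssl_dir>/ssl.crt ssl.key [ssl-web.crt ssl-web.key] authorities/

# Mirror the selection in the create-ssl-keystore.sh excerpt: the web
# certificate and key, when present, replace the default pair.
keystore_cert() {
    if [ -f "$1/ssl-web.crt" ]; then echo "$1/ssl-web.crt"; else echo "$1/ssl.crt"; fi
}
keystore_key() {
    if [ -f "$1/ssl-web.key" ]; then echo "$1/ssl-web.key"; else echo "$1/ssl.key"; fi
}

# Succeed if any file in the authorities directory validates the certificate.
# The output is matched instead of the exit status because old openssl
# releases exit 0 from "verify" even when validation fails.
trusted_by_authorities() {
    cert=$1; auth_dir=$2
    for ca in "$auth_dir"/*; do
        [ -f "$ca" ] || continue
        if openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
            return 0
        fi
    done
    return 1
}

# Print one status line for the certificate that would feed the keystore.
report() {
    cert=$(keystore_cert "$1")
    if [ ! -f "$cert" ]; then
        echo "MISSING $cert"
    elif trusted_by_authorities "$cert" "$1/authorities"; then
        echo "TRUSTED $cert"
    else
        echo "UNTRUSTED $cert"
    fi
}

# Usage: sh check-keystore-cert.sh <ssl_dir>
if [ $# -gt 0 ]; then report "$1"; fi
```

An UNTRUSTED line for ssl-web.crt matches the "No trusted certificate found" symptom in the quoted log. openssl verify also consults the system default CA directory, so a web certificate issued by a public CA can show as TRUSTED here even though its CA is absent from authorities.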