Scott,

Replies in-line:

> On Tue, 2009-12-01 at 11:57 -0800, jnolen wrote:
> > Scott,
> >
> > Success. Started over and regenerated certificates.
>
> Great.
>
> > If I can indulge you with a few more questions. In the past,
> > certificates were generated as root. I had to change ownership of:
> >
> > authorities.jks
> > ca.hyipt1.hyoung.voice.key
> > ca.hyipt1.hyoung.voice.ser
> >
> > to sipxchange.
>
> You had to change those why? and when?

When I ran /usr/libexec/sipXecs/initial-config <hostname> as user sipxchange, the installation failed with permission errors on those 3 files:

Generating X.509 certificate signed by ca.hyipt1.hyoung.voice
Signature ok
subject=/C=ke/ST=Nairobi/L=Nairobi/O=hyoung/OU=VoIP Services/CN=hyipt2.hyoung.voice/[email protected]
Getting CA Private Key
Error opening CA Private Key ca.hyipt1.hyoung.voice.key
20324:error:0200100D:system library:fopen:Permission denied:bss_file.c:352:fopen('ca.hyipt1.hyoung.voice.key','r')
20324:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA Private Key
gen-ssl-keys.sh:Error: Failed to generate X.509 certificate

> > Should certs now be generated as user sipxchange?
>
> The certificate authority and the certificate for the master system are
> generated as root in the setup script (sipxecs-setup or
> sipxecs-setup-system, depending on whether you installed from rpms or
> the iso respectively).

Understood.

I generated the certificates as root, here were the initial ownerships and permissions after generation:

-rw-r--r-- 1 root       root       2100 Dec 1 22:42 authorities.jks
-rw-r--r-- 1 root       root       2264 Dec 1 22:21 ca.hyipt1.hyoung.voice.crt
-rw-r--r-- 1 root       root       1078 Dec 1 22:21 ca.hyipt1.hyoung.voice.csr
-rw-r--r-- 1 root       root       1060 Dec 1 22:21 ca.hyipt1.hyoung.voice.der
-rw------- 1 root       root       1675 Dec 1 22:21 ca.hyipt1.hyoung.voice.key
-rw-r--r-- 1 root       root          9 Dec 1 22:42 ca.hyipt1.hyoung.voice.ser
-rw-r--r-- 1 root       root       2133 Dec 1 22:21 hyipt1.hyoung.voice.crt
-rw-r--r-- 1 root       root        200 Dec 1 22:21 hyipt1.hyoung.voice_crt.cfg
-rw-r--r-- 1 root       root        867 Dec 1 22:21 hyipt1.hyoung.voice.csr
-rw-r----- 1 root       root        887 Dec 1 22:21 hyipt1.hyoung.voice.key
-rw-r--r-- 1 root       root       2769 Dec 1 22:21 hyipt1.hyoung.voice.keystore
-rw-r--r-- 1 root       root       3212 Dec 1 22:21 hyipt1.hyoung.voice.p12
-rw-r--r-- 1 sipxchange sipxchange 2133 Dec 1 22:42 hyipt2.hyoung.voice.crt
-rw-r--r-- 1 sipxchange sipxchange  200 Dec 1 22:42 hyipt2.hyoung.voice_crt.cfg
-rw-r--r-- 1 sipxchange sipxchange  867 Dec 1 22:42 hyipt2.hyoung.voice.csr
-rw-r--r-- 1 sipxchange sipxchange  917 Dec 1 22:42 hyipt2.hyoung.voice.der
-rw-r----- 1 sipxchange sipxchange  891 Dec 1 22:42 hyipt2.hyoung.voice.key
-rw-r--r-- 1 sipxchange sipxchange 2772 Dec 1 22:42 hyipt2.hyoung.voice.keystore
-rw-r--r-- 1 sipxchange sipxchange 3212 Dec 1 22:42 hyipt2.hyoung.voice.p12
-rw-r--r-- 1 root       root       2048 Dec 1 22:21 rnd_seed
-rw-r--r-- 1 root       root        224 Dec 1 22:21 SSL_DEFAULTS

> > Must the caName be the fqdn of the master and NOT the domain name?
>
> The caName can be anything you want if you run the gen-ssl-keys.sh
> directly - its name is essentially arbitrary (although, since it is used
> as part of a file name, there are some values that wouldn't work - don't
> get cute). The setup scripts use 'ca.' + the fully qualified hostname
> of the master more or less arbitrarily (it's unlikely to collide with
> values generated elsewhere).

Thanks.
I'm asking simply so it's clear how to recover if I run into this again on an upgrade.

Thanks again for the help,

jim
