Scott - if there are issues, should they show up immediately? If you have to back out, is it still just as easy as regenerating the self-signed cert?

Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Grant Lang <[email protected]>
Date: Wed, 20 Jan 2010 07:42:07
To: '[email protected]'<[email protected]>; [email protected]<[email protected]>
Subject: RE: [sipx-users] SSL Cert help

Hi,

I have followed Scott's instructions below, converted the Go Daddy root and intermediate DER (exported from IE) certificates using OpenSSL and placed the two certificates into the authorities directory and then did a rehash, then restarted SipX. So far there are no errors in the sipx log directory and I can change the PIN with the TUI. Doing a reboot now to double check all settings and functionality are retained.

So it looks like this might actually work.

Anyone else care to try it and post results?

Cheers
Grant

From: [email protected] [mailto:[email protected]]
Sent: Wednesday, 20 January 2010 7:37 a.m.
To: Grant Lang; [email protected]
Subject: Re: [sipx-users] SSL Cert help

That is as far as I made it. I stopped when Scott Lawrence wrote the part below. I'm just going to deal with the error messages until 4.2 I think. I'm out of time to tinker with it.

http://list.sipfoundry.org/archive/sipx-users/msg20684.html

"You need to install the certificate chain for the authority that issued your SSL cert. The fact that there's no easy way to do this is one of the problems with using external certificates in 4.0.

You can try this... get the certificate (or certificates... if the CA uses a chain, you need them all) from the CA in PEM format. Copy the certificates into the directory /etc/sipxpbx/ssl/authorities, and then run /usr/bin/ssl-cert/ca_rehash and restart your sipXecs processes.

Warning: this feature is buggy. This may make things worse. If you need a reliable system, go back to the internal certs and wait for 4.2"

On 1/19/2010 12:03 PM, Grant Lang wrote:

Hi,

Yup that's a problem.
There are errors in that log around not being able to find the Go Daddy Certificate:

OsSSL::verifyCallback invalid certificate at depth 0 error='unable to get local issuer certificate' issuer='/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287'

Question is what could we do to fix it? Changing the PIN from the GUI works fine, what else could it possibly affect?

Cheers
Grant

________________________________
From: [email protected]<mailto:[email protected]> [[email protected]<mailto:[email protected]>]
Sent: Wednesday, 20 January 2010 7:00 a.m.
To: Grant Lang
Cc: Tony Graziano; [email protected]<mailto:[email protected]>
Subject: Re: [sipx-users] SSL Cert help

Look in /var/log/sipxpbx/mediaserver_cgi.log

On 1/19/2010 11:58 AM, Grant Lang wrote:

Hi,

sipxproc looks fine to me but I cannot seem to change the PIN using a phone:

[r...@sipxserver ~]# sipxproc -state
{"tate"=>false}
[r...@sipxserver ~]# sipxproc
{"FreeSWITCH"=>"Running", "sipXmrtg"=>"Running", "SIPRegistrar"=>"Running", "ParkServer"=>"Running", "ConfigAgent"=>"Running", "CallResolver"=>"Running", "ACDServer"=>"Running", "SIPStatus"=>"Running", "ConfigServer"=>"Running", "CallResolver-Agent"=>"Disabled", "SipXbridge"=>"Running", "MediaServer"=>"Running", "sipXivr"=>"Running", "PageServer"=>"Running", "PresenceServer"=>"Running", "ResourceListServer"=>"Running", "SipXrelay"=>"Running", "SIPXProxy"=>"Running"}
[r...@sipxserver ~]#

However the installation might not be perfect as I have been messing with it around the certificates, so a fresh install and re-test will be next to make sure that changing the certificate does work as expected.

Cheers
Grant

________________________________
From: Tony Graziano [[email protected]<mailto:[email protected]>]
Sent: Tuesday, 19 January 2010 10:28 p.m.
To: Grant Lang
Cc: Jeff Gilmore; [email protected]<mailto:[email protected]>
Subject: Re: [sipx-users] SSL Cert help

does: sipxproc --state show anything strange? Are you able to change your voicemail pin from a handset after doing this?

On Tue, Jan 19, 2010 at 2:06 AM, Grant Lang <[email protected]<mailto:[email protected]>> wrote:

Hi,

I think I have a possible solution. I was reading through some of the files and posts and there was an important statement, not sure on the relevance, but here goes.

Following Jeff's instructions create a GoDaddy certificate in /root/sslcert (or wherever) and run all the commands up to the last one but don't install it. The important part I read was that the Web Certs aren't checked against the installed CA installed in the authorities directory, so in the /etc/sipxpbx/ssl directory rename the three *-web.* files and replace with the relevant GoDaddy cert files naming them to ssl-web.* (where * is crt or keystore or key).

I did this, restarted SipXecs services and everything I have tested works, along with having a SSL browser that validates the CA etc no problem. I then rebooted and everything still works as expected.

I expect this will work with any SSL cert where a relevant CA is available like an MS CA or in my case an external CA.

Now I haven't tested absolutely everything so those out there that want to test please post findings. Perhaps this is what the Web Certificates page is for, but it doesn't work.

Cheers
Grant

From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Jeff Gilmore
Sent: Tuesday, 19 January 2010 7:55 a.m.
To: [email protected]<mailto:[email protected]>
Subject: Re: [sipx-users] SSL Cert help

Thanks all for insights. I'm not sure what went wrong, but have successfully backed out of it by simply running /usr/bin/ssl-cert/gen-ssl-keys.sh then /usr/bin/ssl-cert/install-cert.sh.
My copy of /usr/bin/ssl-cert/gen-ssl-keys.sh still has the 2048 byte key change, and it seemed to work OK. I'll live with the browser warnings for now...

Jeff

_______________________________________________
sipx-users mailing list [email protected]<mailto:[email protected]>
List Archive: http://list.sipfoundry.org/archive/sipx-users
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
sipXecs IP PBX -- http://www.sipfoundry.org/

--
======================
Tony Graziano, Manager
Telephone: 434.984.8430
Fax: 434.984.8431
Email: [email protected]<mailto:[email protected]>

LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
Fax: 434.984.8427
Helpdesk Contract Customers: http://www.myitdepartment.net/gethelp/

Why do mathematicians always confuse Halloween and Christmas? Because 31 Oct = 25 Dec.
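Added example, not part of the original thread and not sipXecs code: the procedure discussed above (convert the DER exports to PEM, put every CA in the chain into an authorities directory, hash it) run against a scratch directory with a constructed root, intermediate and server certificate. It shows that installing only the root still leaves the server certificate failing to verify, which is the "unable to get local issuer certificate" case, and that adding the intermediate fixes it. The function and file names are assumptions, and the hash-link step stands in for whatever the rehash script does.

```shell
# Added example: all certificates and names below are constructed test data.

# Convert a DER certificate (e.g. a browser export) to PEM.
der_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }

# Copy PEM CA cert $1 into directory $2 and add the <subject-hash>.0 link
# OpenSSL's directory lookup needs (assumed to be what a rehash step does;
# a hash collision would need .1, .2, ... and is not handled here).
install_ca() {
    cp "$1" "$2/" &&
    ln -sf "$(basename "$1")" "$2/$(openssl x509 -hash -noout -in "$1").0"
}

# Succeeds only if cert $2 chains to CAs present in directory $1.
check_chain() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }

# Make a key + CSR for subject CN $2, using file stem $1.
new_csr() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Build a constructed root -> intermediate -> server chain under $1.
make_test_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    new_csr "$d/root" "Test Root" && new_csr "$d/int" "Test Intermediate" &&
    new_csr "$d/srv" "pbx.example.test" &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/srv.pem" 2>/dev/null &&
    openssl x509 -in "$d/int.pem" -outform DER -out "$d/int.der"
}

# Echoes "fail,ok": root alone is not enough, root + intermediate is.
demo() {
    t=$(mktemp -d) && mkdir "$t/authorities" && make_test_chain "$t" || return 1
    install_ca "$t/root.pem" "$t/authorities"
    check_chain "$t/authorities" "$t/srv.pem" && r1=ok || r1=fail
    der_to_pem "$t/int.der" "$t/int-conv.pem"   # DER export -> PEM
    install_ca "$t/int-conv.pem" "$t/authorities"
    check_chain "$t/authorities" "$t/srv.pem" && r2=ok || r2=fail
    rm -rf "$t"; echo "$r1,$r2"
}

demo
```

Running check_chain against a staged copy of the authorities directory before restarting services answers the back-out question early: a missing link in the chain shows up as a failed verify rather than as errors in the logs afterwards.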
