On 1/5/2011 1:16 PM, Matthew Kitchin (public/usenet) wrote:
> On 10/7/2010 8:34 AM, Geoff Van Brunt wrote:
>> I just did this yesterday in fact. I never could get the web gui
>> working, except for the CA certs. That required exporting in base-64
>> format and then changing the file extension to crt from cer, otherwise
>> they won't upload. I haven't gotten around to checking the tracker if an
>> issue has been created or not yet.
>>
>> At that point I had a heck of a time trying to get the certs updated. I
>> did this:
>>
>> mkdir $HOME/sslkeys
>> cd $HOME/sslkeys
>> /usr/bin/ssl-cert/gen-ssl-keys.sh
>>
>> I used the csr to generate a cert in our AD CA. One thing I had to do
>> was create a custom template. The regular Web Server cert was only for
>> Server Authentication purposes. The cert is also used in a client
>> fashion by TLS so you need to duplicate the Computer template and change
>> the security so only Admins can create the cert. Also you need to change
>> Subject Name tab to "Supply in Request" so you can obtain from the web
>> interface.
>>
> This is driving me absolutely crazy. I have built several 4.2.1
> servers with manual ssl cert installation. All of a sudden, I'm
> having the exact same problem you mention above. I have no idea why.
> See below for my error message. I have always selected web server
> template, but for some reason I have this issue now on a new server.
> The issued cert appears identical to the other ones that are working.
> This is not entirely a sipx question, but it is related and could help
> someone I suppose. By any chance is your cert server 2003 standard? I
> created the new template, but I can't seem to figure out how to
> publish the template. I've come across a few posts indicating it may
> need to be 2003 enterprise or 2008 r2. Any other ideas how I can
> resolve this?
>
> [r...@pbx ssl]# service sipxecs start
> Checking bootstrap setup: [ OK ]
> Checking TLS/SSL configuration: [FAILED]
> sipXpbx:
> sipXpbx: sipXpbx configuration problems found:
> sipXpbx:
> sipXpbx: Check TLS/SSL configuration
> sipXpbx: Invalid as client certificate.
> sipXpbx: /etc/sipxpbx/ssl/ssl.crt:
> /C=US/ST=Tennessee/L=Nashville/O=DSI/OU=VoIP
> Services/CN=pbx.in223.sipx.voip/[email protected]
> sipXpbx: error 26 at 0 depth lookup:unsupported certificate purpose
> sipXpbx: OK
> sipXpbx: SSL certificates: /etc/sipxpbx/ssl/ssl.crt
> sipXpbx: Check failed for /etc/sipxpbx/ssl/ssl.crt
>
I think I figured it out. I have only been copying over ssl-web.crt and
ssl-web.key. I have left ssl.crt and ssl.key alone. It wasn't on purpose,
but that is what I was doing. I looked at some of my other systems and
realized that was the case. I put the original ssl.crt and ssl.key back
on this system, and it is ok now. I guess that means I'm unintentionally
using 2 different certs for different purposes.... fun :)

>> Copy the certs back to the sslkeys directory. Copy the crt and key files
>> to //etc/sipxpbx/ssl. Rename them to ssl.crt and ssl.key. Copy them one
>> more time and rename to ssl-web.crt and ssl-web.key.
>> Delete the .keystore files. They no longer need to be generated by hand
>> as SipX does it on startup if they are missing.
>>
>> Copy any CA and intermediate files to //etc/sipxpbx/ssl/authorities.
>> /usr/bin/ssl-cert/ca_rehash
>>
>> Type "service sipxecs stop"
>> Type "service sipxecs start"
>>
>> That got me a working server.
>>
>> That was mostly due to the information you provided previously (thank
>> you) so I'm glad to give back. If you ever figure out how to upload via
>> the gui, let me know. I tried with the key and cert that I manually
>> generated and signed and it did not work even with the proper CA certs
>> already uploaded...
>>
>> Geoff Van Brunt
>> IT Manager
>> DST Consulting Engineers
>> _______________________________________________
>> sipx-users mailing list
>> [email protected]
>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
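
Added example, not part of the original thread and not sipXecs code: the "error 26 ... unsupported certificate purpose" failure discussed above can be reproduced and checked before a certificate is copied into place by running `openssl verify -purpose` for both TLS roles. The test CA, the hostname pbx.example.test and all function and file names below are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: throw-away CA and certificates constructed for the demo.
# Hostname, file names and function names are made up; nothing here is sipXecs code.

# Print whether CERT (chaining to CAFILE) verifies for TLS server and client use.
check_purposes() {
  local cert="$1" ca="$2" server=FAIL client=FAIL
  openssl verify -CAfile "$ca" -purpose sslserver "$cert" >/dev/null 2>&1 && server=OK
  openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1 && client=OK
  echo "server=$server client=$client"
}

# Create a constructed test CA (ca.key, ca.crt) in directory DIR.
make_ca() {
  local dir="$1"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -subj "/CN=Constructed Test CA" -out "$dir/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 1 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# Issue DIR/NAME.crt from the test CA with the given extendedKeyUsage list.
issue() {
  local dir="$1" name="$2" eku="$3"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
    -subj "/CN=pbx.example.test" -out "$dir/$name.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$eku" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# Issue one certificate of each kind and report what each is valid for.
demo() {
  local dir; dir=$(mktemp -d)
  make_ca "$dir"
  issue "$dir" webserver serverAuth             # Server Authentication only
  issue "$dir" computer  serverAuth,clientAuth  # server and client purposes
  echo "webserver: $(check_purposes "$dir/webserver.crt" "$dir/ca.crt")"
  echo "computer: $(check_purposes "$dir/computer.crt" "$dir/ca.crt")"
  rm -rf "$dir"
}

demo
# webserver: server=OK client=FAIL
# computer: server=OK client=OK
```

On a real system, `check_purposes` can be pointed at the issued certificate and a file containing the issuing CA chain; a `client=FAIL` result corresponds to the "Invalid as client certificate" check in the startup output quoted above.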
