On Wed, Dec 5, 2012 at 4:14 PM, Melcon Moraes <[email protected]> wrote:
> I'm having a hard time trying to update a certificate in my setup with two
> boxes:
>
> - Primary server has all the roles, but ACD
> - Secondary server has only ACD role
>
> I have read both wiki pages:
>
> http://wiki.sipfoundry.org/display/sipXecs/SSL+Certificates
> http://wiki.sipfoundry.org/display/sipXecs/SSL+Keys+and+Keystores
>
> and tried the /usr/bin/ssl-cert/gen-ssl-keys.sh script as described by
> the wiki. Everything is fine on primary but the certs on the second never
> get updated. I've already tried Sending profiles on System->Servers->
> <secondary server FQDN> and it didn't work.
>
> On primary, if I try sipxproc -n <fqdn of secondary> I receive:
> /usr/lib/ruby/1.8/net/http.rb:586:in `connect': certificate verify failed
> (OpenSSL::SSL::SSLError)
>
> At this point, I can't update any configuration on the secondary - in this
> case, ACD settings, because RPCs will fail on the SSL.
>
> What is the correct way to update certificates on all servers? Is the
> removal/re-adding the secondary server the only way to reconfigure SSL on
> it?
>
> What else do I need to check in both servers to find what's wrong?
>

In 4.4, when a secondary node is added, there is a script called
"initial-config" that gets executed. The initial-config script creates an
archive <location_name>.tar.gz that contains certificates for the secondary
host. The secondary host calls a service on primary, downloads this archive
and unpacks it.

Here is the fragment from this script that creates the certificates for the
secondary host:

# generate TLS credentials
@SIPX_BINDIR@/ssl-cert/gen-ssl-keys.sh \
    --newhost --workdir "@SIPX_VARDIR@/certdb" -d -s "${newHostname}" \
    || exit 1

@SIPX_BINDIR@/ssl-cert/install-cert.sh \
    --workdir "@SIPX_VARDIR@/certdb" --install-prefix "${INITIAL_CONFIG}" "${newHostname}" \
    || exit 1

Hope this helps
Mircea

> Thanks in advance.
>
> -
> MM
>
> _______________________________________________
> sipx-users mailing list
> [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-users/
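
Added example (not part of the original thread and not sipXecs code): a "certificate verify failed" error like the one quoted above means the peer's certificate did not chain to a CA the client trusts. The script below builds two throwaway CAs and one host certificate with the openssl command-line tool and shows how to check which CA a host certificate chains to. The function names, CA names, host name and file layout are constructed for illustration, and it is an assumption that the secondary still holds a certificate issued under a CA the primary no longer uses.

```shell
#!/bin/sh
# Added example: CA names, host name and file layout are constructed,
# not sipXecs paths. Requires the openssl command-line tool.

# chain_status CA_PEM CERT_PEM: print "trusted" if CERT chains to CA.
# Matches on openssl's "OK" line rather than relying on the exit
# status alone.
chain_status() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

# make_ca DIR NAME: create a self-signed CA key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert DIR CA HOST: create a host key and a certificate signed by CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 2 -out "$1/$3.crt" 2>/dev/null
}

# demo: the secondary holds a certificate from the old CA while the
# primary trusts only the regenerated one (assumed scenario).
demo() {
    d=$(mktemp -d) || return 1
    host=secondary.example.test
    make_ca "$d" old-ca && make_ca "$d" new-ca &&
        issue_cert "$d" old-ca "$host" || { rm -rf "$d"; return 1; }
    old=$(chain_status "$d/old-ca.crt" "$d/$host.crt")
    new=$(chain_status "$d/new-ca.crt" "$d/$host.crt")
    rm -rf "$d"
    echo "old-ca:$old new-ca:$new"
}

demo   # prints: old-ca:trusted new-ca:untrusted
```

On a real pair of hosts, chain_status can be pointed at the CA certificate one side trusts and the host certificate the other side presents; where those files live depends on the installation.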
