Sorry to bring this back up, but I am struggling again and not sure what to do.
I am trying to use my actual private key and cert from Peering Hub and I keep getting: SJWTRetErrPrvKeyInvalid = -151 I have done the following: openssl ec -in private.pem -check read EC key EC Key valid. writing EC key openssl x509 -text -noout -in public.crt and it shows the cert information and it is valid. I have kamailio:kamailio as the key/cert owners with chmod 640 permissions Does it matter that my cert is using .crt and not .pem? Any suggestions on what to do from here? This is working with libstirshaken but I am trying to migrate to secsipid. Thanks for any assistance! On Thu, Jun 20, 2024 at 9:33 PM Blake Ivey <[email protected]> wrote: > Disregard. It was my mistake. I had sp_key.pem in my kamailio config when > it was actually sp-key.pem. Doh. Took me way too long to see my mistake but > it is working now and adding the identity. Thanks for the help everyone! > > On Thu, Jun 20, 2024 at 8:43 PM Blake Ivey <[email protected]> wrote: > >> Thanks for the replies. I think I am understanding it better now. My >> issue now is I am getting this error: >> >> ERROR: {1 84911190 INVITE 9eea2bb8-aa08-123d-c0b5-5a8b7787aa29} secsipid >> [secsipid_mod.c:444]: ki_secsipid_add_identity_mode(): failed to get >> identity header body (-451) >> >> -451 = SJWTRetErrFileRead which I assume is either the certificate or the >> private key. I am able to download the certificate using the URL so I guess >> the key? I have permissions on the key as 600 (-rw-------) and the >> user:group for it is kamailio. >> >> It's still a self signed but I generated it with the TNAuthList, etc like >> a production certificate. I have stir/shaken working on s production >> machine but it uses libstirshaken and not secsipid. >> >> Output of cert: >> >> Certificate: >> Data: >> Version: 3 (0x2) >> Serial Number: >> 35:a4:66:b0:ec:7b:3a:f2:e8:e4:fd:0d:f4:cc:56:f2:2c:0b:32:4d >> Signature Algorithm: ecdsa-with-SHA256 >> Issuer: C = US, ST = ME, L = New York, O = Bobs Phone Company, CN >> = sip-test.mydomain.net >> Validity >> Not Before: Jun 21 00:03:27 2024 GMT >> Not After : Sep 24 00:03:27 2026 GMT >> Subject: C = US, ST = VA, L = Somewhere, O = "AcmeTelecom, Inc.", >> OU = VOIP, CN = SHAKEN >> Subject Public Key Info: >> Public Key Algorithm: id-ecPublicKey >> Public-Key: (256 bit) >> pub: >> 04:b8:3f:ac:45:14:65:05:1f:df:bd:f4:3c:e5:39: >> 33:66:c4:06:59:90:8a:05:be:76:c2:55:49:48:95: >> 62:3d:7f:25:20:77:d2:fa:4d:60:eb:d8:72:d9:a8: >> a1:40:e0:51:ad:aa:d0:d3:4b:f1:03:4c:42:b6:d5: >> 01:0c:fb:48:b0 >> ASN1 OID: prime256v1 >> NIST CURVE: P-256 >> X509v3 extensions: >> 1.3.6.1.5.5.7.1.26: >> 0.....1001 >> X509v3 Subject Key Identifier: >> >> 9C:54:1E:90:7E:5D:58:F3:52:81:2F:E0:13:D6:2D:C2:FE:AE:A9:FB >> X509v3 Authority Key Identifier: >> >> 84:95:50:31:A8:E6:FE:EC:76:C6:C5:1C:EB:79:E5:AC:A8:54:CD:1C >> Signature Algorithm: ecdsa-with-SHA256 >> Signature Value: >> 30:46:02:21:00:b0:24:88:8e:cf:27:88:d0:d2:9c:c5:6b:2b: >> d3:c0:88:b1:2f:a6:da:fe:5b:fe:c8:41:f6:02:34:e1:99:eb: >> 69:02:21:00:9d:63:32:bc:0f:10:24:80:67:e3:c6:84:84:6d: >> c5:1a:d1:03:2b:19:34:34:34:51:a5:b6:64:9b:9f:db:eb:cb >> >> >> On Thu, Jun 20, 2024 at 5:33 PM David Villasmil < >> [email protected]> wrote: >> >>> this is what i do (i have a redirect server receive the INVITEs to be >>> signed, I add the header and then do 302, the initiating server then add it >>> to the INVITE and sends the invite out: >>> >>> if ($rm=="INVITE") { >>> $var(rc) = secsipid_add_identity("$(var(from){s.numeric})", >>> "$(var(to){s.numeric})", "A", "", " >>> https://pki.domain.com/stir-shaken-cert.pem";, >>> "/etc/kamailio/ec256-private.pem"); >>> >>> if ( $var(rc) > 0 ) { >>> msg_apply_changes(); >>> } else { >>> update_stat("stirshaken_create_identity_failed","+1"); >>> send_reply("503", "Service Unavailable - can not create Identity >>> header"); >>> exit; >>> } >>> >>> append_to_reply("Identity: $hdr(Identity)\r\n"); >>> } >>> sl_send_reply("302", "Redirect"); >>> exit; >>> >>> >>> hope that helps >>> >>> Regards, >>> >>> David Villasmil >>> email: [email protected] >>> >>> >>> >>> On Thu, Jun 20, 2024 at 11:14 PM Blake Ivey via sr-users < >>> [email protected]> wrote: >>> >>>> Hmm you are correct. I took it out and it started fine. So what exactly >>>> would I need for our outbound stirshaken? >>>> >>>> Just secsipid_add_identity? >>>> >>>> I guess I've been looking at this for too long today. Just lines and >>>> lines after a while. >>>> >>>> On Thu, Jun 20, 2024, 4:47 PM Ben Kaufman <[email protected]> wrote: >>>> >>>>> Except for `expire` and `timeout`, those parameters don’t exist for >>>>> secsip id- at least according to the module documentation: >>>>> https://kamailio.org/docs/modules/stable/modules/secsipid >>>>> >>>>> >>>>> >>>>> Regards, >>>>> >>>>> Kaufman >>>>> >>>>> >>>>> >>>>> *From:* Blake Ivey <[email protected]> >>>>> *Sent:* Thursday, June 20, 2024 3:39 PM >>>>> *To:* Ben Kaufman <[email protected]> >>>>> *Cc:* [email protected] >>>>> *Subject:* Re: [SR-Users] SecSIPID Assistance >>>>> >>>>> >>>>> >>>>> *CAUTION:* This email originated from outside the organization. *Do >>>>> not click links or open attachments* unless you recognize the sender >>>>> and know the content is safe. >>>>> >>>>> >>>>> >>>>> Sorry for the formatting: >>>>> >>>>> ERROR: <core> [core/modparam.c:185]: set_mod_param_regex(): parameter >>>>> <private_key> of type <1:string> not found in module <secsipid> >>>>> kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse >>>>> error in config file /etc/kamailio/kamailio.cfg, line 71, column 73: Can't >>>>> set module parameter >>>>> kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse >>>>> error in config file /etc/kamailio/kamailio.cfg, line 71, column 70: Can't >>>>> set module parameter >>>>> kamailio: ERROR: <core> [core/modparam.c:185]: set_mod_param_regex(): >>>>> parameter <key_path> of type <1:string> not found in module <secsipid> >>>>> >>>>> >>>>> >>>>> On Thu, Jun 20, 2024, 4:31 PM Ben Kaufman <[email protected]> wrote: >>>>> >>>>> What is the error you’re getting? >>>>> >>>>> >>>>> >>>>> Regards, >>>>> >>>>> Kaufman >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> *From:* Blake Ivey via sr-users <[email protected]> >>>>> *Sent:* Thursday, June 20, 2024 3:14 PM >>>>> *To:* Kamailio (SER) - Users Mailing List <[email protected] >>>>> > >>>>> *Cc:* Blake Ivey <[email protected]> >>>>> *Subject:* [SR-Users] SecSIPID Assistance >>>>> >>>>> >>>>> >>>>> *CAUTION:* This email originated from outside the organization. *Do >>>>> not click links or open attachments* unless you recognize the sender >>>>> and know the content is safe. >>>>> >>>>> >>>>> >>>>> Hi everyone. Wanting to see if someone could point me in the right >>>>> direction. Still very knew to Kamailio but I am beginning to understand it >>>>> better. I'm making an outbound proxy and have everything working well >>>>> besides stir/shaken. I'm looking at the module page and have went back and >>>>> forth with chatGPT and can't seem to figure this part out. I keep getting >>>>> errors on the modparam lines. >>>>> >>>>> >>>>> >>>>> Obviously this is a self signed cert because I'm just testing. I am >>>>> able to reach and download the cert from the Web server. >>>>> >>>>> >>>>> >>>>> Thank you for any assistance. >>>>> >>>>> >>>>> >>>>> # SECSIPID for Stir/Shaken >>>>> >>>>> modparam("secsipid", "private_key", >>>>> "/etc/kamailio/secsipid/private.key") >>>>> >>>>> modparam("secsipid", "certificate", "/etc/kamailio/secsipid/cert.crt") >>>>> >>>>> modparam("secsipid", "authority_cert", "/etc/kamailio/secsipid/ca.crt") >>>>> >>>>> modparam("secsipid", "expire", 600) modparam("secsipid", "timeout", 2) >>>>> >>>>> >>>>> >>>>> route[STIRSHAKEN] { >>>>> >>>>> if (is_method("INVITE")) { >>>>> >>>>> if (!secsipid_add_identity("$fU", "$rU", "A", "", " >>>>> http://myIPaddress.com/stir_shaken_cert.crt >>>>> <http://myipaddress.com/stir_shaken_cert.crt>", >>>>> "/etc/kamailio/secsipid/private.key")) { >>>>> >>>>> xlog("L_ERR", "Failed to sign call with ID: $ci - From: >>>>> $fU\n"); >>>>> >>>>> send_reply("500", "Internal Server Error"); >>>>> >>>>> exit; >>>>> >>>>> } else { >>>>> >>>>> xlog("L_INFO", "Successfully signed call with ID: $ci - >>>>> From: $fU\n"); >>>>> >>>>> } >>>>> >>>>> } >>>>> >>>>> >>>>> >>>>> # Relay the call after signing >>>>> >>>>> route(RELAY); >>>>> >>>>> } >>>>> >>>>> >>>>> >>>>> __________________________________________________________ >>>> Kamailio - Users Mailing List - Non Commercial Discussions >>>> To unsubscribe send an email to [email protected] >>>> Important: keep the mailing list in the recipients, do not reply only >>>> to the sender! >>>> Edit mailing list options or unsubscribe: >>>> >>>
__________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to [email protected] Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
