Hello Mikhail,

If you are still just learning for yourself by experimenting and local circuit 
testing, then it really might help you to properly generate your own self-signed 
certificates.

If you can search out how to do this yourself, and do just only that 
consistently, then you would be in a significantly better position in many other 
respects here.

I can tell you there is enough information around on the web to help you do 
this.

I can tell you I failed myself on my very first and several successive attempts.

I can tell you it is very simple and very easy once you find how to do this.


Alex


From: Users [mailto:[email protected]] On Behalf Of Mikhail
Sent: Monday, 29 April 2019 8:52 PM
To: [email protected]
Subject: [OpenSIPS-Users] ERROR:tls_mgm:load_certificate: unable to load certificate


Hello,

I have a problem with the WSS setup.

My steps:
- set up CentOS 7
- install opensips 2.4.5 from the yum repo
- install nginx and create a certificate with Let's Encrypt:
  certbot certonly --standalone --agree-tos --email [email protected] --webroot -w /opt/www/ws -d ws.mysite.com

Then I have 4 files in /etc/letsencrypt/live/ws.mysite.com:
cert.pem chain.pem fullchain.pem privkey.pem

In opensips.cfg I added:
listen=ws:ws.mysite.com:8088
listen=wss:ws.mysite.com:8443
loadmodule "proto_wss.so"
loadmodule "proto_ws.so"
loadmodule "proto_tls.so"
loadmodule "tls_mgm.so"
modparam("tls_mgm", "certificate", "/etc/letsencrypt/live/ws.mysite.com/fullchain.pem")
modparam("tls_mgm", "private_key", "/etc/letsencrypt/live/ws.mysite.com/privkey.pem")
modparam("tls_mgm", "verify_cert", "0")
modparam("tls_mgm", "require_cert", "0")

When I restart opensips it fails with these messages:

Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:mod_init: initializing TLS management
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:mod_init: openssl version: OpenSSL 1.0.2k-fips 26 Jan 2017
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:mod_init: disabling compression due ZLIB problems
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:check_for_krb: KRB5 cipher KRB5-IDEA-CBC-SHA found
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:init_tls_dom: Processing TLS domain 'default'
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:init_ssl_ctx_behavior: client verification NOT activated. Weaker security.
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: ERROR:tls_mgm:load_certificate: unable to load certificate file '/etc/letsencrypt/live/ws.mysite.com/fullchain.pem'
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'default'
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: ERROR:core:init_mod: failed to initialize module tls_mgm

I tried different combinations of tls_mgm params (verify_cert, require_cert, 
tls_method) without success.
By the way, I found that tls_mgm doesn't know the SSLv2 and SSLv3 tls_methods 
(ERROR:tls_mgm:tlsp_set_method: unsupported method [SSLv2]), but they are in the doc 
at https://opensips.org/html/docs/modules/2.2.x/tls_mgm.html#idp169376

I tried to make custom certificates according to 
https://www.opensips.org/Documentation/Tutorials-TLS-2-2 with no luck:
#modparam("tls_mgm", "certificate", "/root/tls_cnf/tls/user/user-cert.pem")
#modparam("tls_mgm", "private_key", "/root/tls_cnf/tls/user/user-privkey.pem")
#modparam("tls_mgm", "ca_list", "/root/tls_cnf/tls/user/user-calist.pem")

And I tried the built-in certificates:
#modparam("tls_mgm", "certificate", "/etc/opensips/tls/user/user-cert.pem")
#modparam("tls_mgm", "private_key", "/etc/opensips/tls/user/user-privkey.pem")
#modparam("tls_mgm", "ca_list", "/etc/opensips/tls/user/user-calist.pem")
With them opensips starts successfully, but WebRTC clients based on the JsSIP 
and SIP.js libs can't connect:
opensips.log:
/usr/sbin/opensips[30683]: ERROR:proto_wss:tls_accept: New TLS connection from 111.111.111.111:41720 failed to accept
/usr/sbin/opensips[30683]: ERROR:proto_wss:tls_print_errstack: TLS errstack: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
/usr/sbin/opensips[30683]: ERROR:proto_wss:wss_read_req: cannot fix read connection

Latest Google Chrome (74.0.3729.108) log:
sip-0.13.8.js:26437 WebSocket connection to 'wss://ws.mysite.com:8443/' failed: Error in connection establishment: net::ERR_CERT_AUTHORITY_INVALID

I looked into the sources and found that tls_mgm just calls the openssl function 
SSL_CTX_use_certificate_chain_file, so it looks like the problem is in openssl, 
but openssl is the latest from the repo: OpenSSL 1.0.2k-fips.
I tested the certs with
openssl x509 -in /etc/letsencrypt/live/ws.mysite.com/fullchain.pem -text
and see no problem.
I set up an https site and browsers open it and show the cert as OK.

So what is the difference between the built-in and Let's Encrypt certificates?
And how to solve the problem - this is the question.

Laba Mikhail

_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
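The following script is an added example, not code from either message or from the OpenSIPS project. It does two things the thread touches on: it generates a throwaway self-signed certificate for a local wss test (Alex's suggestion), and it runs the checks that account for most tls_mgm "unable to load certificate file" failures when "openssl x509 -in" succeeds as root, since tls_mgm opens the file after OpenSIPS has dropped privileges. The hostname, directory and service-user name are placeholders; it assumes openssl in PATH.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a throwaway self-signed
# certificate for a local OpenSIPS wss test, then runs the checks behind most
# tls_mgm "unable to load certificate file" errors: readable by the OpenSIPS
# service user, PEM-parseable, key matches cert, leaf certificate first in the
# chain file. Paths, hostname and user name are placeholders.
set -u

# gen_selfsigned DIR HOST: write DIR/fullchain.pem and DIR/privkey.pem.
# A temporary config adds a SAN, which current browsers require even for tests.
# Browsers still report ERR_CERT_AUTHORITY_INVALID until they trust this cert.
gen_selfsigned() {
    mkdir -p "$1"
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        'x509_extensions = v3' '[dn]' "CN = $2" '[v3]' "subjectAltName = DNS:$2" \
        > "$1/san.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/san.cnf" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
}

# readable_by_user USER FILE: tls_mgm opens the file after OpenSIPS has dropped
# root, so a root-only path (certbot creates /etc/letsencrypt/live and archive
# with mode 0700) fails here even though "openssl x509 -in" works as root.
readable_by_user() {
    if [ "$(id -un)" = "$1" ]; then test -r "$2"
    else su -s /bin/sh "$1" -c "test -r '$2'" 2>/dev/null; fi
}

# is_pem_cert FILE: the file must start with a PEM certificate, not a key.
is_pem_cert() { openssl x509 -in "$1" -noout >/dev/null 2>&1; }

# key_matches_cert CERT KEY: compare the public key embedded in each.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# leaf_first CHAIN HOST: SSL_CTX_use_certificate_chain_file takes the first
# certificate as the server cert, so its subject must name the host, not a CA.
leaf_first() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null | grep -q "CN *= *$2"
}

# check_all USER CHAIN KEY HOST: exit status 0 only if every check passes.
check_all() {
    readable_by_user "$1" "$2" && readable_by_user "$1" "$3" &&
    is_pem_cert "$2" && key_matches_cert "$2" "$3" && leaf_first "$2" "$4"
}

# Usage: generate into a temp dir and check it as the current user.
tmp=$(mktemp -d)
gen_selfsigned "$tmp" ws.example.test && check_all "$(id -un)" \
    "$tmp/fullchain.pem" "$tmp/privkey.pem" ws.example.test && echo "all checks pass"
```

Run check_all with the real service user (for example "opensips") against the Let's Encrypt paths from the config to see which of the four conditions fails on the box.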