[OpenSIPS-Devel] [opensips] File Cakey.pem is being generated with an error. Can't be loaded. (#582)

xrodpim notifications at github.com
Tue Jul 28 16:47:26 CEST 2015


Hi.

=============================
1 - What is happening
==============================
I have generated the files needed to use TLS with OpenSIPS 2.2 (CA, key, etc.). However, the file cakey.pem is generated with some issue in the passphrase and can't be loaded. In this case, OpenSIPS doesn't start. On the other hand, when I replace those files with others that I had generated in 2014 by following a tutorial for another system (RabbitMQ), I succeed in starting OpenSIPS.

=============================
2 - How to reproduce the issue
=============================
a - follow the instructions from page http://www.opensips.org/Documentation/Tutorials-TLS-2-1
b - use the OpenSIPS from the branch master (version 2.2)
c - use a configuration like this:

loadmodule "proto_tls.so"
modparam("proto_tls", "verify_cert", "1")
modparam("proto_tls", "require_cert", "0")
modparam("proto_tls", "tls_method", "TLSv1")
modparam("proto_tls", "certificate", "tls_cnf/tls/rootCA/cacert.pem")
modparam("proto_tls", "private_key", "tls_cnf/tls/rootCA/private/cakey.pem")
modparam("proto_tls", "ca_list", "tls_cnf/tls/rootCA/cacert.pem")
modparam("proto_tls", "ca_dir", "tls_cnf/tls/rootCA/")

d - finally, try to start OpenSIPS

================================
3 - What is the log?
================================
In the log, we can see:
Jul 27 18:02:02 [13783] WARNING:proto_tls:mod_init: disabling compression due ZLIB problems
...
...
Enter passphrase for tls_cnf/tls/rootCA/private/cakey.pem:
Jul 27 18:02:02 [13783] ERROR:proto_tls:load_private_key: unable to load private key file 'tls_cnf/tls/rootCA/private/cakey.pem'.

================================
4 - How to prove that the problem exists
================================
a - go to the path tls_cnf/tls/rootCA/private/
b - cp your_key your_key.bak
c - openssl rsa -in your_key -out new_key
d - mv new_key your_key
e - finally, try to start OpenSIPS

===============================
5 - Suggestion to workaround and test
================================
a - Create other files (CA, key, etc.), but using openssl and other instructions. These other instructions can be seen below:


mkdir testca
cd testca
sudo mkdir certs private
sudo chmod 700 private
echo 01 | sudo tee serial    # the serial file must contain 01
sudo chmod 777 serial
sudo touch index.txt
sudo openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=OpenSIPSCA/ -nodes
sudo openssl x509 -in cacert.pem -out cacert.cer -outform DER
cd ..
sudo mkdir server
cd server
sudo openssl genrsa -out key.pem 2048
sudo openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=OpenSIPSServer/O=server/ -nodes
cd ../testca
sudo openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions
cd ../server
sudo openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:secretWord
cd ..
sudo mkdir client
cd client
sudo openssl genrsa -out key.pem 2048
sudo openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=arm/O=client/ -nodes
cd ../testca
sudo openssl ca -config openssl.cnf -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions
cd ../client
sudo openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:secretWord
===============================================================================

The content of the file openssl.cnf can be:

[ ca ]
default_ca = testca

[ testca ]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial

default_crl_days = 7
default_days = 365
default_md = sha1

policy = testca_policy
x509_extensions = certificate_extensions

[ testca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha1
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = hostname

[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign

[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = keyEncipherment


============================================================================

Hopefully, this ticket will help to solve the issue.

Best regards.
Rodrigo Pimenta Carvalho.

---
Reply to this email directly or view it on GitHub:
https://github.com/OpenSIPS/opensips/issues/582
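A preflight check for the failure described in sections 3 and 4 of the report, added here as an example (it is neither part of the ticket nor OpenSIPS code): it pulls the "private_key" path out of a proto_tls configuration and reports whether that PEM file is passphrase-protected, which is what makes opensips stop at "Enter passphrase for ..." and then fail in load_private_key. The sample key and cfg files it writes are constructed (fake key bodies), and relative key paths are assumed to be resolved from the current directory.

```shell
#!/bin/sh
# Preflight check for OpenSIPS proto_tls (added example, not from the ticket
# or from OpenSIPS): is the configured private key passphrase-protected?

# Extract the private_key path from a proto_tls modparam line in a cfg file.
private_key_from_cfg() {
    sed -n 's/^[[:space:]]*modparam("proto_tls",[[:space:]]*"private_key",[[:space:]]*"\([^"]*\)").*/\1/p' "$1" | head -n 1
}

# Print one word for a PEM file: plain | encrypted | invalid.
# Always exits 0 so it is safe inside $(...) under "set -e".
key_encryption_status() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo invalid
    elif grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo encrypted                      # PKCS#8 key encrypted by openssl
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$f" && grep -q '^DEK-Info:' "$f"; then
        echo encrypted                      # traditional PEM with a passphrase
    elif grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo plain                          # loads without a prompt
    else
        echo invalid
    fi
}

# Status of the key a cfg points to (relative paths taken from the current
# directory, as when opensips is started from there).
check_opensips_tls_key() {
    key=$(private_key_from_cfg "$1")
    [ -n "$key" ] || { echo invalid; return 0; }
    key_encryption_status "$key"
}

# Constructed sample files (fake key bodies, not real keys) so the check can be
# tried offline: enc.pem mimics a passphrase-protected key, plain.pem a -nodes key.
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'QUJDREVGR0hJSktMTU5PUA==' \
        '-----END RSA PRIVATE KEY-----' > "$1/enc.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'QUJDREVGR0hJSktMTU5PUA==' \
        '-----END RSA PRIVATE KEY-----' > "$1/plain.pem"
    printf 'loadmodule "proto_tls.so"\n modparam("proto_tls", "private_key", "%s")\n' \
        "$1/enc.pem" > "$1/opensips.cfg"
}
```

If the verdict is "encrypted", the key needs the passphrase removed (openssl rsa -in key -out new_key, as in section 4) before opensips will start unattended.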