<p>Hi.</p>
<h1></h1>
<h1> 1- What is happening</h1>
<p>I have generated files needed to use TLS with OpenSIPS 2.2. CA, key, etc. However, the file cakey.pem is generated with some issue in the passphrase and can’t be loaded. In this case, OpenSIPs doesn't start. On the other hand, when I replace such files by others that I had generated in 2014, by following a tutorial from another system (RabbitMQ), I get success to start OpenSIPS.</p>
<h1></h1>
<h1>2 - How to reproduce the issue</h1>
<p>a - follow the instructions from page <a href="http://www.opensips.org/Documentation/Tutorials-TLS-2-1">http://www.opensips.org/Documentation/Tutorials-TLS-2-1</a><br>
b - use the OpenSIPS from the branch master (version 2.2)<br>
c - use a configuration like this:</p>
<p>loadmodule "proto_tls.so"<br>
modparam("proto_tls","verify_cert", "1")<br>
modparam("proto_tls","require_cert", "0")<br>
modparam("proto_tls","tls_method", "TLSv1")<br><br>
modparam("proto_tls", "certificate", "tls_cnf/tls/rootCA/cacert.pem")<br><br>
modparam("proto_tls", "private_key", "tls_cnf/tls/rootCA/private/cakey.pem")<br><br>
modparam("proto_tls", "ca_list", "tls_cnf/tls/rootCA/cacert.pem")<br><br>
modparam("proto_tls", "ca_dir", "tls_cnf/tls/rootCA/") </p>
<p>d - finally, try to start OpenSIPS</p>
<h1></h1>
<h1>3 - What is the log?</h1>
<p>In log, we can see:<br>
Jul 27 18:02:02 [13783] WARNING:proto_tls:mod_init: disabling compression due ZLIB problems<br>
...<br>
...<br>
Enter passphrase for tls_cnf/tls/rootCA/private/cakey.pem:<br>
Jul 27 18:02:02 [13783] ERROR:proto_tls:load_private_key: unable to load private key file 'tls_cnf/tls/rootCA/private/cakey.pem'.</p>
<h1></h1>
<h1>4 - How to prove that the problem exists</h1>
<p>a - go to the path tls_cnf/tls/rootCA/private/<br>
b - cp your_key your_key.bak<br>
c - openssl rsa -in your_key -out new_key<br>
d - mv new_key your_key<br>
e - finally, try to start OpenSIPS</p>
<h1></h1>
<h1>5 - Suggestion to workaround and test</h1>
<p>a - Create another files (CA, key, etc), but using openssl and others instructions. This others instructions can be seen below:</p>
<p>mkdir testca<br>
cd testca<br>
sudo mkdir certs private<br>
sudo chmod 700 private<br>
vi serial (edit this file and write 01 on it)<br>
sudo chmod 777 serial<br>
sudo touch index.txt<br>
sudo openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=OpenSIPSCA/ -nodes<br>
sudo openssl x509 -in cacert.pem -out cacert.cer -outform DER<br>
cd ..<br>
sudo mkdir server<br>
cd server<br>
sudo openssl genrsa -out key.pem 2048<br>
sudo openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=OpenSIPSServer/O=server/ -nodes<br>
cd ../testca<br>
sudo openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions<br>
cd ../server<br>
sudo openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:secretWord<br>
cd ..<br>
sudo mkdir client<br>
cd client<br>
sudo openssl genrsa -out key.pem 2048<br>
sudo openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=arm/O=client/ -nodes<br>
cd ../testca<br>
sudo openssl ca -config openssl.cnf -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions<br>
cd ../client</p>
<h1>sudo openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:secretWord</h1>
<p>The content of the file openssl.cnf, can be:</p>
<p>[ ca ]<br>
default_ca = testca</p>
<p>[ testca ]<br>
dir = .<br>
certificate = $dir/cacert.pem<br>
database = $dir/index.txt<br>
new_certs_dir = $dir/certs<br>
private_key = $dir/private/cakey.pem<br>
serial = $dir/serial</p>
<p>default_crl_days = 7<br>
default_days = 365<br>
default_md = sha1</p>
<p>policy = testca_policy<br>
x509_extensions = certificate_extensions</p>
<p>[ testca_policy ]<br>
commonName = supplied<br>
stateOrProvinceName = optional<br>
countryName = optional<br>
emailAddress = optional<br>
organizationName = optional<br>
organizationalUnitName = optional</p>
<p>[ certificate_extensions ]<br>
basicConstraints = CA:false</p>
<p>[ req ]<br>
default_bits = 2048<br>
default_keyfile = ./private/cakey.pem<br>
default_md = sha1<br>
prompt = yes<br>
distinguished_name = root_ca_distinguished_name<br>
x509_extensions = root_ca_extensions</p>
<p>[ root_ca_distinguished_name ]<br>
commonName = hostname</p>
<p>[ root_ca_extensions ]<br>
basicConstraints = CA:true<br>
keyUsage = keyCertSign, cRLSign</p>
<p>[ client_ca_extensions ]<br>
basicConstraints = CA:false<br>
keyUsage = digitalSignature<br>
extendedKeyUsage = 1.3.6.1.5.5.7.3.2</p>
<p>[ server_ca_extensions ]<br>
basicConstraints = CA:false<br>
keyUsage = keyEncipherment</p>
<h1></h1>
<p>Hopefully, this opened ticket will serve to help to solve the issue.</p>
<p>Best regards.<br>
Rodrigo Pimenta Carvalho.</p>
<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br>Reply to this email directly or <a href="https://github.com/OpenSIPS/opensips/issues/582">view it on GitHub</a>.<img alt="" height="1" src="https://github.com/notifications/beacon/AFOciY3t9hWmV_bnljWR-m7R4ZE9jifoks5oh41-gaJpZM4FhP-J.gif" width="1" /></p>
<div itemscope itemtype="http://schema.org/EmailMessage">
<div itemprop="action" itemscope itemtype="http://schema.org/ViewAction">
<link itemprop="url" href="https://github.com/OpenSIPS/opensips/issues/582"></link>
<meta itemprop="name" content="View Issue"></meta>
</div>
<meta itemprop="description" content="View this Issue on GitHub"></meta>
</div>