[OpenSIPS-Users] ERROR:tls_mgm:load_certificate: unable to load certificate
Mikhail
forfx at yandex.ru
Mon Apr 29 07:21:51 EDT 2019
Hello,
I have a problem with wss set up.
My steps:
set up centos 7
install opensips 2.4.5 from yum repo
install nginx and create a certificate with Let's Encrypt
certbot certonly --standalone --agree-tos --email myemail at mysite.com --webroot -w /opt/www/ws -d ws.mysite.com
then I have 4 files in /etc/letsencrypt/live/ws.mysite.com:
cert.pem chain.pem fullchain.pem privkey.pem
in opensips.cfg I added
listen=ws:ws.mysite.com:8088
listen=wss:ws.mysite.com:8443
loadmodule "proto_wss.so"
loadmodule "proto_ws.so"
loadmodule "proto_tls.so"
loadmodule "tls_mgm.so"
modparam("tls_mgm", "certificate", "/etc/letsencrypt/live/ws.mysite.com/fullchain.pem")
modparam("tls_mgm", "private_key", "/etc/letsencrypt/live/ws.mysite.com/privkey.pem")
modparam("tls_mgm", "verify_cert", "0")
modparam("tls_mgm", "require_cert", "0")
when I restart opensips it fails with these messages:
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:mod_init: initializing TLS management
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:mod_init: openssl version: OpenSSL 1.0.2k-fips 26 Jan 2017
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:mod_init: disabling compression due ZLIB problems
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:check_for_krb: KRB5 cipher KRB5-IDEA-CBC-SHA found
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:init_tls_dom: Processing TLS domain 'default'
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:init_ssl_ctx_behavior: client verification NOT activated. Weaker security.
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: ERROR:tls_mgm:load_certificate: unable to load certificate file '/etc/letsencrypt/live/ws.mysite.com/fullchain.pem'
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'default'
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: ERROR:core:init_mod: failed to initialize module tls_mgm
I tried different combinations of tls_mgm params (verify_cert, require_cert, tls_method) without success.
By the way, I found that tls_mgm doesn't know SSLv2 and SSLv3 as tls_methods:
ERROR:tls_mgm:tlsp_set_method: unsupported method [SSLv2]
but they are in the docs at
https://opensips.org/html/docs/modules/2.2.x/tls_mgm.html#idp169376
I tried to make custom certificates according to
https://www.opensips.org/Documentation/Tutorials-TLS-2-2 with no luck:
#modparam("tls_mgm", "certificate", "/root/tls_cnf/tls/user/user-cert.pem")
#modparam("tls_mgm", "private_key", "/root/tls_cnf/tls/user/user-privkey.pem")
#modparam("tls_mgm", "ca_list", "/root/tls_cnf/tls/user/user-calist.pem")
and I tried the built-in certificates:
#modparam("tls_mgm", "certificate", "/etc/opensips/tls/user/user-cert.pem")
#modparam("tls_mgm", "private_key", "/etc/opensips/tls/user/user-privkey.pem")
#modparam("tls_mgm", "ca_list", "/etc/opensips/tls/user/user-calist.pem")
and with them opensips starts successfully, but webrtc clients based on
jsip and sip.js libs can't connect:
opensips.log:
/usr/sbin/opensips[30683]: ERROR:proto_wss:tls_accept: New TLS connection from 111.111.111.111:41720 failed to accept
/usr/sbin/opensips[30683]: ERROR:proto_wss:tls_print_errstack: TLS errstack: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
/usr/sbin/opensips[30683]: ERROR:proto_wss:wss_read_req: cannot fix read connection
latest google chrome (74.0.3729.108) log:
sip-0.13.8.js:26437 WebSocket connection to 'wss://ws.mysite.com:8443/' failed: Error in connection establishment: net::ERR_CERT_AUTHORITY_INVALID
I looked into the sources and found that tls_mgm just calls the openssl function
SSL_CTX_use_certificate_chain_file, so it looks like the problem is in
openssl, but openssl is the latest from the repo - OpenSSL 1.0.2k-fips
I tested the certs with
openssl x509 -in /etc/letsencrypt/live/ws.mysite.com/fullchain.pem -text
and see no problem.
I set up https site and browsers open it and show cert as ok.
so what is the difference between the built-in and Let's Encrypt certificates,
and how to solve the problem? This is the question.
Laba Mikhail
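A stand-alone diagnostic for the failure in the post, added here as an example and not code from the post or from OpenSIPS: it checks that each file exists and is readable by the unprivileged uid/gid the daemon runs as (file bits plus every parent directory, following the symlink), then loads the pair through Python's `ssl` module, whose `load_cert_chain()` wraps the same `SSL_CTX_use_certificate_chain_file` call and surfaces OpenSSL's own error text rather than the module's one-line message. The service account's uid/gid is an assumption the caller supplies; the `openssl x509 -text` check in the post parses the file as whoever runs it and so never exercises those permissions.

```python
import os
import ssl
import stat

def _allows(st, uid, gid, u, g, o):
    # Classic owner/group/other bit test; supplementary groups and ACLs are ignored.
    bit = u if st.st_uid == uid else g if st.st_gid == gid else o
    return bool(st.st_mode & bit)

def readable_by(path, uid, gid):
    # True if uid/gid can read the file and traverse every directory above it.
    # The symlink target is checked too: Let's Encrypt 'live' entries point into 'archive'.
    if uid == 0:
        return True
    for p in {path, os.path.realpath(path)}:
        if not _allows(os.stat(p), uid, gid, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
            return False
        d = os.path.dirname(p)
        while d != os.path.dirname(d):
            if not _allows(os.stat(d), uid, gid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
                return False
            d = os.path.dirname(d)
    return True

def try_load_chain(cert, key):
    # Load the pair the way tls_mgm does: load_cert_chain() wraps
    # SSL_CTX_use_certificate_chain_file and then checks that the key matches the leaf,
    # surfacing OpenSSL's own error text instead of the module's one-line message.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert, key)
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)
    return True, "ok"

def diagnose(cert, key, uid, gid):
    # Findings for one certificate/private_key pair as seen by the service uid/gid
    # (the uid/gid the daemon runs as is an assumption the caller supplies).
    findings = []
    for p in (cert, key):
        if not os.path.exists(p):
            findings.append(f"{p}: does not exist")
        elif not readable_by(p, uid, gid):
            findings.append(f"{p}: not readable by uid {uid} (file or parent directory mode)")
    if not findings:
        ok, msg = try_load_chain(cert, key)
        if not ok:
            findings.append(f"OpenSSL refused the pair: {msg}")
    return findings
```

Call `diagnose()` with the two paths from opensips.cfg and the uid/gid the daemon actually runs as (from `id <service user>` on the host); an empty list means the pair loads the way tls_mgm would load it.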