[OpenSIPS-Users] ERROR:tls_mgm:load_certificate: unable to load certificate

Alexander Jankowsky E75A4669 at exemail.com.au
Mon Apr 29 08:37:10 EDT 2019 

 

Hello Mikhail,

 

If you are still just learning for yourself by experimenting and local circuit testing.

Then it really might help you to properly generate your own self signed certificates.

If you can search out how to do this yourself and to do just only that consistently.

Then you would be in a significantly better position in many other respects here.

I can tell you there is enough information around on the web to help you do this.

I can tell you I failed myself on my very first and several successive attempts.

I can tell you it is very simple and very easy once you find how to do this.

 

Alex

 

From: Users [mailto:users-bounces at lists.opensips.org] On Behalf Of Mikhail
Sent: Monday, 29 April 2019 8:52 PM
To: users at lists.opensips.org
Subject: [OpenSIPS-Users] ERROR:tls_mgm:load_certificate: unable to load certificate

 

Hello,

I have a problem with wss set up.

My steps:
set up centos 7
install opensips 2.4.5 from yum repo
install nginx and create certificate with letsencript
certbot certonly --standalone --agree-tos --email myemail at mysite.com <mailto:myemail at mysite.com>  --webroot -w /opt/www/ws -d ws.mysite.com

then I have 4 files in /etc/letsencrypt/live/ws.mysite.com
cert.pem chain.pem fullchain.pem privkey.pem 

in opensips.cfg i added
listen=ws:ws.mysite.com:8088
listen=wss:ws.mysite.com:8443
loadmodule "proto_wss.so"
loadmodule "proto_ws.so"
loadmodule "proto_tls.so"
loadmodule "tls_mgm.so"
modparam("tls_mgm", "certificate","/etc/letsencrypt/live/ws.mysite.com/fullchain.pem")
modparam("tls_mgm", "private_key","/etc/letsencrypt/live/ws.mysite.com/privkey.pem")
modparam("tls_mgm", "verify_cert", "0")
modparam("tls_mgm", "require_cert", "0")

when I restart opensips it fails with messages

Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:mod_init: initializing TLS management
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:mod_init: openssl version: OpenSSL 1.0.2k-fips 26 Jan 2017
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:mod_init: disabling compression due ZLIB problems
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:check_for_krb: KRB5 cipher KRB5-IDEA-CBC-SHA found
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:init_tls_dom: Processing TLS domain 'default'
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:init_ssl_ctx_behavior: client verification NOT activated. Weaker security.
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: ERROR:tls_mgm:load_certificate: unable to load certificate file '/etc/letsencrypt/live/ws.mysite.com/fullchain.pem'
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'default'
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: ERROR:core:init_mod: failed to initialize module tls_mgm

I tried different combitations of tls_mgm params - verify_cert require_cert tls_method without success,
by the way I found that tls_mgm dos'n know SSLv2 and SSLv3 - tls_methods: ERROR:tls_mgm:tlsp_set_method: unsupported method [SSLv2], but they are in doc at https://opensips.org/html/docs/modules/2.2.x/tls_mgm.html#idp169376

I tried to make custom serificates according to https://www.opensips.org/Documentation/Tutorials-TLS-2-2 with no luck
#modparam("tls_mgm", "certificate", "/root/tls_cnf/tls/user/user-cert.pem")
#modparam("tls_mgm", "private_key", "/root/tls_cnf/tls/user/user-privkey.pem")
#modparam("tls_mgm", "ca_list", "/root/tls_cnf/tls/user/user-calist.pem")

and I tried built in sertificats:
#modparam("tls_mgm", "certificate", "/etc/opensips/tls/user/user-cert.pem")
#modparam("tls_mgm", "private_key", "/etc/opensips/tls/user/user-privkey.pem")
#modparam("tls_mgm", "ca_list", "/etc/opensips/tls/user/user-calist.pem")
and with them opensips starts successfully, but webrtc clients based on jsip and sip.js libs can't connect:
opensips.log:
/usr/sbin/opensips[30683]: ERROR:proto_wss:tls_accept: New TLS connection from 111.111.111.111:41720 failed to accept
/usr/sbin/opensips[30683]: ERROR:proto_wss:tls_print_errstack: TLS errstack: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
/usr/sbin/opensips[30683]: ERROR:proto_wss:wss_read_req: cannot fix read connection

latest google chrome (74.0.3729.108) log:
sip-0.13.8.js:26437 WebSocket connection to 'wss://ws.mysite.com:8443/' failed: Error in connection establishment: net::ERR_CERT_AUTHORITY_INVALID

I looked into sources and found that tls_mgm just calls openssl funcion SSL_CTX_use_certificate_chain_file so it looks like that problem is in openssl, but openssl is the latest from repo - OpenSSL 1.0.2k-fips
I tested serts with
openssl x509 -in /etc/letsencrypt/live/ws.mysite.com/fullchain.pem -text
and see no problem
I set up https site and browsers open it and show cert as ok.

so what is the difference between built in and letsencript certificates?
and how to solve the problem - this is the question.

Laba Mikhail

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20190429/72287482/attachment.html>

More information about the Users mailing list