<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>
Hello,<br>
</p>
<p>
I have a problem with the WSS setup.</p>
<p>
My steps:<br>
set up centos 7<br>
install opensips 2.4.5 from yum repo<br>
install nginx and create a certificate with letsencrypt<br>
certbot certonly --standalone --agree-tos --email <a
href="mailto:myemail@mysite.com" title="myemail@mysite.com"
class="mailto">myemail@mysite.com</a> --webroot -w /opt/www/ws
-d ws.mysite.com<br>
</p>
<p>
then I have 4 files in /etc/letsencrypt/live/ws.mysite.com<br>
cert.pem chain.pem fullchain.pem privkey.pem <br>
</p>
<p>
in opensips.cfg I added<br>
listen=ws:ws.mysite.com:8088<br>
listen=wss:ws.mysite.com:8443<br>
loadmodule "proto_wss.so"<br>
loadmodule "proto_ws.so"<br>
loadmodule "proto_tls.so"<br>
loadmodule "tls_mgm.so"<br>
modparam("tls_mgm",
"certificate","/etc/letsencrypt/live/ws.mysite.com/fullchain.pem")<br>
modparam("tls_mgm",
"private_key","/etc/letsencrypt/live/ws.mysite.com/privkey.pem")<br>
modparam("tls_mgm", "verify_cert", "0")<br>
modparam("tls_mgm", "require_cert", "0")<br>
</p>
<p>
when I restart opensips it fails with messages<br>
</p>
<p>
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]:
INFO:tls_mgm:mod_init: initializing TLS management<br>
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]:
INFO:tls_mgm:mod_init: openssl version: OpenSSL 1.0.2k-fips 26 Jan
2017<br>
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]:
INFO:tls_mgm:mod_init: disabling compression due ZLIB problems<br>
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]:
INFO:tls_mgm:check_for_krb: KRB5 cipher KRB5-IDEA-CBC-SHA found<br>
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]:
INFO:tls_mgm:init_tls_dom: Processing TLS domain 'default'<br>
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]:
INFO:tls_mgm:init_ssl_ctx_behavior: client verification NOT
activated. Weaker security.<br>
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]:
ERROR:tls_mgm:load_certificate: unable to load certificate file
'/etc/letsencrypt/live/ws.mysite.com/fullchain.pem'<br>
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]:
ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain
'default'<br>
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]:
ERROR:core:init_mod: failed to initialize module tls_mgm<br>
</p>
<p>
I tried different combinations of tls_mgm params (verify_cert,
require_cert, tls_method) without success.<br>
By the way, I found that tls_mgm doesn't know SSLv2 and SSLv3
tls_methods: ERROR:tls_mgm:tlsp_set_method: unsupported method
[SSLv2], but they are in the doc at
<a class="moz-txt-link-freetext" href="https://opensips.org/html/docs/modules/2.2.x/tls_mgm.html#idp169376">https://opensips.org/html/docs/modules/2.2.x/tls_mgm.html#idp169376</a><br>
</p>
<p>
I tried to make custom certificates according to <a
href="https://www.opensips.org/Documentation/Tutorials-TLS-2-2"
title="https://www.opensips.org/Documentation/Tutorials-TLS-2-2"
class="https">https://www.opensips.org/Documentation/Tutorials-TLS-2-2</a>
with no luck<br>
#modparam("tls_mgm", "certificate",
"/root/tls_cnf/tls/user/user-cert.pem")<br>
#modparam("tls_mgm", "private_key",
"/root/tls_cnf/tls/user/user-privkey.pem")<br>
#modparam("tls_mgm", "ca_list",
"/root/tls_cnf/tls/user/user-calist.pem")<br>
</p>
<p>
and I tried the built-in certificates:<br>
#modparam("tls_mgm", "certificate",
"/etc/opensips/tls/user/user-cert.pem")<br>
#modparam("tls_mgm", "private_key",
"/etc/opensips/tls/user/user-privkey.pem")<br>
#modparam("tls_mgm", "ca_list",
"/etc/opensips/tls/user/user-calist.pem")<br>
and with them opensips starts successfully, but WebRTC clients
based on the jsip and sip.js libs can't connect:<br>
opensips.log:<br>
/usr/sbin/opensips[30683]: ERROR:proto_wss:tls_accept: New TLS
connection from 111.111.111.111:41720 failed to accept<br>
/usr/sbin/opensips[30683]: ERROR:proto_wss:tls_print_errstack: TLS
errstack: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert
certificate unknown<br>
/usr/sbin/opensips[30683]: ERROR:proto_wss:wss_read_req: cannot
fix read connection<br>
</p>
<p>
latest google chrome (74.0.3729.108) log:<br>
sip-0.13.8.js:26437 WebSocket connection to '<a
title="wss://ws.mysite.com:8443/" class="wss">wss://ws.mysite.com:8443/</a>'
failed: Error in connection establishment:
net::ERR_CERT_AUTHORITY_INVALID<br>
</p>
<p>
I looked into the sources and found that tls_mgm just calls the openssl
function SSL_CTX_use_certificate_chain_file, so it looks like the
problem is in openssl, but openssl is the latest from the repo:
OpenSSL 1.0.2k-fips<br>
I tested the certs with<br>
openssl x509 -in /etc/letsencrypt/live/ws.mysite.com/fullchain.pem
-text<br>
and see no problem.<br>
I set up an https site, and browsers open it and show the cert as OK.<br>
</p>
<p>
So what is the difference between the built-in and letsencrypt
certificates?<br>
And how to solve the problem? This is the question.</p>
<p>Laba Mikhail<br>
</p>
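<p>A pre-flight check for the files handed to tls_mgm "certificate" and "private_key", added here as an example and not part of the original mail or of OpenSIPS: it splits the bundle into its PEM blocks, parses each one as SSL_CTX_use_certificate_chain_file has to, and confirms the leaf matches the private key. It assumes the openssl CLI, awk and mktemp are available and that the leaf certificate is the first block in the bundle, as in certbot's fullchain.pem.</p>

```shell
#!/bin/sh
# Added example, not from the original mail or the OpenSIPS project.
# Pre-flight check for the files given to tls_mgm "certificate" and
# "private_key" before (re)starting OpenSIPS. Assumes the openssl CLI,
# awk and mktemp; the leaf certificate is assumed to be the first PEM
# block in the bundle (certbot's fullchain.pem is laid out that way).

# check_tls_pair CHAIN_PEM KEY_PEM
# Exit status 0 only when both files are readable, every PEM block in
# CHAIN_PEM parses as an X.509 certificate (what
# SSL_CTX_use_certificate_chain_file needs) and the leaf's public key
# equals the public half of KEY_PEM. A reason is printed on failure.
check_tls_pair() {
    chain="$1"; key="$2"
    for f in "$chain" "$key"; do
        # A file that exists but is not readable by this user is the same
        # failure the daemon would report; show owner and mode to help.
        [ -r "$f" ] || { echo "cannot read $f: $(ls -ld "$f" 2>&1)"; return 1; }
    done
    tmp=$(mktemp -d) || return 1
    # Split the bundle into c1.pem (leaf), c2.pem, ... one block each.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$chain"
    [ -f "$tmp/c1.pem" ] || { echo "no CERTIFICATE block in $chain"; rm -rf "$tmp"; return 1; }
    count=0
    for f in "$tmp"/c*.pem; do
        if ! openssl x509 -noout -in "$f" 2>/dev/null; then
            echo "unparseable certificate block $(basename "$f") in $chain"
            rm -rf "$tmp"; return 1
        fi
        count=$((count + 1))
    done
    # Compare the SubjectPublicKeyInfo printed from the leaf with the one
    # derived from the private key; works for RSA and EC keys alike.
    cert_pub=$(openssl x509 -noout -pubkey -in "$tmp/c1.pem" 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    rm -rf "$tmp"
    [ -n "$key_pub" ] || { echo "cannot parse private key $key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "leaf certificate and private key do not match"; return 1; }
    echo "ok: $count certificate(s) in $chain, leaf matches $key"
    return 0
}

# Usage: check_tls_pair /etc/letsencrypt/live/ws.mysite.com/fullchain.pem \
#                       /etc/letsencrypt/live/ws.mysite.com/privkey.pem
```

Run it as the same user the OpenSIPS service runs as, so that the readability check reflects what the daemon sees rather than what root sees.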
</body>
</html>