<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-AU link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>Hello Mikhail,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>If you are still just learning for yourself by experimenting and local circuit testing.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>Then it really might help you to properly generate your own self signed certificates.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>If you can search out how to do this yourself and to do just only that consistently.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>Then you would be in a significantly better position in many other respects here.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>I can tell you there is enough information around on the web to help you do this.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>I can tell you I failed myself on my very first and several successive attempts.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>I can tell you it is very simple and very easy once you find how to do this.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>Alex<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'> Users [mailto:users-bounces@lists.opensips.org] <b>On Behalf Of </b>Mikhail<br><b>Sent:</b> Monday, 29 April 2019 8:52 PM<br><b>To:</b> users@lists.opensips.org<br><b>Subject:</b> [OpenSIPS-Users] ERROR:tls_mgm:load_certificate: unable to load certificate<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p>Hello,<o:p></o:p></p><p>I have a problem with wss set up.<o:p></o:p></p><p>My steps:<br>set up centos 7<br>install opensips 2.4.5 from yum repo<br>install nginx and create certificate with letsencript<br>certbot certonly --standalone --agree-tos --email <a href="mailto:myemail@mysite.com" title="myemail@mysite.com">myemail@mysite.com</a> --webroot -w /opt/www/ws -d ws.mysite.com<o:p></o:p></p><p>then I have 4 files in /etc/letsencrypt/live/ws.mysite.com<br>cert.pem chain.pem fullchain.pem privkey.pem <o:p></o:p></p><p>in opensips.cfg i added<br>listen=<a href="ws:ws.mysite.com:8088">ws:ws.mysite.com:8088</a><br>listen=<a href="wss:ws.mysite.com:8443">wss:ws.mysite.com:8443</a><br>loadmodule "proto_wss.so"<br>loadmodule "proto_ws.so"<br>loadmodule "proto_tls.so"<br>loadmodule "tls_mgm.so"<br>modparam("tls_mgm", "certificate","/etc/letsencrypt/live/ws.mysite.com/fullchain.pem")<br>modparam("tls_mgm", "private_key","/etc/letsencrypt/live/ws.mysite.com/privkey.pem")<br>modparam("tls_mgm", "verify_cert", "0")<br>modparam("tls_mgm", "require_cert", "0")<o:p></o:p></p><p>when I restart opensips it fails with messages<o:p></o:p></p><p>Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: <a href="INFO:tls_mgm:mod_init">INFO:tls_mgm:mod_init</a>: initializing TLS management<br>Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: <a href="INFO:tls_mgm:mod_init">INFO:tls_mgm:mod_init</a>: openssl version: OpenSSL 1.0.2k-fips 26 Jan 2017<br>Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: <a href="INFO:tls_mgm:mod_init">INFO:tls_mgm:mod_init</a>: disabling compression due ZLIB problems<br>Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: <a href="INFO:tls_mgm:check_for_krb">INFO:tls_mgm:check_for_krb</a>: KRB5 cipher KRB5-IDEA-CBC-SHA found<br>Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: <a href="INFO:tls_mgm:init_tls_dom">INFO:tls_mgm:init_tls_dom</a>: Processing TLS domain 'default'<br>Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: <a href="INFO:tls_mgm:init_ssl_ctx_behavior">INFO:tls_mgm:init_ssl_ctx_behavior</a>: client verification NOT activated. Weaker security.<br>Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: ERROR:tls_mgm:load_certificate: unable to load certificate file '/etc/letsencrypt/live/ws.mysite.com/fullchain.pem'<br>Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'default'<br>Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: ERROR:core:init_mod: failed to initialize module tls_mgm<o:p></o:p></p><p>I tried different combitations of tls_mgm params - verify_cert require_cert tls_method without success,<br>by the way I found that tls_mgm dos'n know SSLv2 and SSLv3 - tls_methods: ERROR:tls_mgm:tlsp_set_method: unsupported method [SSLv2], but they are in doc at <a href="https://opensips.org/html/docs/modules/2.2.x/tls_mgm.html#idp169376">https://opensips.org/html/docs/modules/2.2.x/tls_mgm.html#idp169376</a><o:p></o:p></p><p>I tried to make custom serificates according to <a href="https://www.opensips.org/Documentation/Tutorials-TLS-2-2" title="https://www.opensips.org/Documentation/Tutorials-TLS-2-2">https://www.opensips.org/Documentation/Tutorials-TLS-2-2</a> with no luck<br>#modparam("tls_mgm", "certificate", "/root/tls_cnf/tls/user/user-cert.pem")<br>#modparam("tls_mgm", "private_key", "/root/tls_cnf/tls/user/user-privkey.pem")<br>#modparam("tls_mgm", "ca_list", "/root/tls_cnf/tls/user/user-calist.pem")<o:p></o:p></p><p>and I tried built in sertificats:<br>#modparam("tls_mgm", "certificate", "/etc/opensips/tls/user/user-cert.pem")<br>#modparam("tls_mgm", "private_key", "/etc/opensips/tls/user/user-privkey.pem")<br>#modparam("tls_mgm", "ca_list", "/etc/opensips/tls/user/user-calist.pem")<br>and with them opensips starts successfully, but webrtc clients based on jsip and sip.js libs can't connect:<br>opensips.log:<br>/usr/sbin/opensips[30683]: ERROR:proto_<a href="wss:tls_accept">wss:tls_accept</a>: New TLS connection from 111.111.111.111:41720 failed to accept<br>/usr/sbin/opensips[30683]: ERROR:proto_<a href="wss:tls_print_errstack">wss:tls_print_errstack</a>: TLS errstack: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown<br>/usr/sbin/opensips[30683]: ERROR:proto_<a href="wss:wss_read_req">wss:wss_read_req</a>: cannot fix read connection<o:p></o:p></p><p>latest google chrome (74.0.3729.108) log:<br>sip-0.13.8.js:26437 WebSocket connection to 'wss://ws.mysite.com:8443/' failed: Error in connection establishment: net::ERR_CERT_AUTHORITY_INVALID<o:p></o:p></p><p>I looked into sources and found that tls_mgm just calls openssl funcion SSL_CTX_use_certificate_chain_file so it looks like that problem is in openssl, but openssl is the latest from repo - OpenSSL 1.0.2k-fips<br>I tested serts with<br>openssl x509 -in /etc/letsencrypt/live/ws.mysite.com/fullchain.pem -text<br>and see no problem<br>I set up https site and browsers open it and show cert as ok.<o:p></o:p></p><p>so what is the difference between built in and letsencript certificates?<br>and how to solve the problem - this is the question.<o:p></o:p></p><p>Laba Mikhail<o:p></o:p></p></div></body></html>