beating around bushes, and finally seem to stomp on something that worked! Simply move the cert file locations from /home/asterisk/certs to /etc/asterisk/keys

[root@voip1 asterisk]# ls -l keys
total 36
-rw-r-----. 1 asterisk asterisk 1212 Jan 29 14:18 asterisk.crt
-rw-r-----. 1 asterisk asterisk  578 Jan 29 14:18 asterisk.csr
-rw-r-----. 1 asterisk asterisk  891 Jan 29 14:18 asterisk.key
-rw-r-----. 1 asterisk asterisk 2103 Jan 29 14:18 asterisk.pem
-rw-r-----. 1 asterisk asterisk 1749 Jan 29 14:18 ca.crt
-rw-r-----. 1 asterisk asterisk 3311 Jan 29 14:18 ca.key
-rw-r-----. 1 asterisk asterisk 1923 Jan 29 14:18 cert.pem
-rw-r-----. 1 asterisk asterisk 3570 Jan 29 14:18 fullchain.pem
-rw-r-----. 1 asterisk asterisk 1704 Jan 29 14:18 privkey.pem

and tls was established. With a self-signed cert, I'd need to add ca_list_file in the transport-tls section in /etc/pjsip.conf for it to fly.

[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0:5061
; ca_list_file = /etc/asterisk/keys/ca.crt
; cert_file = /etc/asterisk/keys/asterisk.crt
; priv_key_file = /etc/asterisk/keys/asterisk.key
cert_file = /etc/asterisk/keys/fullchain.pem
priv_key_file = /etc/asterisk/keys/privkey.pem
method = tlsv1_2
allow_reload = true

Not sure what was the nature of the problem. Maybe SELinux? There was no complaint from that department though.

Thanks for the help and suggestions,
--Ruisheng

On Fri, Jan 29, 2021 at 11:33 AM Ruisheng Peng <rp...@ifa.hawaii.edu> wrote:
> Thanks for the detailed explanation Michael.
>
> I stopped the current asterisk process (started by systemd), and restarted it
> as asterisk:
>
> [asterisk@voip1 ~]$ strace -f -o /home/asterisk/strace.log asterisk -fmq -vvv -C /etc/asterisk/asterisk.conf
>
> From the log there was no attempt to even open the cert file. I edited
> /etc/asterisk/pjsip.conf to add a "method = tlsv1" line to the
> transport-tls section. Rerun the strace command, and here is the part re cert
> files:
>
> 8189 stat("/home/asterisk/certs/asterisk.crt", {st_mode=S_IFREG|0640, st_size=1212, ...}) = 0
> 8189 geteuid() = 1002
> 8189 getegid() = 1002
> 8189 getuid() = 1002
> 8189 getgid() = 1002
> 8189 access("/home/asterisk/certs/asterisk.crt", R_OK) = 0
> 8189 stat("/home/asterisk/certs/asterisk.key", {st_mode=S_IFREG|0640, st_size=891, ...}) = 0
> 8189 geteuid() = 1002
> 8189 getegid() = 1002
> 8189 getuid() = 1002
> 8189 getgid() = 1002
> 8189 access("/home/asterisk/certs/asterisk.key", R_OK) = 0
> 8189 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 16
> 8189 setsockopt(16, SOL_SOCKET, 0xffff /* SO_??? */, [1], 4) = -1 ENOPROTOOPT (Protocol not available)
> 8189 setsockopt(16, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
> 8189 setsockopt(16, SOL_TCP, TCP_NODELAY, [1], 4) = 0
>
> The tls transport is not established in the end. Only the two hard phones
> using udp transport and a softphone using tcp transport are registered.
>
> Thanks,
> --Ruisheng
>
> On Thu, Jan 28, 2021 at 7:42 PM Michael Maier <m1278...@mailbox.org> wrote:
>>
>> On 27.01.21 at 22:57 Ruisheng Peng wrote:
>> > Thanks Michael for the suggestion! I've installed strace and assigned one
>> > of the endpoints (SOFTPHONE_B) to use transport-tls. Then run strace (as
>> > user asterisk):
>> >
>> > [asterisk@voip1 ~]$ strace asterisk -rx "module reload res_pjsip.so"
>>
>> You should use strace like this as root and from the very beginning of the start
>> of asterisk:
>>
>> strace -f -o /tmp/strace.log asterisk -vvv -mqf -C /etc/asterisk/asterisk.conf
>>
>> -f means to follow even forked processes, ... (see man page)
>> -o writes all the output to a file. You can search afterwards pretty easily for
>> the file (or the open call).
>>
>> You shouldn't do this in production but in the test environment!
>>
>> You have to run it as long as the error has happened.
>>
>>
>> Thanks
>> Michael
>>
>> --
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>
>> Check out the new Asterisk community forum at:
>> https://community.asterisk.org/
>>
>> New to Asterisk? Start here:
>> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-users
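Michael's advice in the thread is to run strace from the very start and then search the log for the cert file or the open call. The following script, an added example that is not part of the thread, automates that search over an `strace -f -o` log: it pulls out every syscall that names a certificate-like file, reports calls that failed (with their errno), lists files that were stat'ed or access-checked but never successfully opened (the symptom Ruisheng saw), and flags private keys whose st_mode is world-readable. The sample log is constructed from the lines quoted in the thread plus two invented lines (a failing openat on privkey.pem and a 0644 ca.key) so the failure paths are exercised; the file names, PID and modes are assumptions for the example, not observations from the original setup.

```python
"""Audit an strace log for certificate/key file access by a daemon such as Asterisk.

Added example, not code from the mailing-list thread. Uses only the standard library.
"""
import re

# Constructed sample modelled on the strace output quoted in the thread; the EACCES
# openat() and the 0644 ca.key line are invented to show how failures are reported.
SAMPLE_LOG = """\
8189 stat("/home/asterisk/certs/asterisk.crt", {st_mode=S_IFREG|0640, st_size=1212, ...}) = 0
8189 geteuid()                          = 1002
8189 getegid()                          = 1002
8189 access("/home/asterisk/certs/asterisk.crt", R_OK) = 0
8189 stat("/home/asterisk/certs/asterisk.key", {st_mode=S_IFREG|0640, st_size=891, ...}) = 0
8189 access("/home/asterisk/certs/asterisk.key", R_OK) = 0
8189 openat(AT_FDCWD, "/etc/asterisk/keys/privkey.pem", O_RDONLY) = -1 EACCES (Permission denied)
8189 openat(AT_FDCWD, "/etc/asterisk/keys/fullchain.pem", O_RDONLY) = 16
8189 stat("/etc/asterisk/keys/ca.key", {st_mode=S_IFREG|0644, st_size=3311, ...}) = 0
"""

CERT_EXT = (".crt", ".key", ".pem", ".csr")

# pid, syscall name, first quoted path argument, optional st_mode from a stat
# result, the return value, and an optional errno symbol after a negative return.
LINE_RE = re.compile(
    r'^(?P<pid>\d+)\s+(?P<call>\w+)\((?:[^"]*?)"(?P<path>[^"]+)"'
    r'(?:.*?st_mode=S_IFREG\|(?P<mode>0[0-7]+))?.*?\)\s*=\s*(?P<ret>-?\d+)'
    r'(?:\s+(?P<errno>E[A-Z]+))?'
)


def parse_strace(text):
    """Yield (pid, call, path, mode_or_None, ret, errno_or_None) for cert-like paths."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("path").endswith(CERT_EXT):
            continue
        mode = int(m.group("mode"), 8) if m.group("mode") else None
        yield (m.group("pid"), m.group("call"), m.group("path"),
               mode, int(m.group("ret")), m.group("errno"))


def audit(text):
    """Return {path: [findings]}: failed syscalls and world-readable private keys."""
    findings = {}
    for _pid, call, path, mode, ret, errno in parse_strace(text):
        notes = findings.setdefault(path, [])
        if ret < 0:
            notes.append(f"{call} failed: {errno}")
        # Private key material must not be readable by "others" (0o004 bit).
        if mode is not None and path.endswith((".key", "privkey.pem")) and mode & 0o004:
            notes.append(f"private key mode {mode:04o} is world-readable")
    return findings


def never_opened(text):
    """Paths the process looked at (stat/access) but never opened successfully."""
    seen, opened = set(), set()
    for _pid, call, path, _mode, ret, _errno in parse_strace(text):
        seen.add(path)
        if call in ("open", "openat") and ret >= 0:
            opened.add(path)
    return sorted(seen - opened)


if __name__ == "__main__":
    for path, notes in audit(SAMPLE_LOG).items():
        print(path, "->", "; ".join(notes) or "ok")
    print("looked at but never opened:", never_opened(SAMPLE_LOG))
```

Point the script at a real log with `audit(open("/tmp/strace.log").read())`; a file that shows up only in `never_opened()` while the transport stays down means the daemon checked the path but never read it (config not naming the file, or a reload that never reached the TLS setup), whereas an `EACCES` finding points at ownership, mode, or an LSM policy on the file.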