Re: [asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error

2021-02-01 Thread Ruisheng Peng
Thanks Sean for the note.  It does look like SELinux might have a hand in the
pot.   I did try with SELinux set to permissive and it made no difference,
though.  Keeping configuration related stuff under /etc/asterisk seems to
help.

--Ruisheng

On Mon, Feb 1, 2021 at 8:09 AM Sean Bright  wrote:

> Hi,
>
> On 1/26/2021 3:12 PM, Ruisheng Peng wrote:
>
> Transport: transport-tls: cert_file /home/asterisk/certs/asterisk.crt is either missing or not readable
>
>
> This error means that the file either does not exist or that Asterisk is
> not able to open it for reading. In your case it looks like the file exists
> so the Asterisk process was not able to read the file (this could be
> permissions or SELinux or whatever other reason). It never gets to actually
> trying to parse it as a certificate.
>
> The subsequent message mentioning "at line 24 of" is just a bug in the
> configuration framework, it is not referring to line 24 of the certificate
> file.
>
> Kind regards,
> Sean
-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error

2021-02-01 Thread Ruisheng Peng
Michael,

  There weren't any open or openat actions on the cert files (located under
/home/asterisk/certs).  The same is true for cert files located under
/etc/asterisk/keys:

24138 stat("/etc/asterisk/keys/fullchain.pem", {st_mode=S_IFREG|0640, st_size=3444, ...}) = 0
24138 geteuid() = 1002
24138 getegid() = 1002
24138 getuid()  = 1002
24138 getgid()  = 1002
24138 access("/etc/asterisk/keys/fullchain.pem", R_OK) = 0
24138 stat("/etc/asterisk/keys/privkey.pem", {st_mode=S_IFREG|0640, st_size=1704, ...}) = 0
24138 geteuid() = 1002
24138 getegid() = 1002
24138 getuid()  = 1002
24138 getgid()  = 1002
24138 access("/etc/asterisk/keys/privkey.pem", R_OK) = 0
24138 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 16
24138 setsockopt(16, SOL_SOCKET, 0x /* SO_??? */, [1], 4) = -1 ENOPROTOOPT (Protocol not available)
24138 setsockopt(16, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
24138 setsockopt(16, SOL_TCP, TCP_NODELAY, [1], 4) = 0
24138 bind(16, {sa_family=AF_INET, sin_port=htons(5061), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
24138 listen(16, 5) = 0
24138 ioctl(16, FIONBIO, [1])   = 0
24138 getsockopt(16, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
24138 epoll_ctl(11, EPOLL_CTL_ADD, 16, {EPOLLIN|EPOLLERR, {u32=23894976, u64=23894976}}) = 0
24138 accept(16, 0x1a765c0, [28])   = -1 EAGAIN (Resource temporarily unavailable)
24138 getsockname(16, {sa_family=AF_INET, sin_port=htons(5061), sin_addr=inet_addr("0.0.0.0")}, [16]) = 0

In the latter case transport-tls was successfully established.

On Fri, Jan 29, 2021 at 9:42 PM Michael Maier  wrote:

>
> On 29.01.21 at 22:33 Ruisheng Peng wrote:
> > Thanks for the detailed explanation Michael.
> >
> > I stopped the current asterisk process (started by systemd) and restarted it
> > as asterisk:
> >
> > [asterisk@voip1 ~]$ strace -f -o /home/asterisk/strace.log asterisk -fmq -vvv -C /etc/asterisk/asterisk.conf
> >
> >
> > From the log there was no attempt to even open the cert file.  I edited
> > /etc/asterisk/pjsip.conf to add a "method = tlsv1" line to the
> > transport-tls section, reran the strace command, and here is the part
> > regarding the cert files:
> >
> > 8189  stat("/home/asterisk/certs/asterisk.crt", {st_mode=S_IFREG|0640, st_size=1212, ...}) = 0
> > 8189  geteuid() = 1002
> > 8189  getegid() = 1002
> > 8189  getuid()  = 1002
> > 8189  getgid()  = 1002
> > 8189  access("/home/asterisk/certs/asterisk.crt", R_OK) = 0
> > 8189  stat("/home/asterisk/certs/asterisk.key", {st_mode=S_IFREG|0640, st_size=891, ...}) = 0
> > 8189  geteuid() = 1002
> > 8189  getegid() = 1002
> > 8189  getuid()  = 1002
> > 8189  getgid()  = 1002
> > 8189  access("/home/asterisk/certs/asterisk.key", R_OK) = 0
> > 8189  socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 16
> > 8189  setsockopt(16, SOL_SOCKET, 0x /* SO_??? */, [1], 4) = -1 ENOPROTOOPT (
>
> I'm missing the "open" (or "openat") and the following "read" call -
> weren't there any, or didn't you post them? These are the important calls!
> They will show whether the file is used at all (and possibly the reason
> why it is not used, e.g. EACCES).
>
>
> Thanks
> Michael
>
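A small probe, added here as an example and not code from Asterisk or pjsip, that repeats the stat()/access(R_OK) sequence in the trace above and then performs the open()/read() Michael asked about, classifying the result by errno. The PROBE_* names and the /tmp temp-file helper are my own.

```c
/* Added example, not Asterisk or pjsip code. It repeats the checks seen in the
 * strace above, stat() then access(R_OK), and then does what that trace never
 * shows: open() and read() the file as the current user. access(R_OK) == 0 only
 * proves the DAC mode bits allow reading; open() can still fail (SELinux, a
 * mount option, a parent directory without search permission), so the
 * open/openat line in strace is the one worth looking for. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
enum probe { PROBE_MISSING, PROBE_ACCESS_DENIED, PROBE_OPEN_FAILED,
             PROBE_NOT_PEM, PROBE_PEM_OK };
/* Classify a certificate path. If err is non-NULL it receives the errno of the
 * first failing call, or 0 on success. */
enum probe probe_cert_file(const char *path, int *err)
{
    struct stat st; char head[16] = {0};
    int fd, e = 0; ssize_t n; enum probe r;
    if (stat(path, &st) != 0)                 { e = errno; r = PROBE_MISSING; }
    else if (access(path, R_OK) != 0)         { e = errno; r = PROBE_ACCESS_DENIED; }
    else if ((fd = open(path, O_RDONLY)) < 0) { e = errno; r = PROBE_OPEN_FAILED; }
    else {                                    /* open(): the call the trace lacks */
        n = read(fd, head, sizeof head - 1);
        close(fd);
        if (n < 0)                            { e = errno; r = PROBE_OPEN_FAILED; }
        /* PEM begins with "-----BEGIN"; a non-PEM file fails later, in the
         * certificate parser, a step Asterisk never reached in this thread. */
        else r = strncmp(head, "-----BEGIN", 10) == 0 ? PROBE_PEM_OK : PROBE_NOT_PEM;
    }
    if (err) *err = e;
    return r;
}
/* Constructed input for testing: write contents to a temp file, probe, remove. */
enum probe probe_constructed(const char *contents)
{
    char path[] = "/tmp/certprobe-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return PROBE_MISSING;
    ssize_t w = write(fd, contents, strlen(contents));
    close(fd);
    enum probe r = w < 0 ? PROBE_MISSING : probe_cert_file(path, NULL);
    unlink(path);
    return r;
}
```

Run it as the asterisk user (for example via sudo -u asterisk) against the cert_file and priv_key_file paths; an access() of 0 followed by a failing open() is exactly the case the access() check alone cannot distinguish.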

Re: [asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error

2021-02-01 Thread Sean Bright

Hi,

On 1/26/2021 3:12 PM, Ruisheng Peng wrote:
Transport: transport-tls: cert_file /home/asterisk/certs/asterisk.crt is either missing or not readable


This error means that the file either does not exist or that Asterisk is 
not able to open it for reading. In your case it looks like the file 
exists so the Asterisk process was not able to read the file (this could 
be permissions or SELinux or whatever other reason). It never gets to 
actually trying to parse it as a certificate.


The subsequent message mentioning "at line 24 of" is just a bug in the 
configuration framework, it is not referring to line 24 of the 
certificate file.


Kind regards,
Sean