Re: [asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
Thanks Sean for the note. It does look like SELinux might have a hand in the pot. I did try with the SELinux permission set to permissive and it made no difference though. Keeping configuration-related stuff under /etc/asterisk seems to help.

--Ruisheng

On Mon, Feb 1, 2021 at 8:09 AM Sean Bright wrote:

> Hi,
>
> On 1/26/2021 3:12 PM, Ruisheng Peng wrote:
>
> > Transport: transport-tls: cert_file /home/asterisk/certs/asterisk.crt is either missing or not readable
>
> This error means that the file either does not exist or that Asterisk is not able to open it for reading. In your case it looks like the file exists so the Asterisk process was not able to read the file (this could be permissions or SELinux or whatever other reason). It never gets to actually trying to parse it as a certificate.
>
> The subsequent message mentioning "at line 24 of" is just a bug in the configuration framework, it is not referring to line 24 of the certificate file.
>
> Kind regards,
> Sean

Re: [asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
Michael,

There weren't any open or openat actions on the cert files (located under /home/asterisk/certs). The same is true for cert files located under /etc/asterisk/keys:

24138 stat("/etc/asterisk/keys/fullchain.pem", {st_mode=S_IFREG|0640, st_size=3444, ...}) = 0
24138 geteuid() = 1002
24138 getegid() = 1002
24138 getuid() = 1002
24138 getgid() = 1002
24138 access("/etc/asterisk/keys/fullchain.pem", R_OK) = 0
24138 stat("/etc/asterisk/keys/privkey.pem", {st_mode=S_IFREG|0640, st_size=1704, ...}) = 0
24138 geteuid() = 1002
24138 getegid() = 1002
24138 getuid() = 1002
24138 getgid() = 1002
24138 access("/etc/asterisk/keys/privkey.pem", R_OK) = 0
24138 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 16
24138 setsockopt(16, SOL_SOCKET, 0x /* SO_??? */, [1], 4) = -1 ENOPROTOOPT (Protocol not available)
24138 setsockopt(16, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
24138 setsockopt(16, SOL_TCP, TCP_NODELAY, [1], 4) = 0
24138 bind(16, {sa_family=AF_INET, sin_port=htons(5061), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
24138 listen(16, 5) = 0
24138 ioctl(16, FIONBIO, [1]) = 0
24138 getsockopt(16, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
24138 epoll_ctl(11, EPOLL_CTL_ADD, 16, {EPOLLIN|EPOLLERR, {u32=23894976, u64=23894976}}) = 0
24138 accept(16, 0x1a765c0, [28]) = -1 EAGAIN (Resource temporarily unavailable)
24138 getsockname(16, {sa_family=AF_INET, sin_port=htons(5061), sin_addr=inet_addr("0.0.0.0")}, [16]) = 0

In the latter case transport-tls was successfully established.

On Fri, Jan 29, 2021 at 9:42 PM Michael Maier wrote:

> On 29.01.21 at 22:33 Ruisheng Peng wrote:
> > Thanks for the detailed explanation Michael.
> >
> > I stop the current asterisk process (started by systemd), and restart it as asterisk:
> >
> > [asterisk@voip1 ~]$ strace -f -o /home/asterisk/strace.log asterisk -fmq -vvv -C /etc/asterisk/asterisk.conf
> >
> > from the log there was no attempt to even open the cert file. I edited /etc/asterisk/pjsip.conf to add a "method = tlsv1" line to the transport-tls section. Rerun the strace command, and here the part re cert files:
> >
> > 8189 stat("/home/asterisk/certs/asterisk.crt", {st_mode=S_IFREG|0640, st_size=1212, ...}) = 0
> > 8189 geteuid() = 1002
> > 8189 getegid() = 1002
> > 8189 getuid() = 1002
> > 8189 getgid() = 1002
> > 8189 access("/home/asterisk/certs/asterisk.crt", R_OK) = 0
> > 8189 stat("/home/asterisk/certs/asterisk.key", {st_mode=S_IFREG|0640, st_size=891, ...}) = 0
> > 8189 geteuid() = 1002
> > 8189 getegid() = 1002
> > 8189 getuid() = 1002
> > 8189 getgid() = 1002
> > 8189 access("/home/asterisk/certs/asterisk.key", R_OK) = 0
> > 8189 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 16
> > 8189 setsockopt(16, SOL_SOCKET, 0x /* SO_??? */, [1], 4) = -1 ENOPROTOOPT (
>
> I'm missing the "open" (or "openat") and the following "read" call - weren't there any or didn't you post them? These are the important calls! They will show, if the file is used at all or not (and possibly the reason, why it is not used - EACCES e.g.).
>
> Thanks
> Michael

Re: [asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
Hi,

On 1/26/2021 3:12 PM, Ruisheng Peng wrote:

> Transport: transport-tls: cert_file /home/asterisk/certs/asterisk.crt is either missing or not readable

This error means that the file either does not exist or that Asterisk is not able to open it for reading. In your case it looks like the file exists so the Asterisk process was not able to read the file (this could be permissions or SELinux or whatever other reason). It never gets to actually trying to parse it as a certificate.

The subsequent message mentioning "at line 24 of" is just a bug in the configuration framework, it is not referring to line 24 of the certificate file.

Kind regards,
Sean

Re: [asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
On 29.01.21 at 22:33 Ruisheng Peng wrote:

> Thanks for the detailed explanation Michael.
>
> I stop the current asterisk process (started by systemd), and restart it as asterisk:
>
> [asterisk@voip1 ~]$ strace -f -o /home/asterisk/strace.log asterisk -fmq -vvv -C /etc/asterisk/asterisk.conf
>
> from the log there was no attempt to even open the cert file. I edited /etc/asterisk/pjsip.conf to add a "method = tlsv1" line to the transport-tls section. Rerun the strace command, and here the part re cert files:
>
> 8189 stat("/home/asterisk/certs/asterisk.crt", {st_mode=S_IFREG|0640, st_size=1212, ...}) = 0
> 8189 geteuid() = 1002
> 8189 getegid() = 1002
> 8189 getuid() = 1002
> 8189 getgid() = 1002
> 8189 access("/home/asterisk/certs/asterisk.crt", R_OK) = 0
> 8189 stat("/home/asterisk/certs/asterisk.key", {st_mode=S_IFREG|0640, st_size=891, ...}) = 0
> 8189 geteuid() = 1002
> 8189 getegid() = 1002
> 8189 getuid() = 1002
> 8189 getgid() = 1002
> 8189 access("/home/asterisk/certs/asterisk.key", R_OK) = 0
> 8189 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 16
> 8189 setsockopt(16, SOL_SOCKET, 0x /* SO_??? */, [1], 4) = -1 ENOPROTOOPT (

I'm missing the "open" (or "openat") and the following "read" call - weren't there any or didn't you post them? These are the important calls! They will show, if the file is used at all or not (and possibly the reason, why it is not used - EACCES e.g.).

Thanks
Michael

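[Added example, not part of the original thread.] The check asked for in the message above, whether a cert file was only probed with stat/access or actually reached open/openat, can be run over a `strace -f -o` log as sketched here. The sample log is constructed: its stat/access lines are modelled on the excerpts in this thread, and its open/openat lines are invented to show each outcome.

```python
import re

# Constructed sample in "strace -f -o FILE" format, modelled on the excerpts
# quoted in this thread. The open/openat lines (success, EACCES, and the
# unfinished/resumed pair) are invented to exercise each outcome.
SAMPLE_LOG = '''\
8189 stat("/home/asterisk/certs/asterisk.crt", {st_mode=S_IFREG|0640, st_size=1212, ...}) = 0
8189 access("/home/asterisk/certs/asterisk.crt", R_OK) = 0
8189 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 16
8190 openat(AT_FDCWD, "/etc/asterisk/keys/privkey.pem", O_RDONLY) = -1 EACCES (Permission denied)
8191 openat(AT_FDCWD, "/etc/asterisk/keys/ca.crt", O_RDONLY <unfinished ...>
8190 open("/etc/asterisk/keys/fullchain.pem", O_RDONLY) = 17
8191 <... openat resumed> ) = 18
'''

# "<pid> call(args) = ret [ERRNO (text)]"; the pid column is absent without -f/-o.
LINE_RE = re.compile(
    r'^(?:(?P<pid>\d+)\s+)?(?P<call>\w+)\((?P<args>.*)\)\s+=\s+'
    r'(?P<ret>-?\d+|\?)(?:\s+(?P<errno>E[A-Z0-9]+))?'
)
UNFINISHED_RE = re.compile(r'^(\d+)\s+(\w+)\((.*)<unfinished \.\.\.>\s*$')
RESUMED_RE = re.compile(r'^(\d+)\s+<\.\.\. (\w+) resumed>(.*)$')
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

PROBES = {"stat", "lstat", "access", "faccessat", "newfstatat", "statx"}
OPENS = {"open", "openat", "openat2"}


def trace_file_access(log_text, paths):
    """Map each path to the probe and open syscalls that named it.

    Values are lists of (syscall, return value, errno name or None).
    """
    seen = {p: {"probes": [], "opens": []} for p in paths}
    pending = {}  # (pid, syscall) -> argument text of a call split by -f
    for raw in log_text.splitlines():
        line = raw.strip()
        m = UNFINISHED_RE.match(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESUMED_RE.match(line)
        if m:  # stitch the two halves back into one ordinary line
            head = pending.pop((m.group(1), m.group(2)), "")
            line = f"{m.group(1)} {m.group(2)}({head}{m.group(3)}"
        m = LINE_RE.match(line)
        if not m:
            continue
        call = m.group("call")
        kind = "opens" if call in OPENS else "probes" if call in PROBES else None
        if kind is None:
            continue
        for path in QUOTED_RE.findall(m.group("args")):
            if path in seen:
                seen[path][kind].append((call, m.group("ret"), m.group("errno")))
    return seen


def verdict(entry):
    """Summarise one path's entry from trace_file_access()."""
    opens = entry["opens"]
    if any(errno is None for _call, _ret, errno in opens):
        return "opened"
    if opens:
        return "open failed: " + ", ".join(sorted({e for _c, _r, e in opens}))
    if entry["probes"]:
        return "probed (stat/access) but never opened"
    return "never referenced"


if __name__ == "__main__":
    watched = [
        "/home/asterisk/certs/asterisk.crt",
        "/etc/asterisk/keys/privkey.pem",
        "/etc/asterisk/keys/fullchain.pem",
        "/etc/asterisk/keys/ca.crt",
        "/etc/asterisk/keys/cert.pem",
    ]
    for path, entry in trace_file_access(SAMPLE_LOG, watched).items():
        print(f"{path}: {verdict(entry)}")
```
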
Re: [asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
beating around bushes, and finally seem to stomp on something that worked! Simply move the cert file locations from /home/asterisk/certs to /etc/asterisk/keys

[root@voip1 asterisk]# ls -l keys
total 36
-rw-r-. 1 asterisk asterisk 1212 Jan 29 14:18 asterisk.crt
-rw-r-. 1 asterisk asterisk 578 Jan 29 14:18 asterisk.csr
-rw-r-. 1 asterisk asterisk 891 Jan 29 14:18 asterisk.key
-rw-r-. 1 asterisk asterisk 2103 Jan 29 14:18 asterisk.pem
-rw-r-. 1 asterisk asterisk 1749 Jan 29 14:18 ca.crt
-rw-r-. 1 asterisk asterisk 3311 Jan 29 14:18 ca.key
-rw-r-. 1 asterisk asterisk 1923 Jan 29 14:18 cert.pem
-rw-r-. 1 asterisk asterisk 3570 Jan 29 14:18 fullchain.pem
-rw-r-. 1 asterisk asterisk 1704 Jan 29 14:18 privkey.pem

and tls was established. With self-sign cert, I'd need to add ca_list_file in the transport-tls section in /etc/pjsip.conf for it to fly.

[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0:5061
; ca_list_file = /etc/asterisk/keys/ca.crt
; cert_file = /etc/asterisk/keys/asterisk.crt
; priv_key_file = /etc/asterisk/keys/asterisk.key
cert_file = /etc/asterisk/keys/fullchain.pem
priv_key_file = /etc/asterisk/keys/privkey.pem
method = tlsv1_2
allow_reload = true

Not sure what was the nature of the problem. Maybe SELinux? There was no complaint from that department though.

Thanks for the help and suggestions,

--Ruisheng

On Fri, Jan 29, 2021 at 11:33 AM Ruisheng Peng wrote:

> Thanks for the detailed explanation Michael.
>
> I stop the current asterisk process (started by systemd), and restart it as asterisk:
>
> [asterisk@voip1 ~]$ strace -f -o /home/asterisk/strace.log asterisk -fmq -vvv -C /etc/asterisk/asterisk.conf
>
> from the log there was no attempt to even open the cert file. I edited /etc/asterisk/pjsip.conf to add a "method = tlsv1" line to the transport-tls section. Rerun the strace command, and here the part re cert files:
>
> 8189 stat("/home/asterisk/certs/asterisk.crt", {st_mode=S_IFREG|0640, st_size=1212, ...}) = 0
> 8189 geteuid() = 1002
> 8189 getegid() = 1002
> 8189 getuid() = 1002
> 8189 getgid() = 1002
> 8189 access("/home/asterisk/certs/asterisk.crt", R_OK) = 0
> 8189 stat("/home/asterisk/certs/asterisk.key", {st_mode=S_IFREG|0640, st_size=891, ...}) = 0
> 8189 geteuid() = 1002
> 8189 getegid() = 1002
> 8189 getuid() = 1002
> 8189 getgid() = 1002
> 8189 access("/home/asterisk/certs/asterisk.key", R_OK) = 0
> 8189 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 16
> 8189 setsockopt(16, SOL_SOCKET, 0x /* SO_??? */, [1], 4) = -1 ENOPROTOOPT (Protocol not available)
> 8189 setsockopt(16, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
> 8189 setsockopt(16, SOL_TCP, TCP_NODELAY, [1], 4) = 0
>
> The tls transport is not established in the end. Only the two hard phones using udp transport and a softphone using tcp transport are registered.
>
> Thanks,
>
> --Ruisheng
>
> On Thu, Jan 28, 2021 at 7:42 PM Michael Maier wrote:
>
> > On 27.01.21 at 22:57 Ruisheng Peng wrote:
> > > Thanks Michael for the suggestion! I've installed strace and assigned one of the endpoints (SOFTPHONE_B) to use transport-tls. Then run strace (as user asterisk):
> > >
> > > [asterisk@voip1 ~]$ strace asterisk -rx "module reload res_pjsip.so"
> >
> > You should use strace like this as root and from the very beginning of the start of asterisk:
> >
> > strace -f -o /tmp/strace.log asterisk -vvv -mqf -C /etc/asterisk/asterisk.conf
> >
> > -f means, to follow even forked processes, ... (see man page)
> > -o writes all the output to a file. You can search afterwards pretty easily for the file (or the open call).
> >
> > You shouldn't do this in production but in the test environment!
> >
> > You have to run it as long as the error has happened.
> >
> > Thanks
> > Michael

Re: [asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
Thanks for the detailed explanation Michael.

I stop the current asterisk process (started by systemd), and restart it as asterisk:

[asterisk@voip1 ~]$ strace -f -o /home/asterisk/strace.log asterisk -fmq -vvv -C /etc/asterisk/asterisk.conf

from the log there was no attempt to even open the cert file. I edited /etc/asterisk/pjsip.conf to add a "method = tlsv1" line to the transport-tls section. Rerun the strace command, and here the part re cert files:

8189 stat("/home/asterisk/certs/asterisk.crt", {st_mode=S_IFREG|0640, st_size=1212, ...}) = 0
8189 geteuid() = 1002
8189 getegid() = 1002
8189 getuid() = 1002
8189 getgid() = 1002
8189 access("/home/asterisk/certs/asterisk.crt", R_OK) = 0
8189 stat("/home/asterisk/certs/asterisk.key", {st_mode=S_IFREG|0640, st_size=891, ...}) = 0
8189 geteuid() = 1002
8189 getegid() = 1002
8189 getuid() = 1002
8189 getgid() = 1002
8189 access("/home/asterisk/certs/asterisk.key", R_OK) = 0
8189 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 16
8189 setsockopt(16, SOL_SOCKET, 0x /* SO_??? */, [1], 4) = -1 ENOPROTOOPT (Protocol not available)
8189 setsockopt(16, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
8189 setsockopt(16, SOL_TCP, TCP_NODELAY, [1], 4) = 0

The tls transport is not established in the end. Only the two hard phones using udp transport and a softphone using tcp transport are registered.

Thanks,

--Ruisheng

On Thu, Jan 28, 2021 at 7:42 PM Michael Maier wrote:

> On 27.01.21 at 22:57 Ruisheng Peng wrote:
> > Thanks Michael for the suggestion! I've installed strace and assigned one of the endpoints (SOFTPHONE_B) to use transport-tls. Then run strace (as user asterisk):
> >
> > [asterisk@voip1 ~]$ strace asterisk -rx "module reload res_pjsip.so"
>
> You should use strace like this as root and from the very beginning of the start of asterisk:
>
> strace -f -o /tmp/strace.log asterisk -vvv -mqf -C /etc/asterisk/asterisk.conf
>
> -f means, to follow even forked processes, ... (see man page)
> -o writes all the output to a file. You can search afterwards pretty easily for the file (or the open call).
>
> You shouldn't do this in production but in the test environment!
>
> You have to run it as long as the error has happened.
>
> Thanks
> Michael

Re: [asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
Thanks Stefan for the pointer.

There isn't a /etc/ssl/openssl.cnf on the CentOS7 box. There is a /etc/pki/tls/openssl.cnf, but there's no MinProtocol or CipherString defined there. I installed certbot (for Letsencrypt auto renewal) thru snap. The openssl.cnf that comes with snap (under /var/lib/snapd/snap/core/current/etc/ssl) is pretty similar to the one under /etc/pki/tls, in both lacking MinProtocol and CipherString definitions.

[root@voip1 ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

if it helps with anything.

Thanks,

--Ruisheng

On Fri, Jan 29, 2021 at 5:55 AM Stefan Tichy wrote:

> On Tue, Jan 26, 2021 at 10:12:22AM -1000, Ruisheng Peng wrote:
>
> > The self-sign asterisk.crt:
>
> I saved that file in "x.crt".
>
> openssl x509 -in x.crt -noout -text
>
> RSA Public-Key: (1024 bit)
>
> > and Letsencrypt cert.pem:
>
> I saved that file in "y.crt".
>
> openssl x509 -in y.crt -noout -enddate
> notAfter=Jan 29 01:24:25 2021 GMT
>
> > There were a few mentions of this problem on the web, and one said changing
> > the security mode of the certs to 755 fixed his problem.
>
> That makes no sense.
>
> Which version of openssl is used on that CentOS7 box?
>
> In "/etc/ssl/openssl.cnf" you find something like this:
>
> MinProtocol = TLSv1.2
> CipherString = DEFAULT@SECLEVEL=2
>
> You could set the level to "1" or even to "0" and restart Asterisk.
>
> --
> Stefan Tichy

Re: [asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
On Tue, Jan 26, 2021 at 10:12:22AM -1000, Ruisheng Peng wrote:

> The self-sign asterisk.crt:

I saved that file in "x.crt".

openssl x509 -in x.crt -noout -text

RSA Public-Key: (1024 bit)

> and Letsencrypt cert.pem:

I saved that file in "y.crt".

openssl x509 -in y.crt -noout -enddate
notAfter=Jan 29 01:24:25 2021 GMT

> There were a few mentions of this problem on the web, and one said changing
> the security mode of the certs to 755 fixed his problem.

That makes no sense.

Which version of openssl is used on that CentOS7 box?

In "/etc/ssl/openssl.cnf" you find something like this:

MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

You could set the level to "1" or even to "0" and restart Asterisk.

--
Stefan Tichy

Re: [asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
On 29.01.21 at 06:41 Michael Maier wrote:

> On 27.01.21 at 22:57 Ruisheng Peng wrote:
> > Thanks Michael for the suggestion! I've installed strace and assigned one of the endpoints (SOFTPHONE_B) to use transport-tls. Then run strace (as user asterisk):
> >
> > [asterisk@voip1 ~]$ strace asterisk -rx "module reload res_pjsip.so"
>
> You should use strace like this as root and from the very beginning of the start of asterisk:

Sorry - my wrong - not necessarily as root - it should be started the same way and in the same context as it runs normally.

> strace -f -o /tmp/strace.log asterisk -vvv -mqf -C /etc/asterisk/asterisk.conf
>
> -f means, to follow even forked processes, ... (see man page)
> -o writes all the output to a file. You can search afterwards pretty easily for the file (or the open call).
>
> You shouldn't do this in production but in the test environment!
>
> You have to run it as long as the error has happened.

Thanks
Michael

Re: [asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
On 27.01.21 at 22:57 Ruisheng Peng wrote:

> Thanks Michael for the suggestion! I've installed strace and assigned one of the endpoints (SOFTPHONE_B) to use transport-tls. Then run strace (as user asterisk):
>
> [asterisk@voip1 ~]$ strace asterisk -rx "module reload res_pjsip.so"

You should use strace like this as root and from the very beginning of the start of asterisk:

strace -f -o /tmp/strace.log asterisk -vvv -mqf -C /etc/asterisk/asterisk.conf

-f means, to follow even forked processes, ... (see man page)
-o writes all the output to a file. You can search afterwards pretty easily for the file (or the open call).

You shouldn't do this in production but in the test environment!

You have to run it as long as the error has happened.

Thanks
Michael

Re: [asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
Thanks Michael for the suggestion! I've installed strace and assigned one of the endpoints (SOFTPHONE_B) to use transport-tls. Then run strace (as user asterisk):

[asterisk@voip1 ~]$ strace asterisk -rx "module reload res_pjsip.so"

Re: [asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
On 26.01.21 at 21:12 Ruisheng Peng wrote:

> Hi,
>
> I'm experimenting with Asterisk-16.14.0 on a CentOS7 box, and run into problems loading the SSL certificate to establish transport-tls. Tried self-signed certificate generated with ast_tls_cert under contrib/scripts and the one issued by Letsencrypt, both would bomb out with a parsing error:
>
> [Dec 3 15:47:50] ERROR[11233] res_pjsip/config_transport.c: Transport: transport-tls: cert_file /home/asterisk/certs/asterisk.crt is either missing or not readable

It's missing or not readable! Take care, that the file access rights of the file and the complete path are ok.

Do a strace to verify, if the file is really loaded at all.

Michael
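
[Added example, not part of the original thread.] "The file and the complete path" in the message above means every directory from / down needs search (x) permission for the Asterisk user, and the file itself needs read permission; the sketch below evaluates that from mode bits for a given uid and group set. In the constructed sample chain, uid/gid 1002 and mode 0640 come from the strace excerpts in this thread, while the directory modes and the second account (uid 995) are hypothetical.

```python
import os
import stat

# Constructed sample: uid/gid 1002 and mode 0640 match the strace excerpts in
# this thread; the directory modes and the second account (uid 995) are
# hypothetical values chosen to show a blocked path.
SAMPLE_CHAIN = [
    ("/", stat.S_IFDIR | 0o555, 0, 0),
    ("/home", stat.S_IFDIR | 0o755, 0, 0),
    ("/home/asterisk", stat.S_IFDIR | 0o700, 1002, 1002),
    ("/home/asterisk/certs", stat.S_IFDIR | 0o750, 1002, 1002),
    ("/home/asterisk/certs/asterisk.crt", stat.S_IFREG | 0o640, 1002, 1002),
]


def stat_chain(path):
    """Return (path, st_mode, st_uid, st_gid) for "/" and each component of path."""
    chain, current = [], os.sep
    for part in [""] + [p for p in os.path.abspath(path).split(os.sep) if p]:
        current = os.path.join(current, part)
        st = os.stat(current)  # follows symlinks, as open() would
        chain.append((current, st.st_mode, st.st_uid, st.st_gid))
    return chain


def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """Pick the single rwx triplet the kernel consults: owner, else group, else other."""
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def first_blocker(chain, uid, gids):
    """Return (path, reason) for the first component that denies uid, else None.

    Only classic mode bits are evaluated; POSIX ACLs and SELinux are not.
    """
    if uid == 0:
        return None  # root is not limited by read/search mode bits
    for index, (path, mode, owner_uid, owner_gid) in enumerate(chain):
        bits = class_bits(mode, owner_uid, owner_gid, uid, gids)
        if index < len(chain) - 1:
            if not stat.S_ISDIR(mode):
                return (path, "not a directory")
            if not bits & 1:
                return (path, "directory lacks search (x) permission")
        elif not bits & 4:
            return (path, "file lacks read (r) permission")
    return None


if __name__ == "__main__":
    # The owning account passes; a second account in the same group is stopped
    # at the 0700 home directory even though the file itself is group-readable.
    print(first_blocker(SAMPLE_CHAIN, 1002, {1002}))
    print(first_blocker(SAMPLE_CHAIN, 995, {995, 1002}))
```

On a live system, `first_blocker(stat_chain(cert_path), uid, gids)` runs the same check against the real directory tree. A clean result here still leaves SELinux and ACLs to be checked separately.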