Re: [OpenSIPS-Users] Stir Shaken: Failed to load certificate

2023-05-30 Thread Mickael Hubert
I found another way.
I already use Ansible to deploy all configurations (exactly, I load a
specific route, with private key) because I like to split configuration.
So I just added my private key in configuration, but this key is encrypted
in Ansible template.
Very simple ;)

*man_private_key.cfg:*
route[man_private_key]
{
    $avp(privKey) = "-----BEGIN EC PRIVATE KEY-----
AA
-----END EC PRIVATE KEY-----";
}

*routing.cfg:*
route {
    route(man_private_key);
    ...
    route(stir_and_shaken);
    ...

*stir_and_shaken.cfg:*
...
$var(cert) = $sql_cached_value(man_certificates_cache:certificate:https://certs.example.org/public_am.pem);
stir_shaken_auth("$var(attest)", "blabla", "$var(cert)", "$avp(privKey)",
    "https://certs.example.org/public_am.pem", "$var(orig)", "$tU",
    "$var(identity_hdr)");
...

++

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


Re: [OpenSIPS-Users] Stir Shaken: Failed to load certificate

2023-05-30 Thread Mickael Hubert
Thanks a lot Wadii for your answer
I already use sqlcacher for all public keys, but for my private key, I want
to store it securely (maybe encrypt it, if I use a DB)
for your needs, you catch your private key with rest_client.so, right? In
France we get all keys thanks to the French state's central API, and this
API is protected by OAuth2 authentication, so I think use an external dev.
++




Re: [OpenSIPS-Users] Stir Shaken: Failed to load certificate

2023-05-29 Thread Wadii ELMAJDI | Evenmedia
Hello Mickael

if the goal is only to keep your key out of opensips plain sight, the simplest
way is using exec.so module, load the private key from a local file or an
external data source with an external command, and then store it securely in
the local cache for future calls stirshaken signing.

you could also use the rest_client.so module and get your key/certificate from
a secure external webservice (my personal fav)

another option is avpops module to get your private key from a sql database on
demand (or sqlcacher to full cache your table on script startup)

in case you're considering using the avpops module with its default table, the
value column can by default only hold 128 characters. for an RSA private key in
PEM format, it can go up to 800 chars.

hope this helps



Re: [OpenSIPS-Users] Stir Shaken: Failed to load certificate

2023-05-29 Thread Mickael Hubert
Hi,
Can you tell me what is the best way to load our private key please ?
It would be great not to have it as clear text in opensips's configuration.

thanks in advance



Re: [OpenSIPS-Users] Stir Shaken: Failed to load certificate

2022-11-21 Thread ryan embgrets
That was it.

Working flawlessly. Thanks Vlad Patrascu

Ryan



Re: [OpenSIPS-Users] Stir Shaken: Failed to load certificate

2022-11-21 Thread Vlad Patrascu

Hi Ryan,

You have to provide to the stir_shaken_auth() function the actual 
content of the certificate file and not just the path. The same goes for 
the private key.


Regards,

--
Vlad Patrascu
OpenSIPS Core Developer
http://www.opensips-solutions.com

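A pre-deployment check for the two failure modes raised in this thread, a file path passed where stir_shaken_auth() needs the PEM text and a key cut short by a 128-character value column, added here as an example and not code from any poster or from OpenSIPS. The function names, status strings and column_limit parameter are assumptions, the sample key body is constructed filler rather than a real key, and only the PEM armor and base64 body are inspected, not the ASN.1 inside.

```python
import base64
import binascii
import re

# PEM armor: five dashes on each side of BEGIN/END, with matching labels.
_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)
_BEGIN_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def check_pem_argument(value, column_limit=None):
    """Classify a string about to be used as a certificate/key argument."""
    text = value.strip()
    if not _BEGIN_RE.search(text):
        # No armor at all: a single-line value that looks like a file name
        # is the mistake from the original question.
        if "\n" not in text and (text.startswith(("/", "./")) or text.endswith(".pem")):
            return "path_not_content"
        return "not_pem"
    match = _PEM_RE.search(text)
    if match is None:
        # BEGIN marker without a matching END: the tail was cut off.
        return "truncated"
    try:
        base64.b64decode("".join(match.group(2).split()), validate=True)
    except (binascii.Error, ValueError):
        return "bad_base64"
    if column_limit is not None and len(text) > column_limit:
        # Intact now, but would not survive storage in a narrower column.
        return "would_truncate"
    return "ok"


def make_sample_pem(label="EC PRIVATE KEY", body_len=121):
    """Constructed sample: valid armor around filler bytes, NOT a usable key."""
    body = base64.encodebytes(bytes(range(body_len))).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"


if __name__ == "__main__":
    pem = make_sample_pem()
    for name, candidate, limit in [
        ("path from the question", "/etc/opensips/key.pem", None),
        ("full PEM text", pem, None),
        ("PEM headed for a 128-char column", pem, 128),
        ("PEM read back from that column", pem[:128], None),
    ]:
        print(f"{name}: {check_pem_argument(candidate, limit)}")
```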


[OpenSIPS-Users] Stir Shaken: Failed to load certificate

2022-11-21 Thread ryan embgrets
Greetings

I am trying to generate an Identity header by using the stir_shaken module
of the opensips.

But I am encountering the below error each time upon call.

Nov 21 11:15:20 local /usr/sbin/opensips[5051]: ERROR:stir_shaken:w_stir_verify: Failed to load certificate
Nov 21 11:15:20 local /usr/sbin/opensips[5051]: ERROR:stir_shaken:load_cert: Failed to parse certificate

#Module section.
loadmodule "stir_shaken.so"

route{

    $var(cert) = "/etc/opensips/certs.pem";
    $var(privKey) = "/etc/opensips/key.pem";
    stir_shaken_auth("A", "", $var(cert), $var(privKey), "https://domain.org/cert.pem");
}

Though the cert looks valid, has proper permission for the opensips to
access them and cross checked with openssl for the verification.

Any pointer on what might be causing this?

Ryan