Hi,

This page here has probably most of the information required to get you back to a 'known' state, but basically (as root) run:

    mkdir $HOME/sslkeys
    cd $HOME/sslkeys
    /usr/bin/ssl-cert/gen-ssl-keys.sh
Then:

    /usr/bin/ssl-cert/install-cert.sh

http://sipx-wiki.calivia.com/index.php/SSL_Certificates

I am sure you probably have done that, but that is the process I have followed to put third party certs in. First I delete pretty much all the certs in the /etc/sipxpbx/ssl directories and run the above process. This page also has the process to convert DER certs to PEM certs, which you need to do to install the third party CA certificates after saving them to file.

The only part on this page that I think is missing is the generation of the java keystore which Jeff detailed in his instructions.

The other thing that I think is missing from the instructions is around certificates that have intermediates. The certificate you install, from my findings, looks for the root or the signing authority and of course can't find it because there is an intermediate in between. So you need to put both the root and intermediate in the authorities folder, so you would end up potentially in that case having two certs in the authorities folder for the third party cert and one in that folder for the self signed one that does the other stuff aside from the Web stuff (which is what I care about). You would also have three symlinks in that folder too after doing the re-hash detailed by Scott (nice email address too Scott btw).

Just another thing, I think I had to go and tweak the permissions on the certificates in the authorities directory after doing all of this, not a major though.

The reason it is important to me is I want to give the user the best possible experience and I don't accept clicking on an SSL error on a web page to continue is a good experience, that's why I was/am so keen to get it sorted out. Mine so far works flawlessly that I can tell and I have rebooted and set PIN numbers from TUI etc and it all seems ok, I don't know what else to look at or check.
Next for me will be doing the same using a MS CA so that it is easier to renew and set expiry dates out longer etc and of course less cost, however there could be implications for remote workers in this case which is something I haven't considered as it is outside the scope for me.

Happy to work with someone to detail the instructions from start to finish and use real examples assuming it is tested and worked for others.

Cheers
Grant

-----Original Message-----
From: mkitchin.pub...@gmail.com [mailto:mkitchin.pub...@gmail.com]
Sent: Thursday, 21 January 2010 7:45 a.m.
To: Raymond Dans
Cc: Scott Lawrence; Grant Lang; sipx-users@list.sipfoundry.org
Subject: Re: [sipx-users] SSL Cert help

I'm not sure exactly how to do that, so I guess I hadn't. How should I do that? The ssl script seems to indicate it is doing that (see below).

On a side note, I just tried completely rerunning the sipx setup wizard. That didn't help. Same result.

I realize my timing here is awful. I am desperate. We have training for 2 hours this afternoon, so I can't rebuild the system from scratch right now. I really don't want to do that if I don't have to. We were going to spend this evening staging all the handsets, but I obviously can't do that if I'm going to have to rebuild the system. This is a nightmare. It is 100% my fault. I was trying to squeeze in one more thing before we went into production, and obviously that was a horrible idea.
______________________________________________________________________
Generating Java Key Store
Enter input keystore passphrase:
Enter output keystore passphrase:
Alias 0: nshpbx1.sipx.voip
Adding key for alias nshpbx1.sipx.voip
______________________________________________________________________
Generating Java Trust Store
Certificate was added to keystore

On 1/20/2010 12:27 PM, Raymond Dans wrote:
>> Subject: Re: [sipx-users] SSL Cert help
>>
>> I will be glad to listen to a whole bunch of "I told so", but
>> I would greatly appreciate a little help first.
>> I made a system backup, and backed up the SSL directories
>> before trying any of this. I wanted to give an external SSL
>> cert one more shot. It didn't work, so I went to revert back
>> to a self signed cert. I followed the same things I had done
>> before. I ran /usr/bin/ssl-cert/gen-ssl-keys.sh and then
>> /usr/bin/ssl-cert/install-cert.sh Most everything is ok, but I
>> can't change the PIN from a phone. I restored from backup
>> taken prior to any of this, and it didn't help. I get the
>> errors below in mediaserver_cgi.log I have tried regenerating
>> the certs a few times, and everything seems to go ok. Can
>> someone help me get past this issue?
>> I would greatly appreciate it and will not tinker with ssl certs again until 4.2 :)
>>
>>
>> "2010-01-20T16:53:40.411617Z":1:KERNEL:ERR:nshpbx1.sipx.voip:pid-8800:23D69C30:mediaservercgi:"OsSSL::verifyCallback invalid certificate at depth 0\n error='unable to get local issuer certificate'\n issuer='/C=US/ST=AnyState/L=AnyTown/O=sipx.voip/OU=sipXecs/CN=ca.nshpbx1.sipx.voip/emailaddress=r...@nshpbx1.sipx.voip'\n subject='/C=US/ST=AnyState/L=AnyTown/O=sipx.voip/OU=sipXecs/CN=nshpbx1.sipx.voip/emailaddress=r...@nshpbx1.sipx.voip'"
>> "2010-01-20T16:53:40.411754Z":2:KERNEL:ERR:nshpbx1.sipx.voip:pid-8800:23D69C30:mediaservercgi:"OsSSLConnectionSocket SSL_connect failed: :\n SSL error: 1 'error:00000001:lib(0):func(0):reason(1)'"
>> "2010-01-20T16:53:40.411797Z":3:HTTP:ERR:nshpbx1.sipx.voip:pid-8800:23D69C30:mediaservercgi:"HttpMessage::get[4] socket to 10.87.20.5:8101 not connected, retry 1 after 20ms"
>> "2010-01-20T16:53:40.433197Z":4:KERNEL:ERR:nshpbx1.sipx.voip:pid-8800:23D69C30:mediaservercgi:"OsSSL::verifyCallback invalid certificate at depth 0\n error='unable to get local issuer certificate'\n issuer='/C=US/ST=AnyState/L=AnyTown/O=sipx.voip/OU=sipXecs/CN=ca.nshpbx1.sipx.voip/emailaddress=r...@nshpbx1.sipx.voip'\n subject='/C=US/ST=AnyState/L=AnyTown/O=sipx.voip/OU=sipXecs/CN=nshpbx1.sipx.voip/emailaddress=r...@nshpbx1.sipx.voip'"
>> "2010-01-20T16:53:40.433261Z":5:KERNEL:ERR:nshpbx1.sipx.voip:pid-8800:23D69C30:mediaservercgi:"OsSSLConnectionSocket SSL_connect failed: :\n SSL error: 1 'error:00000001:lib(0):func(0):reason(1)'"
>> "2010-01-20T16:53:40.433289Z":6:HTTP:ERR:nshpbx1.sipx.voip:pid-8800:23D69C30:mediaservercgi:"HttpMessage::get[4] socket to 10.87.20.5:8101 not connected, retry 2 after 40ms"
>> "2010-01-20T16:53:40.473894Z":7:HTTP:ERR:nshpbx1.sipx.voip:pid-8800:23D69C30:mediaservercgi:"HttpMessage::get[4] socket connection to 10.87.20.5:8101 failed, give up..."
>>
>>
>> On 1/20/2010 7:38 AM, Scott Lawrence wrote:
>>> On Wed, 2010-01-20 at 12:21 +0000, mkitchin.pub...@gmail.com wrote:
>>>
>>>> Scott - if there are issues, should they show up immediately? If you
>>>> have to back out, is it still just as easy as regenerating the self
>>>> signed cert?
>>>
>>> Yes, they should show up as soon as you restart.
>>>
>>> If you think regenerating the self signed cert is easy, then yes -
>>> it's just that easy.
>
> Not sure if this will help but did you regenerate and install the Java
> Keystore/Truststore? If not you may want to try this first.
>
> Raymond
>
_______________________________________________
sipx-users mailing list
sipx-users@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
sipXecs IP PBX -- http://www.sipfoundry.org/
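The "unable to get local issuer certificate ... at depth 0" error quoted in the log above and the fix Grant describes (root AND intermediate in the authorities directory, then the hash re-link) can be reproduced end to end with the openssl command-line tool. The script below is an added example for this thread, not code from the sipx-users list or from the sipXecs ssl-cert scripts; it builds a constructed root -> intermediate -> server chain with made-up names, shows that trusting only the root reproduces the depth-0 failure, then builds an "authorities" directory the way -CApath lookup (and c_rehash) expects and verifies again. It assumes only that an openssl CLI (1.1.1 or newer) is on PATH; the directory and file names are the example's own, not sipXecs paths.

```shell
#!/bin/sh
# Added example (not from the sipx-users thread or sipXecs): reproduce the
# "unable to get local issuer certificate" failure and the authorities-dir fix.
# Assumes: openssl CLI on PATH. All names/paths below are constructed test values.

# Build root -> intermediate -> server ("leaf") chain in $1.
make_test_chain() {
    dir=$1
    # Extensions: the intermediate MUST be marked CA:TRUE to be accepted as an issuer.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:pbx.example.test\n' > "$dir/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Root CA' \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=pbx.example.test' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# Step 1: the failure from the thread. Only the root is trusted, so the server
# cert's issuer (the intermediate) cannot be found: error at depth 0.
show_failure() {
    dir=$1
    out=$(openssl verify -CAfile "$dir/root.pem" "$dir/leaf.pem" 2>&1) && return 1
    echo "$out" | grep -q 'unable to get local issuer certificate'
}

# Step 2: the fix. Put BOTH root and intermediate into an authorities directory
# and create the <subject-hash>.N symlinks that -CApath lookup (what c_rehash
# generates) needs. The intermediate is round-tripped through DER to show the
# DER -> PEM conversion step mentioned for CA certs delivered in DER form.
build_authorities() {
    dir=$1
    auth="$dir/authorities"
    mkdir -p "$auth"
    openssl x509 -in "$dir/int.pem" -outform DER -out "$dir/int.der"            # PEM -> DER (as delivered)
    openssl x509 -inform DER -in "$dir/int.der" -out "$auth/intermediate.pem"   # DER -> PEM (what the dir needs)
    cp "$dir/root.pem" "$auth/root.pem"
    for f in "$auth"/*.pem; do
        h=$(openssl x509 -noout -hash -in "$f")
        i=0
        while [ -e "$auth/$h.$i" ]; do i=$((i + 1)); done   # next free suffix on hash collision
        ln -s "$(basename "$f")" "$auth/$h.$i"
    done
    chmod 644 "$auth"/*.pem   # the permissions tweak the thread mentions: CA certs are public
}

# Verify the server cert against the authorities directory (hash lookup).
verify_with_authorities() {
    dir=$1
    openssl verify -CApath "$dir/authorities" "$dir/leaf.pem" >/dev/null 2>&1
}

# Whole demo in a scratch directory; returns 0 only if the failure reproduced
# AND the authorities-directory fix made verification succeed.
demo_chain_verify() {
    work=$(mktemp -d) || return 1
    make_test_chain "$work" || { rm -rf "$work"; return 1; }
    show_failure "$work" || { rm -rf "$work"; return 1; }
    build_authorities "$work" || { rm -rf "$work"; return 1; }
    verify_with_authorities "$work"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo_chain_verify && echo "depth-0 failure reproduced, then fixed by root+intermediate in authorities dir"
```

The same check against a live sipXecs install is `openssl verify -CApath /etc/sipxpbx/ssl/authorities <server-cert>.pem`: if it reports error 20 at depth 0, the intermediate is missing from the directory or its hash symlink was not regenerated after the file was added.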