Thanks. I had used those in the past and recovered fine. Somewhere in the process of trying to make the internal MS cert work, I must have caused an issue of some sort. The MS certs didn't have the right name, extension, etc, so I had to do a few more things.
On 1/20/2010 1:47 PM, Grant Lang wrote:
> Hi,
>
> This page here has probably most of the information required to get you back to a 'known' state, but basically (as root) run:
>
> mkdir $HOME/sslkeys
> cd $HOME/sslkeys
> /usr/bin/ssl-cert/gen-ssl-keys.sh
>
> Then:
> /usr/bin/ssl-cert/install-cert.sh
>
> http://sipx-wiki.calivia.com/index.php/SSL_Certificates
>
> I am sure you probably have done that, but that is the process I have followed to put third party certs in. First I delete pretty much all the certs in the /etc/sipxpbx/ssl directories and run the above process.
>
> This page also has the process to convert DER certs to PEM certs which you need to do to install the third party CA certificates after saving them to file. The only part on this page that I think is missing is the generation of the java keystore which Jeff detailed in his instructions.
>
> The other thing that I think is missing from the instructions is around certificates that have intermediates. The certificate you install from my findings looks for the root or the signing authority and of course can't find it because there is an intermediate in between. So you need to put both the root and intermediate in the authorities folder, so you would end up potentially in that case of having two certs in the authorities folder for the third party cert and one in that folder for the self signed one that does the other stuff aside from the Web stuff (which is what I care about). You would also have three sym links in that folder too after doing the re-hash detailed by Scott (nice email address too Scott btw).
>
> Just another thing, I think I had to go and tweak the permissions on the certificates in the authorities directory after doing all of this, not a major though.
>
> The reason it is important to me is I want to give the user the best possible experience and I don't accept clicking on a SSL error on a web page to continue is a good experience, that's why I was/am so keen to get it sorted out.
>
> Mine so far works flawlessly that I can tell and I have rebooted and set PIN numbers from TUI etc and it all seems ok, I don't know what else to look at or check.
> Next for me will be doing the same using a MS CA so that it is easier to renew and set expiry dates out longer etc and of course less cost, however there could be implications for remote workers in this case which is something I haven't considered as it is outside the scope for me.
>
> Happy to work with someone to detail the instructions from start to finish and use real examples assuming it is tested and worked for others.
>
> Cheers
> Grant
>
>
> -----Original Message-----
> From: mkitchin.pub...@gmail.com [mailto:mkitchin.pub...@gmail.com]
> Sent: Thursday, 21 January 2010 7:45 a.m.
> To: Raymond Dans
> Cc: Scott Lawrence; Grant Lang; sipx-users@list.sipfoundry.org
> Subject: Re: [sipx-users] SSL Cert help
>
> I'm not sure exactly how to do that, so I guess I hadn't. How should I do that? The ssl script seems to indicate it is doing that (see below).
> On a side note, I just tried completely rerunning the sipx setup wizard. That didn't help. Same result.
> I realize my timing here is awful. I am desperate. We have training for 2 hours this afternoon, so I can't rebuild the system from scratch right now. I really don't want to do that if I don't have to. We were going to spend this evening staging all the handsets, but I obviously can't do that if I'm going to have to rebuild the system. This is a nightmare. It is 100% my fault. I was trying to squeeze in one more thing before we went into production, and obviously that was a horrible idea.
>
> ______________________________________________________________________
>
> Generating Java Key Store
> Enter input keystore passphrase: Enter output keystore passphrase: Alias 0: nshpbx1.sipx.voip
> Adding key for alias nshpbx1.sipx.voip
> ______________________________________________________________________
>
> Generating Java Trust Store
> Certificate was added to keystore
>
>
> On 1/20/2010 12:27 PM, Raymond Dans wrote:
>
>>> Subject: Re: [sipx-users] SSL Cert help
>>>
>>> I will be glad to listen to a whole bunch of "I told so", but I would greatly appreciate a little help first.
>>> I made a system backup, and backed up the SSL directories before trying any of this. I wanted to give an external SSL cert one more shot. It didn't work, so I went to revert back to a self signed cert. I followed the same things I had done before. I ran /usr/bin/ssl-cert/gen-ssl-keys.sh and then /usr/bin/ssl-cert/install-cert.sh. Most everything is ok, but I can't change the PIN from a phone. I restored from backup taken prior to any of this, and it didn't help. I get the errors below in mediaserver_cgi.log. I have tried regenerating the certs a few times, and everything seems to go ok. Can someone help me get past this issue? I would greatly appreciate it and will not tinker with ssl certs again until 4.2 :)
>>>
>>>
>>> "2010-01-20T16:53:40.411617Z":1:KERNEL:ERR:nshpbx1.sipx.voip:pid-8800:23D69C30:mediaservercgi:"OsSSL::verifyCallback invalid certificate at depth 0\n error='unable to get local issuer certificate'\n issuer='/C=US/ST=AnyState/L=AnyTown/O=sipx.voip/OU=sipXecs/CN=ca.nshpbx1.sipx.voip/emailaddress=r...@nshpbx1.sipx.voip'\n subject='/C=US/ST=AnyState/L=AnyTown/O=sipx.voip/OU=sipXecs/CN=nshpbx1.sipx.voip/emailaddress=r...@nshpbx1.sipx.voip'"
>>> "2010-01-20T16:53:40.411754Z":2:KERNEL:ERR:nshpbx1.sipx.voip:pid-8800:23D69C30:mediaservercgi:"OsSSLConnectionSocket SSL_connect failed: :\n SSL error: 1 'error:00000001:lib(0):func(0):reason(1)'"
>>> "2010-01-20T16:53:40.411797Z":3:HTTP:ERR:nshpbx1.sipx.voip:pid-8800:23D69C30:mediaservercgi:"HttpMessage::get[4] socket to 10.87.20.5:8101 not connected, retry 1 after 20ms"
>>> "2010-01-20T16:53:40.433197Z":4:KERNEL:ERR:nshpbx1.sipx.voip:pid-8800:23D69C30:mediaservercgi:"OsSSL::verifyCallback invalid certificate at depth 0\n error='unable to get local issuer certificate'\n issuer='/C=US/ST=AnyState/L=AnyTown/O=sipx.voip/OU=sipXecs/CN=ca.nshpbx1.sipx.voip/emailaddress=r...@nshpbx1.sipx.voip'\n subject='/C=US/ST=AnyState/L=AnyTown/O=sipx.voip/OU=sipXecs/CN=nshpbx1.sipx.voip/emailaddress=r...@nshpbx1.sipx.voip'"
>>> "2010-01-20T16:53:40.433261Z":5:KERNEL:ERR:nshpbx1.sipx.voip:pid-8800:23D69C30:mediaservercgi:"OsSSLConnectionSocket SSL_connect failed: :\n SSL error: 1 'error:00000001:lib(0):func(0):reason(1)'"
>>> "2010-01-20T16:53:40.433289Z":6:HTTP:ERR:nshpbx1.sipx.voip:pid-8800:23D69C30:mediaservercgi:"HttpMessage::get[4] socket to 10.87.20.5:8101 not connected, retry 2 after 40ms"
>>> "2010-01-20T16:53:40.473894Z":7:HTTP:ERR:nshpbx1.sipx.voip:pid-8800:23D69C30:mediaservercgi:"HttpMessage::get[4] socket connection to 10.87.20.5:8101 failed, give up..."
>>>
>>>
>>> On 1/20/2010 7:38 AM, Scott Lawrence wrote:
>>>
>>>> On Wed, 2010-01-20 at 12:21 +0000, mkitchin.pub...@gmail.com wrote:
>>>>
>>>>> Scott - if there are issues, should they show up immediately? If you have to back out, is it still just as easy as regenerating the self signed cert?
>>>>
>>>> Yes, they should show up as soon as you restart.
>>>>
>>>> If you think regenerating the self signed cert is easy, then yes - it's just that easy.
>>>>
>> Not sure if this will help but did you regenerate and install the Java Keystore/Truststore? If not you may want to try this first.
>>
>> Raymond
>>
>
_______________________________________________
sipx-users mailing list
sipx-users@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
sipXecs IP PBX -- http://www.sipfoundry.org/
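The quoted mediaservercgi errors ("unable to get local issuer certificate" at depth 0) are OpenSSL reporting that the certificate's issuer could not be looked up in the authorities directory, and Grant's point about intermediates and the re-hash is the same mechanism from the other side: OpenSSL finds trusted certificates in a -CApath directory only through <subject-hash>.N symlinks, so a missing intermediate or a missing hash link produces exactly that error. The script below is an added example, not part of this thread or of sipXecs: it builds a throwaway root -> intermediate -> server chain with openssl, uses a scratch directory in place of /etc/sipxpbx/ssl/authorities, reproduces the failure with only the root installed, then shows it verifying once the intermediate is installed and hashed, and finishes with the hostname check a browser or phone makes against the name it dialled. The host name pbx.example.invalid and all certificates are constructed here; the only assumption is an openssl binary (1.1.0 or later) on PATH.

```shell
#!/bin/sh
# Added example (not from the sipx-users thread or sipXecs). Assumes: openssl on PATH.
# $AUTH stands in for /etc/sipxpbx/ssl/authorities; every cert below is constructed.
WORK=$(mktemp -d)
AUTH="$WORK/authorities"
trap 'rm -rf "$WORK"' EXIT

# Explicit extension files so the same commands behave on OpenSSL 1.1 and 3.x.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:pbx.example.invalid\n' > "$WORK/leaf.ext"

# mkcsr NAME SUBJECT: throwaway key plus CSR (-nodes: no passphrase on the key).
mkcsr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# Constructed three-tier chain: root CA -> intermediate CA -> server certificate.
mkcsr root "/CN=Constructed Root CA"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
mkcsr int "/CN=Constructed Intermediate CA"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" >/dev/null 2>&1
mkcsr leaf "/CN=pbx.example.invalid"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1

# Empty the authorities directory (what "delete pretty much all the certs" does).
reset_authorities() { rm -rf "$AUTH"; mkdir -p "$AUTH"; }

# Copy one PEM certificate into the authorities directory and create the
# <subject-hash>.N symlink that -CApath lookup needs; this is the per-file
# work that c_rehash / "openssl rehash" does for a whole directory.
install_authority() {
    cp "$1" "$AUTH/"
    h=$(openssl x509 -noout -hash -in "$1")
    n=0
    while [ -e "$AUTH/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$1")" "$AUTH/$h.$n"
}

# Build the chain for leaf.crt using only the authorities directory (system
# trust stores disabled). Prints OpenSSL's verdict; exit 0 means verified.
verify_leaf() {
    openssl verify -no-CAfile -no-CApath -CApath "$AUTH" "$WORK/leaf.crt" 2>&1
}

# Same chain check plus the name check a client performs against the host it dialled.
verify_leaf_for_host() {
    openssl verify -no-CAfile -no-CApath -CApath "$AUTH" \
        -verify_hostname "$1" "$WORK/leaf.crt" 2>&1
}

# Walk-through: root only reproduces the thread's error; adding the
# intermediate (and its hash link) makes the chain verify.
reset_authorities
install_authority "$WORK/root.crt"
echo "root only:";           verify_leaf || echo "(verify exit status $?)"
install_authority "$WORK/int.crt"
echo "root + intermediate:"; verify_leaf
echo "wrong host name:";     verify_leaf_for_host wrong.example.invalid || echo "(verify exit status $?)"
echo "right host name:";     verify_leaf_for_host pbx.example.invalid
ls -l "$AUTH"
```

The final listing shows the two certificates plus two hash symlinks, which is the "two certs and the sym links" layout Grant describes for a third-party certificate with one intermediate; the sipXecs-generated CA for the non-web services would add a third pair alongside them. If a chain verifies here but a phone or browser still complains, the remaining suspects are file permissions on the authorities directory and the name on the certificate, which the host name check exercises.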