so on the browsers I had the 8443 godaddy 2048b cert working fine for a 
while now (with intermediates)

then the voicemail PIN change issue came up.

my fix:

1. downloaded from godaddy the root CA + two intermediates 
(https://certs.godaddy.com/anonymous/repository.seam)

valicert_class2_root.crt
gd_cross_intermediate.crt
gd_intermediate.crt


2. copied these 3 into /etc/sipxpbx/ssl/authorities then ran the re-hash 
script - /usr/bin/ssl-cert/ca_rehash - (not really sure if this step is 
required)

3. manually added the 2 godaddy intermediates to the 
/etc/sipxpbx/ssl/authorities.jks (good idea to back this file up)

4. restart and DONE. changing PIN works fine now from the voicemail menus

-- capture for steps 3,4 - use def. password if it hasn't been 
changed - "changeit"

--- begin ---

cd /etc/sipxpbx/ssl

[r...@sipx ssl]# keytool -list -keystore ./authorities.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

ca.sipx.company.net, Dec 14, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 
53:1F:6D:98:EE:C8:A0:94:11:8F:7B:B0:8E:45:29:8B



[r...@sipx ssl]# keytool -import -trustcacerts -alias 
gd_cross_intermediate -file ./gd_cross_intermediate.crt -keystore 
./authorities.jks
Enter keystore password:
Certificate was added to keystore
[r...@sipx ssl]# keytool -import -trustcacerts -alias gd_intermediate 
-file ./gd_intermediate.crt -keystore ./authorities.jks
Enter keystore password:
Certificate was added to keystore
[r...@sipx ssl]# keytool -list -keystore ./authorities.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

gd_cross_intermediate, Jan 23, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 
82:BD:9A:0B:82:6A:0E:3E:91:AD:3E:27:04:2B:3F:45
gd_intermediate, Jan 23, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 
D5:DF:85:B7:9A:52:87:D1:8C:D5:0F:90:23:2D:B5:34
ca.sipx.company.net, Dec 14, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 
53:1F:6D:98:EE:C8:A0:94:11:8F:7B:B0:8E:45:29:8B


[r...@sipx ssl]# /etc/init.d/sipxecs stop
Stopping sipXpbx:
Stopping apache:
   Stopping: sipxsupervisor
   Confirm Stop: sipxsupervisor ..........                  [  OK  ]


[r...@sipx ssl]# /etc/init.d/sipxecs start
Checking bootstrap setup:                                  [  OK  ]
Checking TLS/SSL configuration:                            [  OK  ]
Checking Per-process file descriptor limits:               [  OK  ]
Checking rpm configuration file updates:                   [  OK  ]
Checking SELinux is not enforcing:                         [  OK  ]
Checking Apache configuration:                             [  OK  ]
Checking hostname is fully qualified:                      [  OK  ]
Checking localhost address configured:                     [  OK  ]
Checking localhost name is not shared:                     [  OK  ]
Checking /tmp directory has correct permissions:           [  OK  ]

Starting sipXpbx:
Starting sipxsupervisor:                                   [  OK  ]
Starting httpd:                                            [  OK  ]

--- end capture --

On Tue, 19 Jan 2010, Scott Lawrence wrote:

> On Mon, 2010-01-18 at 16:56 -0600, mkitchin.pub...@gmail.com wrote:
>> Sorry for spreading this across multiple emails. It seems it may
>> definitely be the SSL certificate. I'm far from an expert in this,
>> but
>> it looks like it can't figure out where to go to verify the SSL
>> cert. I may have to abort and go back to the internal certificate I
>> guess. I don't have a clue what the correct (assuming it is possible)
>> way to fix this would be.
>>
>> "2010-01-18T22:49:30.483308Z":1:KERNEL:ERR:nshpbx1.sipx.voip:pid-32405:739B5C30:mediaservercgi:"OsSSL::verifyCallback
>> invalid certificate at depth 0\n       error='unable to get local
>> issuer
>> certificate'\n
>> issuer='/DC=net/DC=dsi-corp/CN=nshsubject='/C=US/ST=TN/L=Davidson/O=DSI/OU=VoIP
>> Services/CN=nshpbx1.sipx.voip/emailaddress=matt...@munged.com'"
>> "2010-01-18T22:49:30.483508Z":2:KERNEL:ERR:nshpbx1.sipx.voip:pid-32405:739B5C30:mediaservercgi:"OsSSLConnectionSocket
>> SSL_connect failed: :\n   SSL error: 1
>> 'error:00000001:lib(0):func(0):reason(1)'"
>> "2010-01-18T22:49:30.483555Z":3:HTTP:ERR:nshpbx1.sipx.voip:pid-32405:739B5C30:mediaservercgi:"HttpMessage::get[4]
>> socket to 10.87.20.5:8443 not connected, retry 1 after 20ms"
>> "2010-01-18T22:49:30.510936Z":4:KERNEL:ERR:nshpbx1.sipx.voip:pid-32405:739B5C30:mediaservercgi:"OsSSL::verifyCallback
>> invalid certificate at depth 0\n       error='unable to get local
>> issuer
>> certificate'\n
>
> You need to install the certificate chain for the authority that issued
> your SSL cert.  The fact that there's no easy way to do this is one of
> the problems with using external certificates in 4.0.
>
> You can try this... get the certificate (or certificates... if the CA
> uses a chain, you need them all) from the CA in PEM format.
>
> Copy the certificates into the directory /etc/sipxpbx/ssl/authorities,
> and then run /usr/bin/ssl-cert/ca_rehash and restart your sipXecs
> processes.
>
> Warning: this feature is buggy.  This may make things worse.  If you
> need a reliable system, go back to the internal certs and wait for 4.2
>
> _______________________________________________
> sipx-users mailing list sipx-users@list.sipfoundry.org
> List Archive: http://list.sipfoundry.org/archive/sipx-users
> Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
> sipXecs IP PBX -- http://www.sipfoundry.org/
>
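
A triage helper for the OsSSL::verifyCallback errors quoted in this thread, for confirming after the restart that no new chain failures are being logged. It is an added example, not part of the original messages or of sipXecs; the field layout is inferred from the quoted log lines, entries are expected unwrapped (one per line), and the sample entries are constructed.

```python
import re
from collections import Counter

# Field layout inferred from the log lines quoted in this thread (an assumption):
# "timestamp":seq:facility:priority:host:task:thread:component:"message"
LINE = re.compile(
    r'^"(?P<ts>[^"]+)":\d+:(?P<facility>\w+):(?P<prio>\w+):(?P<host>[^:]+):'
    r'[^:]+:[0-9A-Fa-f]+:(?P<component>[^:]+):"(?P<msg>.*)"$'
)
VERIFY = re.compile(r"OsSSL::verifyCallback invalid certificate at depth (\d+)")
ERROR = re.compile(r"error='([^']*)'")
SUBJECT = re.compile(r"subject='([^']*)'")
SOCKET = re.compile(r"socket to (\S+) not connected")

# Constructed sample input: hostnames, DNs and the address are placeholders.
SAMPLE = [
    r'''"2010-01-18T22:49:30.483308Z":1:KERNEL:ERR:pbx.example.test:pid-100:739B5C30:mediaservercgi:"OsSSL::verifyCallback invalid certificate at depth 0\n       error='unable to get local issuer certificate'\n issuer='/CN=Example Issuing CA' subject='/CN=pbx.example.test'"''',
    r'''"2010-01-18T22:49:30.483508Z":2:KERNEL:ERR:pbx.example.test:pid-100:739B5C30:mediaservercgi:"OsSSLConnectionSocket SSL_connect failed: :\n   SSL error: 1 'error:00000001:lib(0):func(0):reason(1)'"''',
    r'''"2010-01-18T22:49:30.483555Z":3:HTTP:ERR:pbx.example.test:pid-100:739B5C30:mediaservercgi:"HttpMessage::get[4] socket to 192.0.2.10:8443 not connected, retry 1 after 20ms"''',
    r'''"2010-01-18T22:49:30.510936Z":4:KERNEL:ERR:pbx.example.test:pid-100:739B5C30:mediaservercgi:"OsSSL::verifyCallback invalid certificate at depth 0\n       error='unable to get local issuer certificate'\n issuer='/CN=Example Issuing CA' subject='/CN=pbx.example.test'"''',
]


def triage(lines):
    """Count verification failures and collect endpoints that failed to connect."""
    failures, endpoints = Counter(), set()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not in the expected layout; skip rather than guess
        msg = m.group("msg")
        v = VERIFY.search(msg)
        if v:
            err, subj = ERROR.search(msg), SUBJECT.search(msg)
            key = (m.group("component"), int(v.group(1)),
                   err.group(1) if err else "?", subj.group(1) if subj else "?")
            failures[key] += 1
        s = SOCKET.search(msg)
        if s:
            endpoints.add(s.group(1))
    return failures, endpoints


def missing_issuer(failures):
    """Subjects of certificates whose issuer was not found in the trust store."""
    return sorted({subj for (_, _, err, subj) in failures
                   if err == "unable to get local issuer certificate"})
```

A depth 0 entry with this error means the server certificate itself could not be linked to any issuer the client trusts, which is the case the intermediate imports above address.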