stunnel backrevved to 4.26-1 (version included with sipX 4.2) and tunnel 
seems to be up (no dead services so far). I'll keep an eye on it to make 
sure that was the issue.

Josh Patten
Assistant Network Administrator
Brazos County IT Dept.
(979) 361-4676


On 5/4/2010 8:51 AM, Josh Patten wrote:
> Do you think I should try backreving stunnel?
>
> Josh Patten
> Assistant Network Administrator
> Brazos County IT Dept.
> (979) 361-4676
>
>
> On 5/4/2010 7:48 AM, DANS, RAYMOND (RAYMOND) wrote:
>    
>>> Subject: Re: [sipx-users] 4.2 HA CDR tunnel SSL issue
>>>
>>> Perhaps I could try regenerating all certificates? I'm not
>>> sure how to do this in a cluster environment. Could someone
>>> point me in the right direction? I know in a single node
>>> environment you can use this:
>>> http://sipx-wiki.calivia.com/index.php/SSL_Certificates but I
>>> haven't been able to find any instructions for doing that in a cluster.
>>>
>>> Josh Patten
>>> Assistant Network Administrator
>>> Brazos County IT Dept.
>>> (979) 361-4676
>>>
>>>
>>> On 5/3/2010 11:37 AM, Josh Patten wrote:
>>>
>>>        
>>>> What I did to build this test system was:
>>>>
>>>> Install sipX 4.0.4 from ISO
>>>> backup the primary production server via sipXconfig
>>>> backup the secondary production server from command line (sipx-backup)
>>>>
>>>> restore both the primary and secondary servers via command line in the
>>>> test environment.
>>>>
>>>> After I do this, Firefox cannot connect because of an SSL issue. To
>>>> get around this I load up sipXconfig on IE and send profiles to the server.
>>>>
>>>> I then perform the 4.2 upgrade.
>>>>
>>>> After the 4.2 upgrade everything ran fine for a few hours then that
>>>> certificate error popped up.
>>>>
>>>> stunnel on both servers is 4.28-1
>>>>
>>>> config is identical on both servers:
>>>>
>>>> service = sipxcallresolver-agent
>>>> pid     = /var/run/sipxpbx/sipxcallresolver-agent.pid
>>>> verify  = 2
>>>> debug   = 5
>>>> output  = /var/log/sipxpbx/sipxcallresolver-agent.log
>>>> CApath  = /etc/sipxpbx/ssl/authorities
>>>> cert    = /etc/sipxpbx/ssl/ssl.crt
>>>> key     = /etc/sipxpbx/ssl/ssl.key
>>>> client  = no
>>>> foreground = yes
>>>>
>>>> [postgresql]
>>>> accept  = 9300
>>>> connect = 5432
>>>>
>>>>
>>>> Josh Patten
>>>> Assistant Network Administrator
>>>> Brazos County IT Dept.
>>>> (979) 361-4676
>>>>
>>>>
>>>> On 5/3/2010 10:40 AM, DANS, RAYMOND (RAYMOND) wrote:
>>>>
>>>>
>>>>          
>>>>>> On 4/30/2010 1:50 PM, Josh Patten wrote:
>>>>>>
>>>>>>> Today on my test 4.2 environment I received an alarm email that the
>>>>>>> CallResolver-Agent stopped unexpectedly on the secondary HA server and
>>>>>>> could not start. Here was the error:
>>>>>>>
>>>>>>> 2010.04.30 13:43:04 LOG7[5134:3086362320]: RAND_status claims sufficient entropy for the PRNG
>>>>>>> 2010.04.30 13:43:04 LOG7[5134:3086362320]: PRNG seeded successfully
>>>>>>> 2010.04.30 13:43:04 LOG7[5134:3086362320]: Certificate: /etc/sipxpbx/ssl/ssl.crt
>>>>>>> 2010.04.30 13:43:04 LOG7[5134:3086362320]: Certificate loaded
>>>>>>> 2010.04.30 13:43:04 LOG7[5134:3086362320]: Key file: /etc/sipxpbx/ssl/ssl.key
>>>>>>> 2010.04.30 13:43:04 LOG7[5134:3086362320]: Private key loaded
>>>>>>> 2010.04.30 13:43:04 LOG7[5134:3086362320]: Verify directory set to /etc/sipxpbx/ssl/authorities
>>>>>>> 2010.04.30 13:43:04 LOG7[5134:3086362320]: Added /etc/sipxpbx/ssl/authorities revocation lookup directory
>>>>>>> 2010.04.30 13:43:04 LOG7[5134:3086362320]: SSL context initialized for service postgresql
>>>>>>> 2010.04.30 13:43:04 LOG3[5134:3086362320]: FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match
>>>>>>>
>>>>>>> Any recommendation on how I should tackle this problem? It looks like
>>>>>>> I have a certificate issue but I'm not sure.
>>>>>>>
>>>>> Josh, can you tell me what version of stunnel you're using
>>>>> (rpm -qa | grep stunnel) and also show me your stunnel
>>>>> configuration file (usually it's
>>>>> /etc/sipxpbx/sipxcallresolver-agent-config).  I've never seen
>>>>> this issue before nor can I find any information on it.
>>>>>
>>>>> The current version of stunnel that we're using is 4.26-1.
>>>>>
>>>>> Thanks
>>>>> Raymond
>>>>>
>> Josh,
>>       As Scott said, I'm not sure it's actually a certificate issue.  I've 
>> found that with version 4.28 of stunnel, it makes use of FIPS (Federal 
>> Information Processing Standards) in OpenSSL and the minimum version of 
>> OpenSSL required is 0.9.8j.  I'm not sure what version of OpenSSL you have 
>> but I suspect that it's something related to FIPS as I don't believe the 
>> version of OpenSSL we use, 0.9.8g, makes use of it.
>>
>> Raymond
>>      
> _______________________________________________
> sipx-users mailing list sipx-users@list.sipfoundry.org
> List Archive: http://list.sipfoundry.org/archive/sipx-users
> Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
> sipXecs IP PBX -- http://www.sipfoundry.org/
>    
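
The log quoted in this thread, run through a small triage script (an added example, not part of the original messages and not sipXecs or stunnel code): it splits stunnel records even where mail wrapping has run them together, and reports whether the first error-level record comes from OpenSSL FIPS initialization or looks like a certificate problem. The function names and the keyword heuristic for certificate errors are assumptions; the sample lines are taken from the log quoted above.

```python
import re

STAMP = r"\d{4}\.\d{2}\.\d{2}\s+\d{2}:\d{2}:\d{2}"
# One stunnel record is "<stamp> LOG<level>[<pid>:<thread>]: <message>"; the
# message runs to the next stamp, so wrapped or run-together lines still split.
RECORD = re.compile(
    rf"({STAMP})\s+LOG(\d)\[(\d+):\d+\]:\s*(.*?)(?=\s*{STAMP}\s+LOG\d\[|\Z)",
    re.S,
)

def parse(text):
    """Return (timestamp, syslog_level, pid, message) tuples in log order."""
    return [(" ".join(ts.split()), int(lvl), int(pid), " ".join(msg.split()))
            for ts, lvl, pid, msg in RECORD.findall(text)]

def triage(text):
    """Describe the first error-level record (LOG3 or more severe), or None."""
    seen = []  # messages logged before the error
    for ts, lvl, pid, msg in parse(text):
        if lvl > 3:
            seen.append(msg)
            continue
        if "FIPS_mode_set" in msg:
            cause = "openssl-fips-init"
        elif re.search(r"verify|certificate", msg, re.I):  # heuristic (assumption)
            cause = "certificate"
        else:
            cause = "other"
        return {"time": ts, "pid": pid, "cause": cause, "message": msg,
                "cert_loaded": "Certificate loaded" in seen,
                "key_loaded": "Private key loaded" in seen}
    return None

# Sample: lines from the log quoted in this thread, with mail wrapping kept.
SAMPLE = """\
2010.04.30 13:43:04 LOG7[5134:3086362320]: Certificate: /etc/sipxpbx/ssl/ssl.crt
2010.04.30 13:43:04 LOG7[5134:3086362320]: Certificate loaded
2010.04.30 13:43:04 LOG7[5134:3086362320]: Key file:
/etc/sipxpbx/ssl/ssl.key 2010.04.30 13:43:04 LOG7[5134:3086362320]:
Private key loaded 2010.04.30 13:43:04 LOG7[5134:3086362320]: SSL context
initialized for service postgresql 2010.04.30 13:43:04
LOG3[5134:3086362320]: FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS
routines:FIPS_mode_set:fingerprint does not match
"""

if __name__ == "__main__":
    print(len(parse(SAMPLE)), "records;", triage(SAMPLE))
```

A result with `cause` set to `openssl-fips-init` while `cert_loaded` and `key_loaded` are both true matches the reading given in the thread: the certificate and key were read successfully before the FIPS error was logged.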
