Thanks for your reply, Mircea. It really helped me figure it out.
- Short version

In a timeline, this is what happened:

1 - Installed a server
    - New CA and certificates
2 - After some months, installed a second server.
    - New certificate for the new server, using the existing CA
3 - Certificates for the master were about to expire, so I created new ones as per the wiki<http://wiki.sipfoundry.org/display/sipXecs/SSL+Certificates> instructions
    - New CA and certificates again
4 - Secondary couldn't be 'reached', with an SSL error of 'alert unknown ca'
5 - Retried the initial-config script without success
6 - Email to sipx-users
7 - Created new certificates for the secondary using ~/sslkeys as the workdir for gen-ssl-cert.sh and install-cert.sh
8 - Installed the new certs on the secondary and it's all OK now

- Long version

I hit this by reading http://wiki.sipfoundry.org/display/sipXecs/SSL+Keys+and+Keystores

I even executed the initial-config script, which gave me the tarball with the certs. The contents of the tarball are:

./etc/
./etc/sipxpbx/
./etc/sipxpbx/domain-config
./etc/sipxpbx/sipxsupervisor-config
./etc/sipxpbx/ssl/
./etc/sipxpbx/ssl/authorities/
./etc/sipxpbx/ssl/authorities/ca.primary.example.com.crt
./etc/sipxpbx/ssl/authorities/394968cf.0
./etc/sipxpbx/ssl/ssl.crt
./etc/sipxpbx/ssl/ssl.key
./etc/sipxpbx/ssl/ssl-web.crt
./etc/sipxpbx/ssl/ssl-web.key
./etc/ntp.conf
./etc/ntp/
./etc/ntp/step-tickers
./etc/named.conf
./etc/resolv.conf

Then I installed only the contents of ./etc/sipxpbx/ssl on the secondary server, and still it can't be contacted by the primary; tested by running sipxproc -n <fqdn> and using sipXconfig.
On the secondary, I had the following logs in /var/log/sipxpbx/sipxsupervisor.log:

"2012-12-05T16:28:04.686868Z":227:KERNEL:INFO:srv02.example.com:HttpServer-3:B7AFFB90:Supervisor:"OsSSL::_ 0x8188f00 CTX 0x81f50a8 loaded key pair:\n public '/etc/sipxpbx/ssl/ssl.crt'\n private '/etc/sipxpbx/ssl/ssl.key'"
"2012-12-05T16:28:04.686964Z":228:KERNEL:INFO:srv02.example.com:HttpServer-3:B7AFFB90:Supervisor:"OsConnectionSocket::_[2] (0.0.0.0, 8)"
"2012-12-05T16:28:04.688092Z":229:KERNEL:ERR:srv02.example.com:HttpServer-3:B7AFFB90:Supervisor:"OsSSLServerSocket SSL_accept - incompatible client?:\n SSL error: 1 'error:00000001:lib(0):func(0):reason(1)'"
"2012-12-05T16:28:04.688135Z":230:KERNEL:ERR:srv02.example.com:HttpServer-3:B7AFFB90:Supervisor:"OsSSLServerSocket SSL_accept - incompatible client?:\n SSL error: 336151576 'error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'"
"2012-12-05T16:28:04.688175Z":231:KERNEL:INFO:srv02.example.com:HttpServer-3:B7AFFB90:Supervisor:"OsSSLConnectionSocket::close"
"2012-12-05T16:28:04.688243Z":232:KERNEL:INFO:srv02.example.com:HttpServer-3:B7AFFB90:Supervisor:"OsConnectionSocket::~"

which makes me wonder why the heck it's an 'unknown ca'?

Well, when I updated the certs according to the wiki<http://wiki.sipfoundry.org/display/sipXecs/SSL+Certificates>, I ended up with a bunch of files in my ~/sslkeys. Using the method described, I just created a new CA along with a new self-signed certificate. The new CA and certs get installed in /etc/sipxpbx/ssl, so the master is fine.

On the other hand, when you do an install, or run sipxecs-setup, /usr/bin/ssl-cert/gen-ssl-keys.sh uses /var/sipxdata/certdb as its staging area, then /usr/bin/ssl-cert/install-cert.sh installs the certs from there to /etc/sipxpbx/ssl. The same happens when the initial-config script is called; the workdir is set to /var/sipxdata/certdb, and there was my problem. In my /var/sipxdata/certdb I had the previous CA certificates, from the original install.
After I used the wiki<http://wiki.sipfoundry.org/display/sipXecs/SSL+Certificates> method - the certs were about to expire - I changed (without knowing it) my CA to the new one, but only in my ~/sslkeys; my /var/sipxdata/certdb was never touched. At this point I had a master working OK. When I noticed the servers were unable to communicate with each other, I tried the initial-config approach, which gave me new certs based on the old CA in the master's /var/sipxdata/certdb. Still the same problem.

My conclusion:

- If you have only one server, it's OK to use the wiki<http://wiki.sipfoundry.org/display/sipXecs/SSL+Certificates> to regen your certs.
- If you have more than one server, maybe you should run the gen-ssl-cert.sh script from /var/sipxdata/certdb or even pass the path using the --workdir option.

Sorry for being so prolix.

- MM

On Wed, Dec 5, 2012 at 2:03 PM, Mircea Carasel <mirc...@ezuce.com> wrote:
>
> On Wed, Dec 5, 2012 at 4:14 PM, Melcon Moraes <mel...@gmail.com> wrote:
>> I'm having a hard time trying to update a certificate in my setup with two boxes:
>>
>> - Primary server has all the roles, but ACD
>> - Secondary server has only the ACD role
>>
>> I have read both wiki pages:
>>
>> http://wiki.sipfoundry.org/display/sipXecs/SSL+Certificates
>> http://wiki.sipfoundry.org/display/sipXecs/SSL+Keys+and+Keystores
>>
>> and tried the /usr/bin/ssl-cert/gen-ssl-keys.sh script as described by the wiki. Everything is fine on the primary but the certs on the second never get updated. I've already tried Sending profiles on System->Servers-><secondary server FQDN> and it didn't work.
>>
>> On the primary, if I try sipxproc -n <fqdn of secondary> I receive:
>> /usr/lib/ruby/1.8/net/http.rb:586:in `connect': certificate verify failed (OpenSSL::SSL::SSLError)
>>
>> At this point, I can't update any configuration on the secondary - in this case, ACD settings - because RPCs will fail on the SSL.
>>
>> What is the correct way to update certificates on all servers?
>> Is removing/re-adding the secondary server the only way to reconfigure SSL on it?
>>
>> What else do I need to check in both servers to find what's wrong?
>>
> In 4.4, when a secondary node is added, there is a script called "initial-config" that gets executed. The initial-config script creates an archive <location_name>.tar.gz that contains certificates for the secondary host. The secondary host calls a service on the primary and downloads this archive and unpacks it.
> Here is the fragment from this script that creates the certificates for the secondary host:
>
> # generate TLS credentials
> @SIPX_BINDIR@/ssl-cert/gen-ssl-keys.sh \
>     --newhost --workdir "@SIPX_VARDIR@/certdb" -d -s "${newHostname}" \
>     || exit 1
> @SIPX_BINDIR@/ssl-cert/install-cert.sh \
>     --workdir "@SIPX_VARDIR@/certdb" --install-prefix "${INITIAL_CONFIG}" "${newHostname}" \
>     || exit 1
>
> Hope this helps
> Mircea
>
>> Thanks in advance.
>>
>> -
>> MM
>>
>> _______________________________________________
>> sipx-users mailing list
>> sipx-users@list.sipfoundry.org
>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
> _______________________________________________
> sipx-users mailing list
> sipx-users@list.sipfoundry.org
> List Archive: http://list.sipfoundry.org/archive/sipx-users/
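The failure in this thread comes down to one question: does the certificate a node presents chain to the CA the peer currently trusts? The script below is an added example, not code from the thread or from sipXecs. It rebuilds the timeline with throwaway CAs (an "old" CA that issued the secondary's certificate, a "new" CA generated at renewal time), then shows the checks to run against a real node's /etc/sipxpbx/ssl before suspecting anything else. WORK is an assumed scratch directory standing in for /var/sipxdata/certdb; the host and CA names are made up. It uses only the openssl command-line tool.

```sh
#!/bin/sh
# Added example, not from the sipx-users thread or the sipXecs project.
# Reproduces the 'unknown ca' mismatch with throwaway CAs and provides the
# per-node checks. WORK is an assumption standing in for /var/sipxdata/certdb.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: self-signed CA written to $WORK/ca.NAME.{key,crt}
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=ca.$1" \
        -keyout "$WORK/ca.$1.key" -out "$WORK/ca.$1.crt" 2>/dev/null
}

# make_host_cert CANAME HOST: host certificate for HOST signed by ca.CANAME
make_host_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/ca.$1.crt" -CAkey "$WORK/ca.$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# cert_chains_to CA_FILE CERT_FILE: succeeds iff CERT_FILE verifies against
# CA_FILE. This is the check the peer performs in the TLS handshake; when it
# fails, the other side logs exactly the 'tlsv1 alert unknown ca' seen above.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# ca_fingerprint CA_FILE: SHA-256 fingerprint, to compare the CA one node
# trusts (authorities/) with the CA that actually issued the peer's ssl.crt
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# same_ca FILE_A FILE_B: succeeds iff both files hold the same certificate
same_ca() {
    [ "$(ca_fingerprint "$1")" = "$(ca_fingerprint "$2")" ]
}

# ca_hash_name CA_FILE: the '<subject_hash>.0' file name OpenSSL looks for in
# a hashed CA directory (the shape of the 394968cf.0 entry in the tarball
# listing). A stale hash file is one way an old CA stays trusted after a regen.
ca_hash_name() {
    printf '%s.0\n' "$(openssl x509 -noout -subject_hash -in "$1")"
}

# issuer_of CERT_FILE: issuer DN, to see which CA signed a node's ssl.crt
issuer_of() {
    openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//'
}

# demo: the thread's timeline in miniature. The old CA from the original
# install issued the secondary's certificate; the new CA was generated at
# renewal time and is now the only one the primary trusts.
demo() {
    make_ca old.example.com
    make_ca new.example.com
    make_host_cert old.example.com srv02.example.com
    cert="$WORK/srv02.example.com.crt"

    echo "secondary ssl.crt issuer: $(issuer_of "$cert")"
    echo "old CA hashed name:       $(ca_hash_name "$WORK/ca.old.example.com.crt")"
    echo "new CA hashed name:       $(ca_hash_name "$WORK/ca.new.example.com.crt")"

    if cert_chains_to "$WORK/ca.old.example.com.crt" "$cert"; then
        echo "verify against old CA: OK"
    fi
    if ! cert_chains_to "$WORK/ca.new.example.com.crt" "$cert"; then
        echo "verify against new CA: FAILED (this is the 'unknown ca' case)"
    fi
    if ! same_ca "$WORK/ca.old.example.com.crt" "$WORK/ca.new.example.com.crt"; then
        echo "the two CA files are different certificates; re-issue or re-sync"
    fi
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh check-ca.sh demo` to see the mismatch reproduced, or source it on a real node and call `cert_chains_to /etc/sipxpbx/ssl/authorities/ca.primary.example.com.crt /etc/sipxpbx/ssl/ssl.crt` on each box, plus `same_ca` across the two nodes' authorities/ files: if the fingerprints differ, no amount of re-sending profiles will help until both nodes hold the same CA and certificates issued by it.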