[Freeswitch-users] tls ca setup

Alexandre Fiori fiorix at gmail.com
Mon Jul 2 06:09:38 MSD 2012


Bria 3 suddenly stopped working on my mac, reporting this:

  All accounts failed to enable

  Account: test could not be enabled.
  Problem at server, error 503. Try again later.

Nothing shows up on fs_cli, but tcpdump shows traffic. Changing sofia to loglevel 9 gives me this:

  tport_wakeup_pri(0x164dbd0): events IN
  tport_alloc_secondary(0x164dbd0): new secondary tport 0x7f39b9acce80
  tport_tls_accept(0x7f39b9acce80): new connection from tls/x.x.x.x:33351/sips
  tls_connect(0x7f39b9acce80): events NEGOTIATING
  tls_connect(0x7f39b9acce80): events NEGOTIATING
  tls_connect(0x7f39b9acce80): TLS setup failed (error:00000001:lib(0):func(0):reason(1))
  tport_close(0x7f39b9acce80): tls/x.x.x.x:33351/sips

This is not a happy Canada day, where's my phone? It turns out the self-signed root CA generated by `gentls_cert setup` has expired.
How did I figure it out? First, on the server:

  # openssl x509 -noout -in /opt/freeswitch/conf/ssl/CA/cacert.pem -dates
  notBefore=Jun  2 01:44:26 2012 GMT
  notAfter=Jul  1 01:44:26 2012 GMT

Second, I opened https://my-server:5061 in Safari and got a "This certificate is not valid (expired root)".

It seems the script is missing `-days`, here: http://git.freeswitch.org/git/freeswitch/tree/scripts/gentls_cert.in#n83
Manually adding it fixed the problem.


--
Ship, ahoy! Hast seen the White Whale?
  - Cap'n Ahab
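
A pre-expiry check along the lines of the diagnosis in this message, as an added example that is not part of the original post or of FreeSWITCH. The function names `cert_expires_within`, `make_test_ca` and `demo` are hypothetical, and the certificates are constructed test CAs written to a temporary directory; the demo also shows that `openssl req -x509` falls back to a 30-day validity when `-days` is omitted.

```shell
#!/bin/sh
# Added example: warn before a PEM certificate (such as a self-signed root CA) expires.

# cert_expires_within FILE DAYS
#   returns 0 if the certificate expires within DAYS days (or already has),
#           1 if it remains valid for longer,
#           2 if FILE cannot be parsed as a certificate.
cert_expires_within() {
    file=$1
    days=$2
    openssl x509 -noout -in "$file" >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the cert is still valid N seconds from now.
    if openssl x509 -noout -in "$file" -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_test_ca PREFIX [DAYS]
#   writes a constructed self-signed CA to PREFIX.pem / PREFIX.key.
#   With DAYS empty, -days is omitted and openssl uses its 30-day default.
make_test_ca() {
    out=$1
    days=$2
    openssl req -x509 -newkey rsa:2048 -nodes \
        -subj "/CN=constructed test CA" \
        -keyout "$out.key" -out "$out.pem" ${days:+-days $days} >/dev/null 2>&1
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_test_ca "$tmp/default" ""     # no -days: 30-day validity
    make_test_ca "$tmp/tenyear" 3650   # explicit -days
    for c in default tenyear; do
        openssl x509 -noout -enddate -in "$tmp/$c.pem"
        if cert_expires_within "$tmp/$c.pem" 60; then
            echo "$c: WARNING, expires within 60 days"
        else
            echo "$c: ok"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Run from cron against the real CA and server certificates, a non-empty WARNING line gives notice before clients start failing the TLS handshake.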
