[Freeswitch-users] tls with letsencrypt

Mirko Brankovic mirkobrankovic at gmail.com
Fri Jan 6 13:58:48 MSK 2017


Hey,
All I had to do to get it to work is to place cert and key in one pem file for
FS, so like:

    cat /etc/letsencrypt/live/${domain}/cert.pem \
        /etc/letsencrypt/live/${domain}/privkey.pem \
        > /usr/local/freeswitch/certs/wss.pem

On Fri, Jan 6, 2017 at 3:24 AM, ITwrx.org <info at itwrx.org> wrote:

> dtls-srtp.pem,
> tls.pem(the "stand in" i previously described),
> and the original (could be from my old server where i set up tls following
> the freeswitch wiki) tls.pem which has been renamed to tls.pem.orig.
>
>
> On 01/05/2017 06:43 PM, Brian West wrote:
>
> There is a lot more to it than that, what files are in that tls folder?
>
> On Thu, Jan 5, 2017 at 4:53 PM, ITwrx.org <info at itwrx.org> wrote:
>
>> i just copied the pem formatted cert that certbot generated to
>> /etc/freeswitch/tls and named it tls.pem. it's freeswitch:freeswitch 660
>> for perms. freeswitch seems capable of reading it, as the tls enabled
>> profile starts up. i only get an error in fs_cli when the csipsimple client
>> tries to connect using tls.
>>
>> thanks
>>
>>
>> On 01/05/2017 04:36 PM, Brian West wrote:
>>
>> How did you format the cert? and in what files did you put them in? and
>> are your permissions correct on those files?
>>
>> On Thu, Jan 5, 2017 at 2:55 PM, ITwrx.org <info at itwrx.org> wrote:
>>
>>> hi,
>>>
>>> i'm trying to use a letsencrypt generated cert with freeswitch but am
>>> not sure how to proceed. I've read the old and new wiki posts concerning
>>> tls but they don't seem to cover my exact scenario. It seems to me that
>>> freeswitch is looking into the configured "tls-cert-dir" for the
>>> hardcoded filename tls.pem and is expecting that a self generated ca has
>>> signed it. i have placed the fullchain.pem in that directory (generated
>>> with certbot) and have renamed it tls.pem but i guess it's not finding
>>> the CA sig it expects(?) as i'm getting:
>>>
>>> tport_tls.c:1044 tls_connect() tls_connect(0x373c000e8d0): TLS setup
>>> failed (error:00000005:lib(0):func(0):DH lib)
>>>
>>> when trying to connect with csipsimple from phone. I would like to avoid
>>> generating client certs signed by a custom CA where users have to copy
>>> the client cert and ca cert to their device as it adds complexity and
>>> problems. Is there a workaround or suggested method for using a
>>> letsencrypt cert with freeswitch so that clients like csipsimple can
>>> just validate against their built-in CA store?
>>>
>>> thanks in advance,
>>> ITwrx
>>>
>>> --
>>> Information Technology Works
>>> https://ITwrx.org
>>> @ITwrxorg
>>>
>>>
>>> ____________________________________________________________
>>> _____________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://confluence.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>
>>
>>
>> --
>>
>> *Brian West*
>> brian at freeswitch.org
>>
>>
>> *Twitter: @FreeSWITCH , @briankwest*
>> http://www.freeswitchbook.com
>> http://www.freeswitchcookbook.com
>> https://www.gofundme.com/freeswitch_ubuntu
>>
>> Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit:
>> /r/freeswitch <https://www.reddit.com/r/freeswitch>
>>
>> *T:*+19184209001 <%28918%29%20420-9001> | *F:*+19184209002
>> <%28918%29%20420-9002> | *M:*+1918424WEST (9378)
>> *Skype:*briankwest
>>
>>
>
>



-- 
Regards,
Mirko
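
Added example, not part of Mirko's message or of FreeSWITCH itself: a shell sketch that builds the combined PEM described in the reply above, first confirming that the certificate and private key belong together and that the result holds both blocks. The function names and the script name bundle.sh are hypothetical, and it assumes openssl is installed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not FreeSWITCH tooling.

# Print how many PEM blocks in FILE carry a BEGIN label matching LABEL-REGEX.
pem_count() {  # pem_count FILE LABEL-REGEX
    n=$(grep -Ec -- "^-----BEGIN ($2)-----" "$1" 2>/dev/null) || :
    echo "${n:-0}"
}

# True only if FILE holds at least one certificate AND one private key.
# A certificate-only file (no key block) fails this check.
bundle_has_cert_and_key() {
    [ "$(pem_count "$1" 'CERTIFICATE')" -ge 1 ] &&
        [ "$(pem_count "$1" '(RSA |EC )?PRIVATE KEY')" -ge 1 ]
}

# True if the public key in CERT equals the one derived from KEY (needs openssl).
cert_matches_key() {  # cert_matches_key CERT KEY
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Concatenate CERT and KEY into OUT, refusing mismatched pairs.
# mktemp creates the temp file mode 0600, so the key is never world-readable,
# and mv replaces OUT in one step so a reader never sees a half-written file.
build_bundle() {  # build_bundle CERT KEY OUT
    cert_matches_key "$1" "$2" || { echo "cert/key mismatch" >&2; return 1; }
    tmp=$(mktemp "$3.XXXXXX") || return 1
    cat "$1" "$2" > "$tmp" && bundle_has_cert_and_key "$tmp" &&
        mv "$tmp" "$3" || { rm -f "$tmp"; return 1; }
}

# Usage with the paths from the thread (domain is a placeholder):
#   sh bundle.sh /etc/letsencrypt/live/$domain/cert.pem \
#      /etc/letsencrypt/live/$domain/privkey.pem /usr/local/freeswitch/certs/wss.pem
if [ "$#" -eq 3 ]; then
    build_bundle "$@"
fi
```

The bundle is written mode 0600 and owned by the invoking user, so run the script as the account FreeSWITCH runs under, or chown the result to it.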