[Freeswitch-users] Achieving TLS + SRTP for inbound calls

Joel Serrano joel at textplus.com
Fri Jun 1 01:06:35 UTC 2018


Hi David,

The order to create the .pem file would be:

private-key
certificate
intermediate1
intermediate...X


On Thu, May 31, 2018 at 15:40 David P <davidswalkabout at gmail.com> wrote:

> Hi Joel,
>
> I'm on mobile now, but when I looked at the certbot install page for
> debian-jessie manual install, it links to backports page, and that page
> warns it's not prod-ready, IIRC.
>
> My EC2 is already in the state described by your steps. The question is
> how to create wss.pem (and dtls-srtp.pem?) from the pem's installed by
> certbot.
>
> Cheers,
> David
>
> On Thu, 31 May 2018, 9:55 am Joel Serrano, <joel at textplus.com> wrote:
>
>> Hi David,
>>
>> I don't understand your issues with goal 2 using let's encrypt, that
>> option certainly works and is widely used. What problems are you facing?
>> If you don't have enough confidence on backports you can always download
>> the latest stable release of certbot:
>> https://certbot.eff.org/lets-encrypt/pip-other
>>
>> Install
>> Since it doesn't seem like your operating system has a packaged version
>> of Certbot, you should use our certbot-auto script to get a copy:
>>
>> wget https://dl.eff.org/certbot-auto
>> chmod a+x certbot-auto
>>
>>
>> But, Certbot themselves are recommending installation on debian jessie
>> using the backports repository:
>>
>> Install
>> Since Certbot is packaged for your system, all you'll need to do is
>> apt-get the following packages.
>>
>> First you'll have to follow the instructions here to enable the Jessie
>> backports repo, if you have not already done so. Then run:
>>
>> $ sudo apt-get install certbot -t jessie-backports
>>
>>
>>
>> What are your concerns regarding using certbot installed from
>> jessie-backports?
>>
>>
>>
>> Going back to the topic, if you created /etc/freeswitch before installing
>> the packages, the installer will not deploy the vanilla config.
>>
>> I assume you installed from packages (as it's the recommended easy way),
>> if so, uninstall them, delete /etc/freeswitch, then install again:
>>
>> 1- Add signing key and repo (only done once, you should have already done
>> this):
>>
>> wget -O - https://files.freeswitch.org/repo/deb/debian/freeswitch_archive_g0.pub | apt-key add -
>> echo "deb http://files.freeswitch.org/repo/deb/freeswitch-1.6/ jessie main" > /etc/apt/sources.list.d/freeswitch.list
>>
>> 2- Remove current installation:
>>
>> apt-get purge freeswitch*
>>
>> 3- Make sure /etc/freeswitch doesn't exist:
>>
>> rm -rf /etc/freeswitch
>>
>> 4- Install freeswitch:
>>
>> apt-get update && apt-get install -y freeswitch-meta-all
>>
>>
>> Done!
>>
>> You should have /etc/freeswitch deployed, and you can start doing your
>> updates in /etc/freeswitch/sip_profiles etc...
>>
>>
>>
>>
>> On Wed, May 30, 2018 at 4:33 PM, David P <davidswalkabout at gmail.com>
>> wrote:
>>
>>> Hi Joel and Branden,
>>>
>>> I have three goals:
>>> 1) To have an FS install that secures all WebRTC and SIP traffic to it
>>> 2) An install that doesn't require WebRTC users to manually fetch the
>>> certificate
>>> 3) An install that uses only production-ready software
>>>
>>> For goal 1, Mike and Giovanni have said a Debian Jessie minimal is the
>>> best or only choice.
>>>
>>> For goal 2, I'm avoiding gentls_cert and its self-signed certs. As a
>>> first attempt, I'm trying to get a free CA cert from LetsEncrypt via
>>> certbot. Unfortunately, doing this on debian jessie requires that I use
>>> backports that are described as "as-is", so I'm sacrificing goal 3 for the
>>> time being.
>>>
>>> In order to inform FS where it can find the private key, cert, and
>>> chain, I was planning to introduce soft links to the files that certbot put
>>> under /etc/letsencrypt/live/my.domain.com/
>>>
>>> I'm ready to do that, except that sip_profiles/internal.xml isn't where
>>> it normally would be, because I followed
>>> https://freeswitch.org/confluence/display/FREESWITCH/Debian+8+Jessie#highlighter_549778
>>> and created /etc/freeswitch/ without knowing why I should do that. So
>>> /usr/local/freeswitch/ does not exist, unfortunately. Also, echo
>>> ${prefix} is blank. So, I did a find from slash for internal.xml and found
>>> four matches:
>>>
>>> /usr/share/freeswitch/conf/insideout/sip_profiles/internal.xml
>>> /usr/share/freeswitch/conf/sbc/sbc_profiles/internal.xml
>>> /usr/share/freeswitch/conf/vanilla/sip_profiles/internal.xml
>>> /usr/share/freeswitch/conf/vanilla/skinny_profiles/internal.xml
>>>
>>> Which of these should I edit?
>>>
>>> Also, is it necessary to concatenate my private key, cert, and chain
>>> into a "wss.pem" as suggested at
>>> https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#highlighter_647427
>>>
>>> Cheers,
>>> David
>>>
>>> On Tue, May 29, 2018 at 12:34 PM, Joel Serrano <joel at textplus.com>
>>> wrote:
>>>
>>>> Hi David,
>>>>
>>>> So it all depends.. Those docs are just introductions to get a setup
>>>> "up and running". For example, in the docs you generate self-signed
>>>> certificates that (although perfectly valid) can give you issues with
>>>> browsers because their CA is not trusted, etc. Regarding expiration, it all
>>>> depends, as this is something you choose.
>>>>
>>>> Going down to your specific problems:
>>>>
>>>> 1- ..${prefix}.. is just a variable, that will be replaced with a
>>>> value, normally /usr/local/freeswitch, but can be anything (depending on
>>>> where you installed FS).
>>>> 2- When it comes to the "path" that you specify in the config for the
>>>> certificates, it can also be anything, the important part is that you make
>>>> sure that the user you run FS with has access to reading those files. If
>>>> you don't like using ${prefix} you can directly set /path/to/your/certs,
>>>> just remember double checking the permissions.
>>>> 3- When you renew your certificate, you will have to make FS aware of
>>>> that, I'd have to check but I'm pretty sure that after updating the files a
>>>> sofia profile rescan should be enough.
>>>>
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Services
>>> sales at freeswitch.com
>>> https://freeswitch.com
>>>
>>> Official FreeSWITCH Sites
>>> https://freeswitch.com/oss
>>> https://freeswitch.org/confluence
>>> https://cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> https://freeswitch.com
>>>
>>
>>
>
>
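Joel's answer at the top of the thread is the recipe for building wss.pem from the files certbot leaves under /etc/letsencrypt/live/<domain>/; the script below is an added example (not from the thread or the FreeSWITCH project) that applies that order and, when openssl is installed, checks that privkey.pem and cert.pem belong together. The live directory and output path are placeholders to adjust for your host.

```shell
#!/bin/sh
# Added example: build FreeSWITCH's wss.pem from a certbot "live" directory
# in the order given above (private key, certificate, intermediates).
# certbot's chain.pem already holds the intermediates leaf-nearest first,
# so privkey.pem + cert.pem + chain.pem is the complete bundle.
set -eu

# build_wss_pem <certbot live dir> <output file>
# e.g. build_wss_pem /etc/letsencrypt/live/my.domain.com /etc/freeswitch/tls/wss.pem
build_wss_pem() {
    live_dir="$1"
    out="$2"
    for f in privkey.pem cert.pem chain.pem; do
        # Checked as the invoking user; the FreeSWITCH user must be able to read $out too.
        [ -r "$live_dir/$f" ] || { echo "missing or unreadable: $live_dir/$f" >&2; return 1; }
    done
    # The bundle contains the private key, so create it mode 0600 from the start.
    ( umask 077; cat "$live_dir/privkey.pem" "$live_dir/cert.pem" "$live_dir/chain.pem" > "$out" )
    # Consistency check (only when openssl is installed): the certificate's
    # public key must be the one that belongs to privkey.pem.
    if command -v openssl >/dev/null 2>&1; then
        k=$(openssl pkey -in "$live_dir/privkey.pem" -pubout 2>/dev/null || true)
        c=$(openssl x509 -in "$live_dir/cert.pem" -noout -pubkey 2>/dev/null || true)
        if [ -n "$k" ] && [ -n "$c" ] && [ "$k" != "$c" ]; then
            echo "privkey.pem does not match cert.pem" >&2
            return 1
        fi
    fi
}

# pem_block_order <file>: print the sequence of PEM blocks, e.g. "KEY CERT CERT CERT",
# so the ordering can be eyeballed (or tested).
pem_block_order() {
    awk '/^-----BEGIN .*PRIVATE KEY-----$/ { o = o "KEY " }
         /^-----BEGIN CERTIFICATE-----$/    { o = o "CERT " }
         END { sub(/ $/, "", o); print o }' "$1"
}

# Stand-alone use: sh build_wss_pem.sh <live dir> <output file>
if [ "$#" -eq 2 ]; then
    build_wss_pem "$1" "$2"
    pem_block_order "$2"
fi
```

After every renewal the bundle has to be rebuilt and FreeSWITCH told about it (Joel's point 3 above: a sofia profile rescan); a certbot renewal hook is the usual place to run this.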
