[Freeswitch-users] Achieving TLS + SRTP for inbound calls

David P davidswalkabout at gmail.com
Thu May 31 17:00:49 UTC 2018


Hi Joel,

I'm on mobile now, but when I looked at the certbot install page for
debian-jessie manual install, it links to backports page, and that page
warns it's not prod-ready, IIRC.

My EC2 is already in the state described by your steps. The question is how
to create wss.pem (and dtls-srtp.pem?) from the PEM files installed by certbot.

Cheers,
David

On Thu, 31 May 2018, 9:55 am Joel Serrano, <joel at textplus.com> wrote:

> Hi David,
>
> I don't understand your issues with goal 2 using Let's Encrypt, that
> option certainly works and is widely used. What problems are you facing?
> If you don't have enough confidence in backports you can always download
> the latest stable release of certbot:
> https://certbot.eff.org/lets-encrypt/pip-other
>
> Install
> Since it doesn't seem like your operating system has a packaged version
> of Certbot, you should use our certbot-auto script to get a copy:
>
> wget https://dl.eff.org/certbot-auto
> chmod a+x certbot-auto
>
>
> But, Certbot themselves are recommending installation on debian jessie
> using the backports repository:
>
> Install
> Since Certbot is packaged for your system, all you'll need to do is
> apt-get the following packages.
>
> First you'll have to follow the instructions here to enable the Jessie
> backports repo, if you have not already done so. Then run:
>
> $ sudo apt-get install certbot -t jessie-backports
>
>
>
> What are your concerns regarding using certbot installed from
> jessie-backports?
>
>
>
> Going back to the topic, if you created /etc/freeswitch before installing
> the packages, the installer will not deploy the vanilla config.
>
> I assume you installed from packages (as it's the recommended easy way),
> if so, uninstall them, delete /etc/freeswitch, then install again:
>
> 1- Add signing key and repo (only done once, you should have already done
> this):
>
> wget -O - https://files.freeswitch.org/repo/deb/debian/freeswitch_archive_g0.pub | apt-key add -
> echo "deb http://files.freeswitch.org/repo/deb/freeswitch-1.6/ jessie main" > /etc/apt/sources.list.d/freeswitch.list
>
> 2- Remove current installation:
>
> apt-get purge freeswitch*
>
> 3- Make sure /etc/freeswitch doesn't exist:
>
> rm -rf /etc/freeswitch
>
> 4- Install freeswitch:
>
> apt-get update && apt-get install -y freeswitch-meta-all
>
>
> Done!
>
> You should have /etc/freeswitch deployed, and you can start doing your
> updates in /etc/freeswitch/sip_profiles etc...
>
>
>
>
> On Wed, May 30, 2018 at 4:33 PM, David P <davidswalkabout at gmail.com>
> wrote:
>
>> Hi Joel and Branden,
>>
>> I have three goals:
>> 1) To have an FS install that secures all WebRTC and SIP traffic to it
>> 2) An install that doesn't require WebRTC users to manually fetch the
>> certificate
>> 3) An install that uses only production-ready software
>>
>> For goal 1, Mike and Giovanni have said a Debian Jessie minimal is the
>> best or only choice.
>>
>> For goal 2, I'm avoiding gentls_cert and its self-signed certs. As a
>> first attempt, I'm trying to get a free CA cert from LetsEncrypt via
>> certbot. Unfortunately, doing this on debian jessie requires that I use
>> backports that are described as "as-is", so I'm sacrificing goal 3 for the
>> time being.
>>
>> In order to inform FS where it can find the private key, cert, and chain,
>> I was planning to introduce soft links to the files that certbot put
>> under /etc/letsencrypt/live/my.domain.com/
>>
>> I'm ready to do that, except that sip_profiles/internal.xml isn't where
>> it normally would be, because I followed
>> https://freeswitch.org/confluence/display/FREESWITCH/Debian+8+Jessie#highlighter_549778
>> and created /etc/freeswitch/ without knowing why I should do that. So
>> /usr/local/freeswitch/ does not exist, unfortunately. Also, echo
>> ${prefix} is blank. So, I did a find from slash for internal.xml and found
>> four matches:
>>
>> /usr/share/freeswitch/conf/insideout/sip_profiles/internal.xml
>> /usr/share/freeswitch/conf/sbc/sbc_profiles/internal.xml
>> /usr/share/freeswitch/conf/vanilla/sip_profiles/internal.xml
>> /usr/share/freeswitch/conf/vanilla/skinny_profiles/internal.xml
>>
>> Which of these should I edit?
>>
>> Also, is it necessary to concatenate my private key, cert, and chain into
>> a "wss.pem" as suggested at
>> https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#highlighter_647427
>>
>> Cheers,
>> David
>>
>> On Tue, May 29, 2018 at 12:34 PM, Joel Serrano <joel at textplus.com> wrote:
>>
>>> Hi David,
>>>
>>> So it all depends... Those docs are just introductions to get a setup "up
>>> and running". For example, in the docs you generate self-signed
>>> certificates that (although perfectly valid) can give you issues with
>>> browsers because their CA is not trusted, etc. Regarding expiration, it all
>>> depends, as this is something you choose.
>>>
>>> Going down to your specific problems:
>>>
>>> 1- ${prefix} is just a variable, that will be replaced with a value,
>>> normally /usr/local/freeswitch, but can be anything (depending on where you
>>> installed FS).
>>> 2- When it comes to the "path" that you specify in the config for the
>>> certificates, it can also be anything, the important part is that you make
>>> sure that the user you run FS with has access to reading those files. If
>>> you don't like using ${prefix} you can directly set /path/to/your/certs,
>>> just remember to double-check the permissions.
>>> 3- When you renew your certificate, you will have to make FS aware of
>>> that, I'd have to check but I'm pretty sure that after updating the files a
>>> sofia profile rescan should be enough.
>>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Services
>> sales at freeswitch.com
>> https://freeswitch.com
>>
>> Official FreeSWITCH Sites
>> https://freeswitch.com/oss
>> https://freeswitch.org/confluence
>> https://cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> https://freeswitch.com
>>
>
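For the question above about building wss.pem from certbot's output, here is an added example (not code from this thread or from the FreeSWITCH project) that concatenates privkey.pem, cert.pem and chain.pem from a certbot live directory into one bundle, makes it readable only by its owner so the private key is not exposed, and sanity-checks the result. The live directory, the output path, and the key-then-cert-then-chain order are assumptions.

```shell
#!/bin/sh
# Added example: builds the wss.pem bundle FreeSWITCH is pointed at from the
# files certbot leaves in /etc/letsencrypt/live/<domain>/ (privkey.pem,
# cert.pem, chain.pem). Paths and the key-cert-chain order are assumptions.
set -eu

# build_wss_pem LIVE_DIR OUT_FILE
# Concatenates key + cert + chain into OUT_FILE. The file is written under a
# restrictive umask and left at mode 0600 so the private key is never
# world-readable; chown it to the account FreeSWITCH runs as afterwards.
build_wss_pem() {
    live="$1"; out="$2"
    for f in privkey.pem cert.pem chain.pem; do
        [ -s "$live/$f" ] || { echo "missing or empty: $live/$f" >&2; return 1; }
    done
    tmp="$out.tmp.$$"
    # Subshell so the umask change does not leak into the caller's shell.
    ( umask 077; cat "$live/privkey.pem" "$live/cert.pem" "$live/chain.pem" > "$tmp" )
    chmod 600 "$tmp"
    mv "$tmp" "$out"   # atomic replace: a reader never sees a half-written bundle
}

# check_wss_pem OUT_FILE
# Verifies the bundle: private key is the first block, at least two
# certificate blocks follow (leaf + chain), and the mode is exactly 0600.
check_wss_pem() {
    out="$1"
    case "$(head -n 1 "$out")" in
        *"BEGIN "*"PRIVATE KEY"*) ;;
        *) echo "$out: private key is not the first block" >&2; return 1 ;;
    esac
    certs=$(grep -c 'BEGIN CERTIFICATE' "$out" || true)
    [ "$certs" -ge 2 ] || { echo "$out: expected leaf cert plus chain" >&2; return 1; }
    [ -n "$(find "$out" -perm 600)" ] || { echo "$out: mode must be 0600" >&2; return 1; }
}

# Usage: ./make-wss-pem.sh /etc/letsencrypt/live/my.domain.com /etc/freeswitch/tls/wss.pem
if [ "$#" -ge 2 ]; then
    build_wss_pem "$1" "$2"
    check_wss_pem "$2"
fi
```

Run it again after every certbot renewal so the bundle FreeSWITCH reads does not go stale while the files under /etc/letsencrypt/live/ are refreshed.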