<div dir="ltr">I've tried working through the page you provided, but I've encountered some loose ends. First, in order to use a CA cert, I installed certbot alongside Apache on Ubuntu16.04. This is an AWS EC2, so I don't have many options on which distro I can use. You recommended against Ubuntu; would you elaborate why?<div><br></div><div>This Apache is on the same machine as FS. I no longer serve verto files from Apache (they're now in S3/CloudFront), but I suspect Apache may still be needed to serve the cert for wss. But FS can probably do that itself. Anyway, <a href="https://www.ssllabs.com/ssltest/analyze.html?d=my.domain.com">https://www.ssllabs.com/ssltest/analyze.html?d=my.domain.com</a> shows the cert is reachable and valid. On disk, they're at:</div><div><div>/etc/letsencrypt/live/<a href="http://my.domain.com/fullchain.pem">my.domain.com/fullchain.pem</a></div><div>/etc/letsencrypt/live/<a href="http://my.domain.com/privkey.pem">my.domain.com/privkey.pem</a><br></div></div><div><br></div><div>Do these need to be renamed for FS to find them?</div><div><br></div><div><a href="https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#WebRTC-InstallCertificates">https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#WebRTC-InstallCertificates</a> says I should edit sip_profiles/internal.xml</div><div>so that<br><param name="tls-cert-dir" value="(path to certs)"/><br><param name="wss-binding" value=":7443"/><br></div><div><br></div><div>Should
<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">(path to certs) be replaced with
<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">/etc/letsencrypt/live/<a href="http://my.domain.com/">my.domain.com/</a> ?</span></span></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></span></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span 
style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Even though I haven't finished the config above, this test suggests something is working:</span></span></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></span></div><div><div>sudo /opt/freeswitch/bin/fs_cli -x 'sofia status profile internal' | grep WSS-BIND-URL</div><div>WSS-BIND-URL sips:mod_sofia@(private EC2 IP):7443;transport=wss</div></div><div><br></div><div>Later steps say to create a wss.pem under /usr/local/freeswitch/certs/wss.pem but there is no certs/ after FS install; am I supposed to mkdir it?</div><div><br></div><div>Later steps also say to create conf/autoload_configs/verto.conf.xml but there is no conf/ Should I mkdir it?</div><div><br></div><div>
David<br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 24, 2018 at 9:32 AM, Michael Jerris <span dir="ltr">&lt;<a href="mailto:mike@jerris.com" target="_blank">mike@jerris.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word">We will gen what's needed for DTLS-SRTP automatically; you need to provide the cert for WSS (same as what you need for TLS, as WSS is just TLS-secured WS). It does require the cert and chain. More info:<div><br></div><div><a href="https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#WebRTC-InstallCertificates" target="_blank">https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#WebRTC-InstallCertificates</a></div><div><br></div><div>Mike</div><div><div class="gmail-h5"><div><br><div><br><blockquote type="cite"><div>On May 24, 2018, at 12:23 PM, David P &lt;<a href="mailto:davidswalkabout@gmail.com" target="_blank">davidswalkabout@gmail.com</a>&gt; wrote:</div><br><div><div dir="auto">Thanks, Mike, I'll try another distro.<div dir="auto"><br></div><div dir="auto">About verto, which I already serve under an AWS free non-exportable cert, does it need the gentls-generated CA root cert somewhere?</div><div dir="auto"><br></div><div dir="auto">And do I need any more steps to secure the streamed media?</div></div></div></blockquote></div></div></div></div></div></blockquote></div><br></div></div></div>
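The thread leaves open what actually goes into the directory named by tls-cert-dir, and the concatenated file the later steps ask for is where the private key ends up. The script below is an added example, not code from this thread or from the FreeSWITCH project. It assumes (the page does not state it) that mod_sofia wants a single wss.pem containing the full chain followed by the private key, that FreeSWITCH runs as a user named freeswitch, and that /usr/local/freeswitch/certs and /opt/freeswitch/bin/fs_cli (both taken from the thread) are the right paths on the box; adjust the variables at the top. RENEWED_LINEAGE is the variable certbot exports to deploy hooks. The script checks that the leaf certificate and the key are a pair before writing anything, writes the file with mode 0600 via a subshell umask so the key is never briefly world-readable, warns when fullchain.pem carries no intermediate (browsers need the chain for wss://), and replaces the file atomically so FreeSWITCH never reads a half-written PEM:

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeSWITCH project.
# Builds the single wss.pem that mod_sofia reads from tls-cert-dir out of a
# Let's Encrypt lineage, refuses a certificate/key pair that do not belong
# together, and keeps the private key out of reach of other local users.
#
# Assumptions (not stated on the page): wss.pem = full chain followed by the
# private key; FreeSWITCH runs as the user in FS_USER; the paths below are
# placeholders to adjust. RENEWED_LINEAGE is the variable certbot exports
# to deploy hooks.
set -eu

FS_CERT_DIR="${FS_CERT_DIR:-/usr/local/freeswitch/certs}"   # value of tls-cert-dir
FS_USER="${FS_USER:-freeswitch}"                              # assumed service user
FS_CLI="${FS_CLI:-/opt/freeswitch/bin/fs_cli}"                # path from the thread

# Public key of the first (leaf) certificate in a PEM file.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey
}

# Public key derived from a private key file.
key_pubkey() {
    openssl pkey -in "$1" -pubout
}

# Succeeds only if the leaf certificate and the private key are a pair.
# A mismatch here is the classic cause of a TLS handshake failure on wss://.
cert_matches_key() {
    [ "$(cert_pubkey "$1")" = "$(key_pubkey "$2")" ]
}

# Number of PEM blocks in $2 whose label ends in $1 (CERTIFICATE, PRIVATE KEY).
count_pem_blocks() {
    grep -c "^-----BEGIN .*$1-----\$" "$2" || true
}

# Write chain + key to $3 with mode 0600, atomically, refusing mismatched pairs.
build_wss_pem() {
    chain="$1"; key="$2"; out="$3"
    if ! cert_matches_key "$chain" "$key"; then
        echo "refusing: $chain does not match $key" >&2
        return 1
    fi
    [ "$(count_pem_blocks CERTIFICATE "$chain")" -ge 2 ] ||
        echo "warning: $chain holds no intermediate; browsers need the chain" >&2
    # umask in a subshell: the private key never exists world-readable, even briefly.
    ( umask 077; cat "$chain" "$key" > "$out.tmp" )
    mv "$out.tmp" "$out"    # rename is atomic; FS never reads a half-written file
}

# certbot deploy hook: rebuild wss.pem after every renewal and restart the
# profile so mod_sofia loads the new certificate (assumed to be needed; the
# restart drops calls on that profile, so schedule renewals accordingly).
deploy_hook() {
    lineage="${RENEWED_LINEAGE:?set by certbot for deploy hooks}"
    build_wss_pem "$lineage/fullchain.pem" "$lineage/privkey.pem" "$FS_CERT_DIR/wss.pem"
    chown "$FS_USER:$FS_USER" "$FS_CERT_DIR/wss.pem"
    "$FS_CLI" -x 'sofia profile internal restart' >/dev/null
}

# One-off usage:  make-wss-pem.sh /etc/letsencrypt/live/my.domain.com
# As a hook: copy into /etc/letsencrypt/renewal-hooks/deploy/ (certbot runs
# every executable there after a successful renewal, with RENEWED_LINEAGE set).
if [ "$#" -eq 1 ]; then
    mkdir -p "$FS_CERT_DIR"
    build_wss_pem "$1/fullchain.pem" "$1/privkey.pem" "$FS_CERT_DIR/wss.pem"
    chown "$FS_USER:$FS_USER" "$FS_CERT_DIR/wss.pem"
    echo "wrote $FS_CERT_DIR/wss.pem: $(count_pem_blocks CERTIFICATE "$FS_CERT_DIR/wss.pem") certificate(s), $(count_pem_blocks 'PRIVATE KEY' "$FS_CERT_DIR/wss.pem") key"
elif [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

Pointing tls-cert-dir straight at /etc/letsencrypt/live/my.domain.com/ is the tempting shortcut, but certbot keeps that tree readable by root only, and the files there are named fullchain.pem and privkey.pem rather than wss.pem, so FreeSWITCH running as its own user would find nothing it can read. Copying into a directory FreeSWITCH owns, with the key file at 0600, also means a Let's Encrypt renewal (every 90 days or less) does not silently leave the WSS listener serving an expired certificate, provided the deploy hook is installed.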