<div dir="auto">Use debian 8 jessie 64 bit minimal server install</div><br><div class="gmail_quote"><div dir="ltr">On Sun, May 27, 2018, 10:57 David P <<a href="mailto:davidswalkabout@gmail.com">davidswalkabout@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I've tried working through the page you provided, but I've encountered some loose ends. First, in order to use a CA cert, I installed certbot alongside Apache on Ubuntu16.04. This is an AWS EC2, so I don't have many options on which distro I can use. You recommended against Ubuntu; would you elaborate why?<div><br></div><div>This Apache is on the same machine as FS. I no longer serve verto files from Apache (they're now in S3/CloudFront), but I suspect Apache may still be needed to serve the cert for wss. But FS can probably do that itself. Anyway, <a href="https://www.ssllabs.com/ssltest/analyze.html?d=my.domain.com" target="_blank" rel="noreferrer">https://www.ssllabs.com/ssltest/analyze.html?d=my.domain.com</a> shows the cert is reachable and valid. On disk, they're at:</div><div><div>/etc/letsencrypt/live/<a href="http://my.domain.com/fullchain.pem" target="_blank" rel="noreferrer">my.domain.com/fullchain.pem</a></div><div>/etc/letsencrypt/live/<a href="http://my.domain.com/privkey.pem" target="_blank" rel="noreferrer">my.domain.com/privkey.pem</a><br></div></div><div><br></div><div>Do these need to be renamed for FS to find them?</div><div><br></div><div><a href="https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#WebRTC-InstallCertificates" target="_blank" rel="noreferrer">https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#WebRTC-InstallCertificates</a> says I should edit sip_profiles/internal.xml</div><div>so that<br><param name="tls-cert-dir" value="(path to certs)"/><br><param name="wss-binding" value=":7443"/><br></div><div><br></div><div>Should 

<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">(path to certs) be replaced with 

<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">/etc/letsencrypt/live/<a href="http://my.domain.com/" target="_blank" rel="noreferrer">my.domain.com/</a> ?</span></span></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></span></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span 
style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Even though I haven't finished the config above, this test suggests something is working:</span></span></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></span></div><div><div>sudo /opt/freeswitch/bin/fs_cli -x 'sofia status profile internal' | grep WSS-BIND-URL</div><div>WSS-BIND-URL            sips:mod_sofia@(private EC2 IP):7443;transport=wss</div></div><div><br></div><div>Later steps say to create a wss.pem under /usr/local/freeswitch/certs/wss.pem but there is no certs/ after FS install; am I supposed to mkdir it?</div><div><br></div><div>Later steps also say to create conf/autoload_configs/verto.conf.xml but there is no conf/. Should I mkdir it?</div><div><br></div><div>

David<br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 24, 2018 at 9:32 AM, Michael Jerris <span dir="ltr"><<a href="mailto:mike@jerris.com" target="_blank" rel="noreferrer">mike@jerris.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word">we will gen what's needed for dtls srtp automatically, you need to provide the cert for wss (same as what you need for tls, as wss is just tls secured ws). It does require the cert and chain. More info:<div><br></div><div><a href="https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#WebRTC-InstallCertificates" target="_blank" rel="noreferrer">https://freeswitch.org/confluence/display/FREESWITCH/WebRTC#WebRTC-InstallCertificates</a></div><div><br></div><div>Mike</div><div><div class="m_8324956353379871044gmail-h5"><div><br><div><br><blockquote type="cite"><div>On May 24, 2018, at 12:23 PM, David P <<a href="mailto:davidswalkabout@gmail.com" target="_blank" rel="noreferrer">davidswalkabout@gmail.com</a>> wrote:</div><br class="m_8324956353379871044gmail-m_7432886919037041259Apple-interchange-newline"><div><div dir="auto">Thanks, Mike, I'll try another distro.<div dir="auto"><br></div><div dir="auto">About verto, which I already serve under an AWS free non-exportable cert, does it need the gentls-generated CA root cert somewhere?</div><div dir="auto"><br></div><div dir="auto">And do I need any more steps to secure the streamed media?</div></div></div></blockquote></div></div></div></div></div></blockquote></div><br></div></div></div>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank" rel="noreferrer">FreeSWITCH-users@lists.freeswitch.org</a><br>
</blockquote></div>
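An added example, not part of the original thread or of FreeSWITCH itself: a shell helper that assembles a `wss.pem` from the certbot files named above, refusing to write it unless `fullchain.pem` actually carries a chain (the "cert and chain" requirement from the reply) and keeping the private key unreadable to other users. It assumes FreeSWITCH reads certificate, chain and key from a single `wss.pem` in its `tls-cert-dir`; the function names and the output path argument are hypothetical.

```shell
#!/bin/sh
# Added example: build wss.pem from certbot's fullchain.pem + privkey.pem.
# Assumption: FreeSWITCH loads cert, chain and key from one wss.pem file.

# count_blocks FILE LABEL -> prints the number of PEM "BEGIN ... LABEL" lines
count_blocks() {
    grep -c -- "-----BEGIN .*$2-----" "$1" 2>/dev/null || true
}

# build_wss_pem LIVE_DIR OUT_FILE
# Return codes: 0 ok, 2 input missing, 3 no chain, 4 bad key file, 5 write error
build_wss_pem() {
    live_dir=$1
    out=$2
    chain="$live_dir/fullchain.pem"
    key="$live_dir/privkey.pem"

    [ -r "$chain" ] && [ -r "$key" ] || {
        echo "cannot read fullchain.pem/privkey.pem in $live_dir" >&2; return 2; }

    # fullchain.pem = leaf certificate followed by the intermediate(s).
    # A single block means the chain is missing and clients cannot validate.
    certs=$(count_blocks "$chain" CERTIFICATE)
    [ "$certs" -ge 2 ] || {
        echo "$chain holds $certs certificate(s); leaf + chain required" >&2; return 3; }

    # Matches PKCS#8 ("PRIVATE KEY") as well as "RSA/EC PRIVATE KEY" headers.
    keys=$(count_blocks "$key" "PRIVATE KEY")
    [ "$keys" -eq 1 ] || {
        echo "$key must contain exactly one private key" >&2; return 4; }

    out_dir=$(dirname "$out")
    mkdir -p "$out_dir" || return 5
    # mktemp creates the file mode 0600, so the key is never world-readable,
    # and mv makes the replacement atomic for a running server.
    tmp=$(mktemp "$out_dir/.wss.pem.XXXXXX") || return 5
    cat "$chain" "$key" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$out" || {
        rm -f "$tmp"; return 5; }
}

# Stand-alone use: sh build_wss.sh /etc/letsencrypt/live/my.domain.com /path/to/certs/wss.pem
if [ "$#" -eq 2 ]; then
    build_wss_pem "$1" "$2"
fi
```

The resulting file must be owned by, or at least readable to, the account FreeSWITCH runs as, and it has to be rebuilt after each certbot renewal.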