[Freeswitch-users] Curious TLS issue: "tls.pem" file

Michael Collins msc at freeswitch.org
Thu Nov 13 23:52:54 MSK 2014


Okay, that was the clue I needed. I hadn't updated the location in the
vars.xml so it was looking in the wrong place. The right place also hadn't
been set w/ the correct perms. Once I did those two items it all magically
worked.

Many thanks!
-MC

On Thu, Nov 13, 2014 at 5:43 AM, Brian West <brian at freeswitch.org> wrote:

> It's what it will look at if nothing is defined. What exactly have you
> set up so far for TLS?
>
>
> On Wed, Nov 12, 2014 at 9:08 PM, Michael Collins <msc at freeswitch.org>
> wrote:
>
>> Hello all,
>>
>> I have been attempting to set up a CentOS (yeah, I know...) system for a
>> buddy and the TLS on the internal profile is causing a failure. I did a
>> sofia loglevel tport 9 and then loaded the internal profile. I see a
>> curious reference to /usr/conf/ssl/tls.pem:
>>
>> 2014-11-12 18:51:26.223262 [DEBUG] sofia.c:2747 Creating agent for
>> internal
>> tport.c:498 tport_tcreate() tport_create(): 0x7f0cf8046840
>> tport.c:1615 tport_bind_server() tport_bind_server(0x7f0cf8046840) to
>> */EXTERN_IP_ADDR:5060/sip
>> tport.c:1685 tport_bind_server() tport_bind_server(0x7f0cf8046840):
>> calling tport_listen for udp
>> tport.c:621 tport_alloc_primary() tport_alloc_primary(0x7f0cf8046840):
>> new primary tport 0x7f0cf8021be0
>> tport.c:751 tport_listen() tport_listen(0x7f0cf8021be0): listening at
>> udp/EXTERN_IP_ADDR:5060/sip
>> tport.c:1685 tport_bind_server() tport_bind_server(0x7f0cf8046840):
>> calling tport_listen for tcp
>> tport.c:621 tport_alloc_primary() tport_alloc_primary(0x7f0cf8046840):
>> new primary tport 0x7f0cf8070d30
>> tport.c:751 tport_listen() tport_listen(0x7f0cf8070d30): listening at
>> tcp/EXTERN_IP_ADDR:5060/sip
>> tport.c:1615 tport_bind_server() tport_bind_server(0x7f0cf8046840) to
>> tls/EXTERN_IP_ADDR:5061/sips
>> tport.c:1685 tport_bind_server() tport_bind_server(0x7f0cf8046840):
>> calling tport_listen for tls
>> tport.c:621 tport_alloc_primary() tport_alloc_primary(0x7f0cf8046840):
>> new primary tport 0x7f0cf8066c90
>> tport_type_tls.c:239 tport_tls_init_master()
>> tport_tls_init_master(0x7f0cf8066c90): tls key = /usr/conf/ssl/tls.pem
>> tport_tls.c:353 tls_init_context() tls_init_context: invalid local
>> certificate: /usr/conf/ssl/tls.pem
>> tport_tls.c:158 tls_log_errors() tls_init_context: 0200100d:system
>> library:fopen:Permission denied
>> tport_tls.c:158 tls_log_errors() tls_init_context: 20074002:BIO
>> routines:FILE_CTRL:system lib
>> tport_tls.c:158 tls_log_errors() tls_init_context: 140ad002:SSL
>> routines:SSL_CTX_use_certificate_file:system lib
>> tport_tls.c:367 tls_init_context() tls_init_context: invalid private key:
>> /usr/conf/ssl/tls.pem
>> tport_tls.c:158 tls_log_errors() tls_init_context(key): 0200100d:system
>> library:fopen:Permission denied
>> tport_tls.c:158 tls_log_errors() tls_init_context(key): 20074002:BIO
>> routines:FILE_CTRL:system lib
>> tport_tls.c:158 tls_log_errors() tls_init_context(key): 140b0002:SSL
>> routines:SSL_CTX_use_PrivateKey_file:system lib
>> tport_tls.c:379 tls_init_context() tls_init_context: private key does not
>> match the certificate public key
>> tport_tls.c:391 tls_init_context() tls_init_context: error loading CA
>> list: cafile.pem
>> tport_tls.c:158 tls_log_errors() tls_init_context(CA): 140a80b1:SSL
>> routines:SSL_CTX_check_private_key:no certificate assigned
>> tport_tls.c:158 tls_log_errors() tls_init_context(CA): 02001002:system
>> library:fopen:No such file or directory
>> tport_tls.c:158 tls_log_errors() tls_init_context(CA): 2006d080:BIO
>> routines:BIO_new_file:no such file
>> tport_tls.c:158 tls_log_errors() tls_init_context(CA): 0b084002:x509
>> certificate routines:X509_load_cert_crl_file:system lib
>> tport.c:727 tport_listen() tport_listen(0x7f0cf8046840):
>> tls_init_master(pf=2 tls/[EXTERN_IP_ADDR]:5061): Input/output error
>> tport.c:555 tport_destroy() tport_destroy(0x7f0cf8046840)
>> 2014-11-12 18:51:26.223262 [ERR] sofia.c:2847 Error Creating SIP UA for
>> profile: internal (sip:mod_sofia at EXTERN_IP_ADDR:5060;transport=udp,tcp)
>> ATTEMPT 1 (RETRY IN 5 SEC)
>>
>> I can't find any tls.pem file referred to in any config file and a Google
>> search of "tls.pem" yields many references to agent.pem, key.pem, foo.pem
>> but never "tls.pem"...
>>
>> The gentls stuff in the wiki all seemed to work as I saw no errors and I
>> got agent.pem and cafile.pem and other miscellaneous files. Any thoughts on
>> this?
>>
>> Thanks!
>> -MC
>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://confluence.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>
>
>
> --
>
> *Brian West*
> brian at freeswitch.org
>
>
> *Twitter: @FreeSWITCH , @briankwest*
> http://www.freeswitchbook.com
> http://www.freeswitchcookbook.com
>
> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>
>
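
The log quoted in this thread stacks several OpenSSL errors on top of each other. The following is an added example, not part of the original posts and not FreeSWITCH code: it re-joins the mail-wrapped log records and pairs each failed file load with the first OS-level (`system library`) error logged after it. The names `unwrap` and `root_causes` are made up for illustration.

```python
import re

# Excerpt of the quoted, mail-wrapped log from the post (subset of its lines).
SAMPLE = """\
>> tport_tls.c:353 tls_init_context() tls_init_context: invalid local
>> certificate: /usr/conf/ssl/tls.pem
>> tport_tls.c:158 tls_log_errors() tls_init_context: 0200100d:system
>> library:fopen:Permission denied
>> tport_tls.c:367 tls_init_context() tls_init_context: invalid private key:
>> /usr/conf/ssl/tls.pem
>> tport_tls.c:158 tls_log_errors() tls_init_context(key): 0200100d:system
>> library:fopen:Permission denied
>> tport_tls.c:379 tls_init_context() tls_init_context: private key does not
>> match the certificate public key
>> tport_tls.c:391 tls_init_context() tls_init_context: error loading CA
>> list: cafile.pem
>> tport_tls.c:158 tls_log_errors() tls_init_context(CA): 140a80b1:SSL
>> routines:SSL_CTX_check_private_key:no certificate assigned
>> tport_tls.c:158 tls_log_errors() tls_init_context(CA): 02001002:system
>> library:fopen:No such file or directory
"""

RECORD = re.compile(r"^\w+\.c:\d+ ")          # start of a sofia tport record
LOAD_FAIL = re.compile(r"tls_init_context: (invalid local certificate|"
                       r"invalid private key|error loading CA list): (\S+)")
OS_ERR = re.compile(r"tls_log_errors\(\) \S+: [0-9a-f]{8}:system library:\w+:(.+)")

def unwrap(text):  # strip '>' quote markers, re-join records the mailer wrapped
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if RECORD.match(line) or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def root_causes(text):  # (failed load, path, first OS error after it or None)
    found = []
    for rec in unwrap(text):
        fail, os_err = LOAD_FAIL.search(rec), OS_ERR.search(rec)
        if fail:
            found.append([fail.group(1), fail.group(2), None])
        elif os_err and found and found[-1][2] is None:
            found[-1][2] = os_err.group(1)
    return [tuple(f) for f in found]

if __name__ == "__main__":
    print(*root_causes(SAMPLE), sep="\n")
```

On the excerpt this reports `Permission denied` for `/usr/conf/ssl/tls.pem` (certificate and key) and `No such file or directory` for `cafile.pem`; the "private key does not match" record carries no OS error of its own, and the log's `no certificate assigned` entry shows no certificate had been loaded at that point.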

