[Freeswitch-users] tls with letsencrypt

ITwrx.org info at itwrx.org
Fri Jan 6 21:19:05 MSK 2017


Thanks for everyone's input. i ended up concatenating the cert, the
intermediate cert and the key from letsencrypt as tls.pem and i can
register and make calls with linphone desktop client over tls. Before, i
had the cert and the intermediate cert concatenated as tls.pem. :)

csipsimple still causes the "dh_lib" error, however. Is this caused by a
cipher suite mismatch between freeswitch and csipsimple? or something else?

thanks.

On 01/06/2017 04:58 AM, Mirko Brankovic wrote:
> Hey,
> All I had to do to get it to work is to place cert and key in one pem
> file for FS, so like:
> cat /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/privkey.pem > /usr/local/freeswitch/certs/wss.pem
>
> On Fri, Jan 6, 2017 at 3:24 AM, ITwrx.org <info at itwrx.org> wrote:
>
>     dtls-srtp.pem,
>     tls.pem(the "stand in" i previously described),
>     and the original (could be from my old server where i set up tls
>     following the freeswitch wiki) tls.pem which has been renamed to
>     tls.pem.orig.
>
>
>     On 01/05/2017 06:43 PM, Brian West wrote:
>>     There is a lot more to it than that, what files are in that tls
>>     folder?
>>
>>     On Thu, Jan 5, 2017 at 4:53 PM, ITwrx.org <info at itwrx.org> wrote:
>>
>>         i just copied the pem formatted cert that certbot generated
>>         to /etc/freeswitch/tls and named it tls.pem. it's
>>         freeswitch:freeswitch 660 for perms. freeswitch seems capable
>>         of reading it, as the tls enabled profile starts up. i only
>>         get an error in fs_cli when the csipsimple client tries to
>>         connect using tls.
>>
>>         thanks
>>
>>
>>         On 01/05/2017 04:36 PM, Brian West wrote:
>>>         How did you format the cert? and in what files did you put
>>>         them in? and are your permissions correct on those files?
>>>
>>>         On Thu, Jan 5, 2017 at 2:55 PM, ITwrx.org <info at itwrx.org> wrote:
>>>
>>>             hi,
>>>
>>>             i'm trying to use a letsencrypt generated cert with freeswitch
>>>             but am not sure how to proceed. I've read the old and new wiki
>>>             posts concerning tls but they don't seem to cover my exact
>>>             scenario. It seems to me that freeswitch is looking into the
>>>             configured "tls-cert-dir" for the hardcoded filename tls.pem
>>>             and is expecting that a self generated ca has signed it. i have
>>>             placed the fullchain.pem in that directory (generated with
>>>             certbot) and have renamed it tls.pem but i guess it's not
>>>             finding the CA sig it expects(?) as i'm getting:
>>>
>>>             tport_tls.c:1044 tls_connect() tls_connect(0x373c000e8d0): TLS setup failed (error:00000005:lib(0):func(0):DH lib)
>>>
>>>             when trying to connect with csipsimple from phone. I would like
>>>             to avoid generating client certs signed by a custom CA where
>>>             users have to copy the client cert and ca cert to their device
>>>             as it adds complexity and problems. Is there a workaround or
>>>             suggested method for using a letsencrypt cert with freeswitch
>>>             so that clients like csipsimple can just validate against their
>>>             built-in CA store?
>>>
>>>             thanks in advance,
>>>             ITwrx
>>>
>>>             --
>>>             Information Technology Works
>>>             https://ITwrx.org
>>>             @ITwrxorg
>>>
>>>
>>>             _________________________________________________________________________
>>>             Professional FreeSWITCH Consulting Services:
>>>             consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>>>             http://www.freeswitchsolutions.com
>>>             <http://www.freeswitchsolutions.com>
>>>
>>>             Official FreeSWITCH Sites
>>>             http://www.freeswitch.org
>>>             http://confluence.freeswitch.org
>>>             <http://confluence.freeswitch.org>
>>>             http://www.cluecon.com
>>>
>>>             FreeSWITCH-users mailing list
>>>             FreeSWITCH-users at lists.freeswitch.org
>>>             <mailto:FreeSWITCH-users at lists.freeswitch.org>
>>>             http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>             <http://lists.freeswitch.org/mailman/listinfo/freeswitch-users>
>>>             UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>             <http://lists.freeswitch.org/mailman/options/freeswitch-users>
>>>             http://www.freeswitch.org
>>>
>>>
>>>
>>>
>>>         -- 
>>>
>>>         */Brian West/*
>>>         brian at freeswitch.org <mailto:brian at freeswitch.org>
>>>
>>>
>>>         */Twitter: @FreeSWITCH , @briankwest/*
>>>         http://www.freeswitchbook.com 
>>>         http://www.freeswitchcookbook.com
>>>         <http://www.freeswitchcookbook.com>
>>>         https://www.gofundme.com/freeswitch_ubuntu
>>>         <https://www.gofundme.com/freeswitch_ubuntu>
>>>
>>>         Got Bugs? Report them here <https://freeswitch.org/jira>! |
>>>         Reddit: /r/freeswitch <https://www.reddit.com/r/freeswitch>
>>>
>>>         *T:*+19184209001 <tel:%28918%29%20420-9001> |
>>>         *F:*+19184209002 <tel:%28918%29%20420-9002> |
>>>         *M:*+1918424WEST (9378)
>>>         *Skype:*briankwest
>>>
>
> -- 
> Regards,
> Mirko

-- 
Information Technology Works
https://ITwrx.org
@ITwrxorg
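
The bundle layout this thread converged on (certificate, intermediate, then private key in one tls.pem), as an added shell example that is not from any poster or from the FreeSWITCH project. The function names, the 0600 mode and the use of certbot's fullchain.pem (cert plus intermediate) instead of separate files are assumptions.

```sh
#!/bin/sh
# Added example; function names and the 0600 mode are assumptions.

# pem_count KIND FILE: number of PEM blocks whose label ends in KIND.
pem_count() {
    grep -c -e "-----BEGIN [A-Z ]*$1-----" "$2" 2>/dev/null || true
}

# check_tls_pem FILE: classify the bundle layouts discussed in the thread.
check_tls_pem() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    certs=$(pem_count CERTIFICATE "$1")
    keys=$(pem_count 'PRIVATE KEY' "$1")
    # cert + intermediate without the key: the layout used before the fix.
    [ "$keys" -ge 1 ] || { echo "missing-key"; return 1; }
    [ "$certs" -ge 1 ] || { echo "missing-cert"; return 1; }
    # cert.pem + privkey.pem only: no intermediate certificate in the bundle.
    [ "$certs" -ge 2 ] || { echo "ok-no-chain"; return 0; }
    echo "ok"
}

# key_matches_cert CERT KEY: the first certificate in CERT must carry the
# public key that belongs to KEY (requires the openssl CLI).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# build_tls_pem LIVE_DIR OUT: write fullchain.pem (cert + intermediate)
# followed by privkey.pem, atomically and readable by the owner only.
# The owner must be the user FreeSWITCH runs as (chown is left to the caller).
build_tls_pem() {
    live=$1; out=$2
    [ "$(pem_count CERTIFICATE "$live/fullchain.pem")" -ge 1 ] || return 1
    [ "$(pem_count 'PRIVATE KEY' "$live/privkey.pem")" -eq 1 ] || return 1
    tmp=$(mktemp "$out.XXXXXX") || return 1
    cat "$live/fullchain.pem" "$live/privkey.pem" > "$tmp" && chmod 600 "$tmp" &&
        mv "$tmp" "$out" || { rm -f "$tmp"; return 1; }
}

# Usage: sh script.sh /etc/letsencrypt/live/<domain> /etc/freeswitch/tls/tls.pem
if [ "$#" -eq 2 ]; then
    build_tls_pem "$1" "$2" && key_matches_cert "$2" "$1/privkey.pem" && check_tls_pem "$2"
fi
```

Because tls.pem now contains the private key, it needs tighter permissions than a certificate-only file, and the bundle has to be rebuilt after each certbot renewal.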
