[OpenSIPS-Users] ERROR:tls_mgm:load_certificate: unable to load certificate

Mikhail forfx at yandex.ru
Mon Apr 29 07:21:51 EDT 2019


Hello,

I have a problem with a wss setup.

My steps:
set up CentOS 7
install opensips 2.4.5 from the yum repo
install nginx and create a certificate with Let's Encrypt:
certbot certonly --standalone --agree-tos --email myemail@mysite.com --webroot -w /opt/www/ws -d ws.mysite.com

Then I have 4 files in /etc/letsencrypt/live/ws.mysite.com:
cert.pem chain.pem fullchain.pem privkey.pem

In opensips.cfg I added:
listen=ws:ws.mysite.com:8088
listen=wss:ws.mysite.com:8443
loadmodule "proto_wss.so"
loadmodule "proto_ws.so"
loadmodule "proto_tls.so"
loadmodule "tls_mgm.so"
modparam("tls_mgm", "certificate", "/etc/letsencrypt/live/ws.mysite.com/fullchain.pem")
modparam("tls_mgm", "private_key", "/etc/letsencrypt/live/ws.mysite.com/privkey.pem")
modparam("tls_mgm", "verify_cert", "0")
modparam("tls_mgm", "require_cert", "0")

When I restart opensips it fails with these messages:

Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:mod_init: initializing TLS management
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:mod_init: openssl version: OpenSSL 1.0.2k-fips 26 Jan 2017
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:mod_init: disabling compression due ZLIB problems
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:check_for_krb: KRB5 cipher KRB5-IDEA-CBC-SHA found
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:init_tls_dom: Processing TLS domain 'default'
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: INFO:tls_mgm:init_ssl_ctx_behavior: client verification NOT activated. Weaker security.
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: ERROR:tls_mgm:load_certificate: unable to load certificate file '/etc/letsencrypt/live/ws.mysite.com/fullchain.pem'
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: ERROR:tls_mgm:init_tls_domains: Failed to init TLS domain 'default'
Apr 29 13:37:15 doc-01 /usr/sbin/opensips[14329]: ERROR:core:init_mod: failed to initialize module tls_mgm

I tried different combinations of tls_mgm params (verify_cert, require_cert, tls_method) without success.
By the way, I found that tls_mgm doesn't know the SSLv2 and SSLv3 tls_methods:
ERROR:tls_mgm:tlsp_set_method: unsupported method [SSLv2]
but they are in the doc at
https://opensips.org/html/docs/modules/2.2.x/tls_mgm.html#idp169376

I tried to make custom certificates according to
https://www.opensips.org/Documentation/Tutorials-TLS-2-2 with no luck:
#modparam("tls_mgm", "certificate", "/root/tls_cnf/tls/user/user-cert.pem")
#modparam("tls_mgm", "private_key", "/root/tls_cnf/tls/user/user-privkey.pem")
#modparam("tls_mgm", "ca_list", "/root/tls_cnf/tls/user/user-calist.pem")

And I tried the built-in certificates:
#modparam("tls_mgm", "certificate", "/etc/opensips/tls/user/user-cert.pem")
#modparam("tls_mgm", "private_key", "/etc/opensips/tls/user/user-privkey.pem")
#modparam("tls_mgm", "ca_list", "/etc/opensips/tls/user/user-calist.pem")
With them opensips starts successfully, but WebRTC clients based on the JsSIP and SIP.js libs can't connect.
opensips.log:
/usr/sbin/opensips[30683]: ERROR:proto_wss:tls_accept: New TLS connection from 111.111.111.111:41720 failed to accept
/usr/sbin/opensips[30683]: ERROR:proto_wss:tls_print_errstack: TLS errstack: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
/usr/sbin/opensips[30683]: ERROR:proto_wss:wss_read_req: cannot fix read connection

Latest Google Chrome (74.0.3729.108) log:
sip-0.13.8.js:26437 WebSocket connection to 'wss://ws.mysite.com:8443/' failed: Error in connection establishment: net::ERR_CERT_AUTHORITY_INVALID

I looked into the sources and found that tls_mgm just calls the openssl function SSL_CTX_use_certificate_chain_file, so it looks like the problem is in openssl, but openssl is the latest from the repo - OpenSSL 1.0.2k-fips.
I tested the certs with
openssl x509 -in /etc/letsencrypt/live/ws.mysite.com/fullchain.pem -text
and see no problem.
I set up an https site and browsers open it and show the cert as ok.

So what is the difference between the built-in and Let's Encrypt certificates?
And how to solve the problem - this is the question.

Laba Mikhail
