Project

General

Profile

Issue with SSL certificate and WebRTC client

Added by Zimo Call about 1 month ago

Hi Team,

I followed all the steps to install from scratch GoAutodial V4, there was no issues on the installation.
I installed all with FQDN configuration, checked Kamailio, rtpEngine and Asterisk all are running and I can see Kamailio as SIP peer on Asterisk.
After checking that all is running well, I installed a letsEncrypt SSL certificate I have no issue with it on the web interface.
I have assigned this certicate to the Kamailio tls.conf like that :
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/letsencrypt/live/myFQDN/privkey.pem
certificate = /etc/letsencrypt/live/myFQDN/cert.pem

I restarted Kamailio without issue, Satus is Running

But when I create a new user+Phone and I try to login with the WebRTC client on the web interface. The app is loading without login.
When I check logs on my browser I see an SSL issue : "SSL_ERROR_UNSUPPORTED_VERSION"

And on Kamailio I see the following message : "TLS accept:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version"

Is there a place to add the certificate on the Web App folder ?

Thanks in advance !


Replies (4)

RE: Issue with SSL certificate and WebRTC client - Added by Wittie Manansala about 1 month ago

Hi,

Hope the following may help you:

1. yum install certbot -y

2. sudo certbot --apache -d dialer.company.com

3. Sample Output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dialer.company.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/company-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/company-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 (ni-press ko 2)
Redirecting vhost in /etc/httpd/conf.d/company.conf to ssl vhost in /etc/httpd/conf.d/company-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://dialer.company.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=dialer.company.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/dialer.company.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/dialer.company.com/privkey.pem
   Your cert will expire on 2020-01-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew" 
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
4. Set Permissions:

chmod 755 /etc/letsencrypt/archive/
chmod 755 /etc/letsencrypt/live
chmod 644 /etc/letsencrypt/live/dialer.company.com/privkey.pem
5. Edit /etc/kamailio/tls.cfg

Set the following:
private_key = /etc/letsencrypt/live/dialer.company.com/privkey.pem
certificate = /etc/letsencrypt/live/dialer.company.com/cert.pem 
6. systemctl httpd restart
5. systemctl kamailio restart

7. Let’s Encrypt recommends the automatic renew cronjob to run twice a day, to do that add the following line and then save and exit the crontab:

#automatic renew cronjob to run twice a day
* */12 * * * /usr/bin/certbot renew >/dev/null 2>&1

Thanks

RE: Issue with SSL certificate and WebRTC client - Added by Zimo Call about 1 month ago

Hi Wittie,

Thanks for you help, I already created the certificate like you recommand.
But as you see it's like Kamailio or openSSL not support the TLS version

RE: Issue with SSL certificate and WebRTC client - Added by Zimo Call about 1 month ago

Hi team,

I resolved it by changing on the file /etc/kamailio/tls.conf the tls method :
[server:default]
method = TLSv1+

Now it works well !

RE: Issue with SSL certificate and WebRTC client - Added by Demian Lizandro Biscocho about 1 month ago

Great to hear you resolved this by yourself.

    (1-4/4)
    Go to top