So close - but can't get past SSL errors #442
Replies: 4 comments 5 replies
-
Update: I've now gotten past the SSL error. I had not imported the PEM file previously. I also added a SAN with ip.1. Not sure which did it, but now Chrome accepts the cert. New problem is that I'm seeing on the Asterisk side iostream.c:240 TLS timeout reading data followed by http closing the connection. On the client side, I'm seeing websocket failure to connect errors (websocket failure, websocket closed, reconnect attempt and the cycle continues).
-
Here's what shows on the Chrome side: Mon Feb 27 2023 15:15:33 GMT-0800 (Pacific Standard Time) | sip.Transport | WebSocket closed wss://192.168.7.15:4443/ws (code: 1006)
-
WebRTC is NOT possible without using fully qualified domain names. This is because you have to reach the Asterisk Server via a secure connection, and this is only possible with a common name on the certificate that matches the destination of the server. This was the point of making the certificate authority. The common name of the certificate is matched to the URL of the server you are reaching. If you are using something like Let's Encrypt, there is a bot that can install and maintain a certificate for you, but this again only works if you can prove control over the domain of the common name that they assign to the certificate. If you are doing lab work, then a way to eliminate the need for a fully qualified domain name is to use a .local address. The problem here is that no company will issue you with a certificate pointing to .local, so your only choice here is to authorise yourself. You can make up your own host names, since you will be signing your own certificates. Remember, a few years ago Chrome stopped allowing a self-signed certificate, and now requires you to add your own self-signed CA certificate to the server. The steps are detailed here:

This certificate does still require that you make use of fully qualified domain names though... so when, in the instructions, you are asked for Common Name (CN), you must answer with something that will resolve to your server. As you saw in my videos, raspberrypi.local is a domain name system that's already established as part of the Raspberry Pi system... so what if you are not using a Raspberry Pi? Let's say you have a local server at 192.168.7.15; then you will have to make a manual host name entry, either in your PC or a common DNS server, that points a request to this address. Make up any name. If you can achieve this, then you are good to go ahead with the certificate, but now when asked for the Common Name, you enter asteriskserver1.com. Then, when serving the certificate from that Asterisk server and browsing the page (with the CA installed), you should be able to reach the server over SSL at https://asteriskserver1.com. Then the same rules apply for the "Secure WebSocket Server" field in the phone settings.
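An added example, not code from the InnovateAsterisk project or from either poster, covering the advice in this reply and the SAN fix reported in the update at the top of the thread: a POSIX shell script that builds a private CA, issues a server certificate whose SAN carries both a made-up host name and the LAN IP, and then checks that the chain verifies and that the name and the IP actually match. asteriskserver1.com and 192.168.7.15 are the thread's own placeholder values; openssl 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example (not the InnovateAsterisk project's own script): private CA plus
# a server certificate whose subjectAltName holds the host name AND the LAN IP.
# Assumptions: openssl 1.1.1+ on PATH; host name / IP are lab placeholders.
set -eu

# Generate ca.crt, server.key and server.crt into directory $1.
make_lab_certs() {
  dir=$1; host=$2; ip=$3
  mkdir -p "$dir"
  # 1. Private CA: this is the certificate imported into the browser/OS trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Lab Asterisk Root CA" >/dev/null 2>&1
  # 2. Server key + CSR. CN still carries the host name, but modern browsers
  #    match the SAN, not the CN (hence ERR_CERT_COMMON_NAME_INVALID without one).
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=$host" >/dev/null 2>&1
  # 3. SAN extension: DNS entry for the name, IP entry for the address.
  #    An address written as a DNS.n entry (as tried in the question) is not an IP SAN.
  printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
    "$host" "$ip" > "$dir/san.ext"
  # 4. Sign the CSR with the CA, attaching the SAN extension from the file.
  openssl x509 -req -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/server.crt" >/dev/null 2>&1
}

# Return 0 only if the chain verifies against the CA and BOTH host and IP match;
# this is the check to run before blaming the browser or Asterisk.
check_lab_certs() {
  dir=$1; host=$2; ip=$3
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.crt" -noout -checkhost "$host" \
    | grep -q "does match" || return 1
  openssl x509 -in "$dir/server.crt" -noout -checkip "$ip" \
    | grep -q "does match" || return 1
}
```

Import ca.crt into the browser or OS trust store, point Asterisk's http.conf tlscertfile and tlsprivatekey at server.crt and server.key, and add a hosts entry mapping the chosen name to the IP so the name in the wss:// URL resolves.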
-
Success! Thanks for the help. The additional direction was just what I needed to zero in on the proper configuration. I'm now able to make calls between clients and now I'm moving on to figure out how to integrate the parts of my application. I'm building a web-based app for my home that streams live video from a security camera, allows for communication through this client to a POTS connection and also allows me to initiate some home-automation actions. This wouldn't be possible without this project and all your work. Thank you. Thank you. Thank you! This is quite an amazing piece of work. Charlie O
-
I'm loving this project. I've been able to successfully build and get the UI to display and operate on a client (Windows / Chrome). I can create an account and then the dialer comes up with the client reporting that it's "connecting to web socket..." but never gets connected...
...because I cannot get past some SSL errors and could use some advice. I'm operating entirely on my private network with the self-signed cert per instructions. I've used the literal values that are there, with the exception that rather than "none" for those values, I've just hit enter, and I've used my own email address. I'm assuming this is as intended, although I did try using all my own values (local/private IP) but that did not solve anything.
As one clue, I note that raspberrypi.local does not work on the client or on a browser on the RPI. I do see in the browser/manage certs that org-innovate asterisk is there. Since that doesn't work, I just use the private IP address of RPI as part of the URI.
On the Windows client, I've installed the InnovateAsterisk-Root-CA.crt file as trusted root certification authority (using the mmc facility) for the user and the computer. Windows reports that the certificate is OK (both). I notice that the user one is editable but not the one for the local computer.
When I check Chrome / Manage certificates, they are there (twice) and named as Innovate Asterisk Root CA. However, Chrome complains that the certificate is invalid, although in the developer tools window it says "this site is missing a trusted valid certificate" and ERR_CERT_COMMON_NAME_INVALID. I also tried adding the cert again through Chrome. No difference.
On the Asterisk side, I see these errors:
ERROR[1394]: iostream.c:647 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[2023-02-26 23:28:42] ERROR[1394]: tcptls.c:179 handle_tcptls_connection: Unable to set up ssl connection with peer '192.168.5.64:50244'
[2023-02-26 23:28:42] ERROR[1394]: iostream.c:552 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[2023-02-26 23:28:42] ERROR[1395]: iostream.c:647 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[2023-02-26 23:28:42] ERROR[1395]: tcptls.c:179 handle_tcptls_connection: Unable to set up ssl connection with peer '192.168.5.64:50245'
[2023-02-26 23:28:42] ERROR[1395]: iostream.c:552 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error
Perhaps I'm missing a part of the SSL setup on the RPI?
I tried adding the server's private IP as a SAN labeled DNS.2 but that didn't seem to change anything.
I've also tried using the client that's hosted on innovateasterisk. In this case, Chrome seems happy with the certificate; however, I still see the same errors below in the Chrome developer console and Asterisk is reporting the same internal SSL errors:
sip-0.20.0.min.js:2 WebSocket connection to 'wss://192.168.7.15:4443/ws' failed:
_connect @ sip-0.20.0.min.js:2
connect @ sip-0.20.0.min.js:2
(anonymous) @ sip-0.20.0.min.js:2
sip-0.20.0.min.js:2 Mon Feb 27 2023 00:08:35 GMT-0800 (Pacific Standard Time) | sip.Transport | WebSocket error occurred.
print @ sip-0.20.0.min.js:2
genericLog @ sip-0.20.0.min.js:2
genericLog @ sip-0.20.0.min.js:2
error @ sip-0.20.0.min.js:2
onWebSocketError @ sip-0.20.0.min.js:2
(anonymous) @ sip-0.20.0.min.js:2
error (async)
_connect @ sip-0.20.0.min.js:2
connect @ sip-0.20.0.min.js:2
(anonymous) @ sip-0.20.0.min.js:2
sip-0.20.0.min.js:2 Mon Feb 27 2023 00:08:35 GMT-0800 (Pacific Standard Time) | sip.Transport | WebSocket closed unexpectedly
print @ sip-0.20.0.min.js:2
genericLog @ sip-0.20.0.min.js:2
genericLog @ sip-0.20.0.min.js:2
warn @ sip-0.20.0.min.js:2
onWebSocketClose @ sip-0.20.0.min.js:2
(anonymous) @ sip-0.20.0.min.js:2
sip-0.20.0.min.js:2 Mon Feb 27 2023 00:08:35 GMT-0800 (Pacific Standard Time) | sip.Transport | WebSocket closed wss://192.168.7.15:4443/ws (code: 1006)
sip-0.20.0.min.js:2 Mon Feb 27 2023 00:08:35 GMT-0800 (Pacific Standard Time) | sip.Transport | Transitioned from Connecting to Disconnected
phone.js:1979 Failed to reconnect Error: WebSocket closed wss://192.168.7.15:4443/ws (code: 1006)
at at.onWebSocketClose (sip-0.20.0.min.js:2:226066)
at WebSocket. (sip-0.20.0.min.js:2:223454)
Finally, netstat -tulpn reports port 443 open but I don't see 4443. I notice that I have to use 4443 in the account registration on the client (my local one or the innovateasterisk hosted one) or the registration fails. I don't get that.
Obviously many restarts of client and server post reconfigs. Many repeats of the process. I'm not sure if the problem is on the client, on the server, or both.
I really don't want to create a public domain for this project and go the Let's Encrypt route, and I'm guessing that I'm overlooking something obvious.
I hope I've supplied enough clues for some advice.
Thanks in advance.
Charlie O.