Asterisk 20 and pjsip and webrtc

Morning Asterisk Community,

I am here today to ask for help to solve a head-smashing issue that I have not been able to solve for the past few months, and I have tried everything.

Setup:
OS: Fedora 40
Asterisk 20.8.1
Certs:
[root@ntn-asterisk-webrtc asterisk]# openssl verify -CAfile /etc/asterisk/keys/ca/ntn-asterisk-webrtc-root-ca.pem /etc/asterisk/keys/certs/ntn-asterisk-webrtc.pem
/etc/asterisk/keys/certs/ntn-asterisk-webrtc.pem: OK

Asterisk error:
[Jul 3 11:09:54] ERROR[29659]: iostream.c:663 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0)::reason(1), Internal SSL error
[Jul 3 11:09:54] ERROR[29659]: tcptls.c:179 handle_tcptls_connection: Unable to set up ssl connection with peer '192.168.55.12:54741'
[Jul 3 11:09:54] ERROR[29659]: iostream.c:563 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0)::reason(1), Internal SSL error

Root CA is installed on the client system.

PJSIP:
[transport-wss]
type=transport
protocol=wss
bind=0.0.0.0:8089
allow_reload=yes
cert_file=/etc/asterisk/keys/certs/ntn-asterisk-webrtc.pem
priv_key_file=/etc/asterisk/keys/certs/ntn-asterisk-webrtc.pem
method=tlsv1_3

[webrtc_client]
type=aor
max_contacts=5
remove_existing=yes

[webrtc_client]
type=auth
auth_type=userpass
username=webrtc_client
password=webrtc_client

[webrtc_client]
type=endpoint
transport=transport-wss
webrtc=yes
context=parking
disallow=all
allow=iopus
allow=g729
allow=g722
auth=webrtc_client
aors=webrtc_client
callerid=webrtc

netstat -tulpn | grep asterisk
tcp 0 0 0.0.0.0:8088 0.0.0.0:* LISTEN 29516/asterisk
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN 29516/asterisk
udp 0 0 0.0.0.0:43386 0.0.0.0:* 29516/asterisk
udp 0 0 0.0.0.0:4520 0.0.0.0:* 29516/asterisk
udp 0 0 0.0.0.0:4569 0.0.0.0:* 29516/asterisk
udp 0 0 0.0.0.0:5000 0.0.0.0:* 29516/asterisk
udp 0 0 0.0.0.0:5060 0.0.0.0:* 29516/asterisk

Connected to Asterisk 20.8.1 currently running on ntn-asterisk-webrtc (pid = 29516)
ntn-asterisk-webrtc*CLI> pjsip show transports

Transport: <TransportId…> <BindAddress…>

Transport: transport-udp udp 0 0 0.0.0.0:5060
Transport: transport-ws ws 0 0 0.0.0.0:8088
Transport: transport-wss wss 0 0 0.0.0.0:8089

http.conf

[general]
;
servername=Asterisk

enabled=yes
bindaddr=0.0.0.0
bindport=8088

tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/certs/ntn-asterisk-webrtc.pem
tlsprivatekey=/etc/asterisk/keys/certs/ntn-asterisk-webrtc.pem

So now what am I missing, and where? Please can anyone help me or point me to where to find solutions.

You might want to try adding
ca_list_file = /etc/asterisk/keys/ca/ntn-asterisk-webrtc-root-ca.pem
to the transport object and
tlscafile = /etc/asterisk/keys/ca/ntn-asterisk-webrtc-root-ca.pem
to http.conf.

They’re the same file!? Normally the cert and key are kept in different files.

Good point. Another thing to check is the permissions on the key file. The file must NOT be group or world readable.

Hi, thanks. Will try this and let you know.

Hi, these are the same file because the key and crt were catted into the pem file. I will split it again into key and crt files.

Correct, this is asterisk user readable only. Not group or world readable.
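
An added example, not part of the original thread and not Asterisk code: the two checks raised in the replies above (key file permissions, and certificate plus key sharing one PEM file), followed by splitting the combined file into separate certificate and key files. The file names and the PEM bodies in the sample are constructed placeholders.

```python
import os
import re
import stat
import tempfile

# Constructed sample: placeholder bodies, not real key material.
SAMPLE_BUNDLE = (
    "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n")
# One PEM block; group 1 is its label, e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL)

def audit_key_file(path):
    """Report the two issues raised in the thread for a private key file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants access to group or other")
    with open(path) as fh:
        labels = [m.group(1) for m in PEM_BLOCK.finditer(fh.read())]
    if "CERTIFICATE" in labels:
        findings.append("file also contains a certificate block")
    return findings

def split_bundle(bundle_path, cert_out, key_out):
    """Write certificate blocks to cert_out and the key to key_out (mode 0600)."""
    with open(bundle_path) as fh:
        blocks = [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(fh.read())]
    certs = [b for label, b in blocks if label == "CERTIFICATE"]
    keys = [b for label, b in blocks if label.endswith("PRIVATE KEY")]
    if not certs or len(keys) != 1:
        raise ValueError("expected at least one certificate and exactly one key")
    with open(cert_out, "w") as fh:
        fh.write("\n".join(certs) + "\n")
    # Create the key with 0600 so it is never briefly readable by others.
    fd = os.open(key_out, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(keys[0] + "\n")
    os.chmod(key_out, 0o600)  # tighten a pre-existing file as well

def demo():
    with tempfile.TemporaryDirectory() as d:
        bundle, crt, key = (os.path.join(d, n) for n in ("all.pem", "srv.crt", "srv.key"))
        with open(bundle, "w") as fh:
            fh.write(SAMPLE_BUNDLE)
        os.chmod(bundle, 0o644)
        before = audit_key_file(bundle)
        split_bundle(bundle, crt, key)
        return before, audit_key_file(key)
```

`demo()` returns the findings for the combined file and for the split-out key file; the second list is empty once the key sits alone with mode 0600.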

You might want to remove the bind line from pjsip, and instead add

tlsbindaddr=[::]:8089

to http.conf.

The port defined in the pjsip configuration is the port used for SIP, not websocket.
