WebPhone rings but can't make call


#1

That’s the output on CLI:

[2018-07-06 13:37:10] ERROR[22458][C-00000025]: res_rtp_asterisk.c:2557 __rtp_recvfrom: DTLS failure occurred on RTP instance '0x7f7bb8089ce0' due to reason 'certificate verify failed', terminating
[2018-07-06 13:37:10] WARNING[22458][C-00000025]: res_rtp_asterisk.c:5310 ast_rtp_read: RTP Read error: Unspecified.  Hanging up.

I’ve put the valid certificate, generated it by letsencrypt. can it be something with openssl? The webphone dials and calls, but when one party attends it logs that error and hangs up.


#2

What is the pjsip.conf or sip.conf configuration for the endpoint?


#3
[99100]
type=endpoint
aors=99100
auth=99100-auth
tos_audio=ef
tos_video=af41
cos_audio=5
cos_video=4
allow=ulaw,alaw,gsm,g726,g722,opus
context=from-internal
callerid=WebRTC Trab01 <99100>
dtmf_mode=rfc4733
mailboxes=99100@device
mwi_subscribe_replaces_unsolicited=yes
aggregate_mwi=yes
use_avpf=yes
rtcp_mux=yes
ice_support=yes
media_use_received_transport=yes
trust_id_inbound=yes
media_encryption=dtls
timers=no
media_encryption_optimistic=no
send_pai=yes
rtp_symmetric=yes
rewrite_contact=yes
force_rport=yes
language=en
media_encryption=dtls
dtls_verify=fingerprint
dtls_cert_file=/etc/asterisk/keys/default.crt
dtls_private_key=/etc/asterisk/keys/default.key
dtls_setup=actpass
dtls_rekey=0

[99101]
type=endpoint
aors=99101
auth=99101-auth
tos_audio=ef
tos_video=af41
cos_audio=5
cos_video=4
allow=ulaw,alaw,gsm,g726,g722,opus
context=from-internal
callerid=WebRTC Leon Lourenço <99101>
dtmf_mode=rfc4733
mailboxes=99101@device
mwi_subscribe_replaces_unsolicited=yes
aggregate_mwi=yes
use_avpf=yes
rtcp_mux=yes
ice_support=yes
media_use_received_transport=yes
trust_id_inbound=yes
media_encryption=dtls
timers=no
media_encryption_optimistic=no
send_pai=yes
rtp_symmetric=yes
rewrite_contact=yes
force_rport=yes
language=en
media_encryption=dtls
dtls_verify=fingerprint
dtls_cert_file=/etc/asterisk/keys/default.crt
dtls_private_key=/etc/asterisk/keys/default.key
dtls_setup=actpass
dtls_rekey=0

[100]
type=endpoint
aors=100
auth=100-auth
tos_audio=ef
tos_video=af41
cos_audio=5
cos_video=4
allow=ulaw,alaw,gsm,g726,g722,opus
context=from-internal
callerid=Caller #01 <100>
dtmf_mode=rfc4733
mailboxes=100@device
mwi_subscribe_replaces_unsolicited=yes
transport=0.0.0.0-wss
aggregate_mwi=yes
use_avpf=yes
rtcp_mux=yes
ice_support=yes
media_use_received_transport=no
trust_id_inbound=yes
media_encryption=no
timers=yes
media_encryption_optimistic=no
send_pai=yes
rtp_symmetric=yes
rewrite_contact=yes
force_rport=yes
language=en
media_encryption=dtls
dtls_verify=certificate
dtls_cert_file=/etc/asterisk/keys/mydns.crt
dtls_private_key=/etc/asterisk/keys/mydns.key
dtls_setup=actpass
dtls_rekey=0

[101]
type=endpoint
aors=101
auth=101-auth
tos_audio=ef
tos_video=af41
cos_audio=5
cos_video=4
allow=ulaw,alaw,gsm,g726,g722,opus
context=from-internal
callerid=Caller #02 <101>
dtmf_mode=rfc4733
transport=0.0.0.0-wss
aggregate_mwi=yes
use_avpf=yes
rtcp_mux=yes
ice_support=yes
media_use_received_transport=no
trust_id_inbound=yes
media_encryption=no
timers=yes
media_encryption_optimistic=no
send_pai=yes
rtp_symmetric=yes
rewrite_contact=yes
force_rport=yes
language=en
media_encryption=dtls
dtls_verify=certificate
dtls_cert_file=/etc/asterisk/keys/mydns.crt
dtls_private_key=/etc/asterisk/keys/mydns.key
dtls_setup=actpass
dtls_rekey=0

[anonymous]
type=endpoint
context=from-sip-external
allow=all
transport=udp,tcp,ws,wss

[dpma_endpoint]
type=endpoint
context=dpma-invalid

I think I realized: Do I have to put the certificate on the 99users as well?

(Can you tell me how Asterisk uses 99 users? I know it’s for the websocket but I do not understand how it uses it)


#4

dtls_verify can’t be set to certificate, or it will fail.


#5

It should use fingerprint?


#6

Yes, the certificate provided by the browser is ephemerally generated. It doesn’t come from the certificate authority and thus can’t be verified.


#7

J, I truly owe you a BIG TIME!