WebRTC TLS cannot bind

Hi, I am trying to bind TLS for RTC, but I am not able to do it. I tried many configs, ports and permissions, but it still doesn't work…
Here are some screenshots, can anyone help? Thanks!

Please provide the relevant Asterisk logs, from /var/log/asterisk, not from a screenshot, and as text copied and pasted inline, marked up as pre-formatted text.

However, although I don’t know if this is actually the case, I would hope that OpenSSL would refuse to use the key material you have provided, because the file permissions mean it could have been compromised.
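The permission point above is the usual cause of "does not exist or is not readable" errors on certificate paths: Asterisk runs as its own unprivileged user, and certbot's /etc/letsencrypt/live entries are symlinks into a directory that is normally restricted to root. The POSIX shell function below is an added example, not code from this thread or from the Asterisk project; it follows the symlink chain, tests readability as the invoking user (run it as the user Asterisk runs as), and flags a private key whose "other" read bit is set. The paths in the demo are constructed throwaway files, not real key material.

```shell
#!/bin/sh
# Added example (not from the thread). Checks a cert/key pair the way a
# practitioner would before pointing Asterisk's tlscertfile/dtlscertfile at it:
#   1. each path exists after following symlinks (Let's Encrypt's live/ dir
#      holds symlinks into archive/, which is commonly root-only),
#   2. the real file is readable by the user running this script,
#   3. the private key is not readable by "other".
# Prints one line per finding; returns 0 only when every check passes.
check_tls_files() {
    cert="$1"
    key="$2"
    rc=0
    for f in "$cert" "$key"; do
        if [ ! -e "$f" ]; then
            echo "MISSING: $f"
            rc=1
            continue
        fi
        # Resolve the symlink chain so the readability test hits the real file
        # and, implicitly, every directory on the way to it.
        real=$(readlink -f "$f" 2>/dev/null || printf '%s' "$f")
        if [ ! -r "$real" ]; then
            echo "UNREADABLE: $f -> $real (check directory permissions on the chain)"
            rc=1
        fi
    done
    # Private key hygiene: the 8th character of the ls mode string is the
    # "other" read bit (e.g. -rw-r--r-- is world-readable, -rw------- is not).
    if [ -e "$key" ]; then
        mode=$(ls -ldL "$key" | cut -c1-10)
        case "$mode" in
            ???????r??)
                echo "WORLD-READABLE KEY: $key ($mode); use chmod 600 or a group-readable 640"
                rc=1
                ;;
        esac
    fi
    return $rc
}

# Demonstration on constructed files in a throwaway directory (assumption: a
# writable temp dir; the contents are placeholders, not real PEM data).
demo_dir=$(mktemp -d)
printf 'not a real cert\n' > "$demo_dir/cert.pem"
printf 'not a real key\n'  > "$demo_dir/privkey.pem"
chmod 644 "$demo_dir/privkey.pem"
check_tls_files "$demo_dir/cert.pem" "$demo_dir/privkey.pem" || echo "demo 1: failed as expected (key is 644)"
chmod 600 "$demo_dir/privkey.pem"
check_tls_files "$demo_dir/cert.pem" "$demo_dir/privkey.pem" && echo "demo 2: passed (key is 600)"
rm -rf "$demo_dir"
```

Run it as the Asterisk service user (for example `sudo -u asterisk sh check.sh`) against the exact paths from http.conf or the channel driver config; a passing result as root proves nothing, because root bypasses the read checks.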

So I found this in the log.

[Jun  2 14:34:25] ERROR[53412]: rtp_engine.c:3019 ast_rtp_dtls_cfg_parse: dtlscertfile file /etc/letsencrypt/live/sip.skunks.cz/cert.pem does not exist or is not readable

but I don't know how to repair it, because I'm sure the path is right and the permissions should be too

Lol, in my http.conf the path is this:

tlscertfile=/etc/asterisk/keys/cert.pem
tlsprivatekey=/etc/asterisk/keys/privkey.pem

but when I run Asterisk it takes the path that I posted before in the log… How?

DTLS configuration is done in the channel driver, and is used for the media encryption.

Sorry, what is a channel driver?

Channel driver refers to chan_sip or chan_pjsip.

but I still don't understand why Asterisk completes my old path

[Jun  2 14:34:25] ERROR[53412]: rtp_engine.c:3019 ast_rtp_dtls_cfg_parse: dtlscertfile file /etc/letsencrypt/live/sip.skunks.cz/cert.pem does not exist or is not readable

when it's already new in the config

/etc/asterisk/keys/cert.pem

At least it should throw an error with this new path.
I don't get it.

As I stated, DTLS is separate from the configuration in http.conf. The http.conf controls the HTTPS server, which is used for the websocket. DTLS is used for the media negotiation during calls and is separately configured. I don’t know which channel driver you are using but sip.conf is used for chan_sip, and pjsip.conf for chan_pjsip. You could also use grep to find where that is referenced in any of the files.
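To make the split concrete, here is an added configuration example (not the poster's files and not taken from the Asterisk project): the HTTPS listener in http.conf and, separately, the DTLS-SRTP material for media in the channel driver. Paths, the endpoint and peer names, and the bind addresses are assumptions for illustration; the option names are the documented ones for Asterisk 16.

```ini
; http.conf -- the built-in HTTP/HTTPS server that carries the WebSocket,
; ARI and phoneprov. Only these options affect whether 8089 binds.
[general]
enabled=yes                 ; plain HTTP listener; "http show status" reports on this flag
bindaddr=0.0.0.0
bindport=8088
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
tlscertfile=/etc/asterisk/keys/cert.pem
tlsprivatekey=/etc/asterisk/keys/privkey.pem

; pjsip.conf -- DTLS for the media stream is per endpoint (chan_pjsip).
; Asterisk 15+ also accepts webrtc=yes, which turns on the same set of options.
[webrtc_client]
type=endpoint
media_encryption=dtls
dtls_verify=fingerprint
dtls_setup=actpass
dtls_cert_file=/etc/asterisk/keys/cert.pem
dtls_private_key=/etc/asterisk/keys/privkey.pem
ice_support=yes
use_avpf=yes
rtcp_mux=yes

; sip.conf -- the equivalent for chan_sip, per peer or in [general].
; These dtls* keys are the ones ast_rtp_dtls_cfg_parse is complaining about.
[801]
type=friend
encryption=yes
avpf=yes
icesupport=yes
dtlsenable=yes
dtlsverify=fingerprint
dtlssetup=actpass
dtlscertfile=/etc/asterisk/keys/cert.pem
dtlsprivatekey=/etc/asterisk/keys/privkey.pem
```

Changing tlscertfile in http.conf leaves every dtlscertfile/dtls_cert_file untouched, which is why the old Let's Encrypt path keeps appearing in rtp_engine.c errors; `grep -rn letsencrypt /etc/asterisk` finds the remaining references.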

OK, so I repaired the path, but HTTPS still didn't bind… here is the whole startup log, do you see any problem with HTTPS?

PS: Sorry, it's too long to put here, so I had to upload it.

Have you confirmed by using something like telnet that the port is actually closed? If so, you may also need to enable the HTTP server portion as well - the code may not allow just TLS.

chmod your cert dir with 744

so telnet shows that the port is used by asterisk:

tcp        0      0 0.0.0.0:8089            0.0.0.0:*               LISTEN      75320/asterisk

but http show status still shows this:

Asterisk-SIPServer*CLI> http show status
HTTP Server Status:
Prefix:
Server: Asterisk/16.2.1~dfsg-2ubuntu1
Server Disabled

Enabled URI's:
/httpstatus => Asterisk HTTP General Status
/phoneprov/... => Asterisk HTTP Phone Provisioning Tool
/static/... => Asterisk HTTP Static Delivery
/ari/... => Asterisk RESTful API
/ws => Asterisk HTTP WebSocket

Enabled Redirects:
  None.

The code doesn’t take into account, for that command, TLS enabled but normal HTTP not. It’s cosmetic, the port is still open and listening.

So should I try to turn on normal HTTP as well?

You can and it should then say that both are listening. This is cosmetic though, and based on what you’ve provided the port is listening regardless. If you’re having problems connecting to it over HTTPS then you’d need to show that and not the http status output.

OK, now HTTPS is finally bound, thanks! But now my console spams this

[Jun  3 14:05:42] NOTICE[76122][C-00000001]: chan_sip.c:26601 handle_request_invite: Failed to authenticate device <sip:801@167.172.167.91>;tag=1575092275
[Jun  3 14:05:58] WARNING[76151]: res_http_websocket.c:791 __ast_websocket_uri_cb: WebSocket connection from '84.242.72.181:49840' could not be accepted - did not request WebSocket
[Jun  3 14:06:05] ERROR[76155]: iostream.c:633 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Jun  3 14:06:05] ERROR[76155]: iostream.c:538 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Jun  3 14:06:06] ERROR[76156]: iostream.c:633 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Jun  3 14:06:06] ERROR[76156]: iostream.c:538 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Jun  3 14:06:06] ERROR[76157]: iostream.c:633 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Jun  3 14:06:06] ERROR[76157]: iostream.c:538 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Jun  3 14:06:06] ERROR[76158]: iostream.c:633 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Jun  3 14:06:06] ERROR[76158]: iostream.c:538 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Jun  3 14:06:11] ERROR[76159]: iostream.c:633 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SS

What does it mean?