Telcobridges - Session Border Controllers

SIP TLS using LetsEncrypt


Post by jmross on Fri Aug 14, 2020 4:52 pm

Hi,

I'm having trouble setting up a SIP TLS profile so that remote clients can connect to the SBC using TLS. Do you know if it is possible to use Let's Encrypt?

I see the message 'Could not initialize SSL context' when activating the configuration.

I have tried using the Let's Encrypt certificates from https://letsencrypt.org/certificates/ by adding the root certificate as Trusted and adding the Intermediate certificates. I also copied the contents of cert.pem for my domain generated by the Let's Encrypt command line tool as an Intermediate certificate. I then added all of those to the Trusted Certificates option in the TLS profile. Is this correct?


Thanks



jmross

Number of Messages : 9
Point : 19
Registration Date : 2020-03-06


Re: SIP TLS using LetsEncrypt

Post by lmorissette on Fri Aug 14, 2020 5:11 pm

While I have not tried the Let's Encrypt certificates, it should work - maybe someone else from the community has tried it?

Instructions to set up TLS are here:
https://docs.telcobridges.com/tbwiki/Toolpack:Tsbc_Protocol_Stack_Settings_3.1

There is also a video on this that could help. You can find it here: http://www.prosbc.com, then select support -> Video library

If you still cannot figure it out, please contact us again.

lmorissette

Number of Messages : 18
Point : 34
Registration Date : 2017-11-27


Re: SIP TLS using LetsEncrypt

Post by jmross on Mon Aug 17, 2020 4:31 pm

I've read those instructions and watched the videos on the Telcobridges YouTube channel. The examples there are more for connecting to another server as a client using TLS where I want to accept registrations over TLS and forward them to Asterisk.

Suddenly, that error went away though. Looking at the log under /log_actions, I didn't change anything between activating the configuration. Maybe I modified the private key on the file system, but I'm not sure. I was even getting it using the 'Default' local certificate in the TLS profile.

Anyway, I got it working after a lot of trial and error. Here are my steps if it helps anyone:

I entered the certificate generated by Let's Encrypt (cert.pem) of type Local into FreeSBC.

I copied the private key (privkey.pem) to /lib/tb/toolpack/pkg/ssl_certificate after converting the private key to RSA format (openssl rsa -in privkey.pem -out rsa.key). This file has to have the same name as the Local certificate with '.key' appended to it (i.e., if the certificate is named 'domain', the key is named 'domain.key').

I then had to add the two intermediate certificates from https://letsencrypt.org/certificates/:

Let’s Encrypt Authority X3 (IdenTrust cross-signed)
Let’s Encrypt Authority X3 (Signed by ISRG Root X1)

as Intermediate certificates in FreeSBC.

Then create/edit the TLS profile and disable "Require peer authentication". Choose the local certificate as the Local certificate you copied from cert.pem. Then add the two intermediate certificates from Let's Encrypt to the Trusted Certificates in the TLS profile.

Thanks


Edit: Alternatively, you could just put the contents of chain.pem into an Intermediate certificate on FreeSBC then add that to the trusted certificates for the profile instead of using the certificates from https://letsencrypt.org/certificates

jmross

Number of Messages : 9
Point : 19
Registration Date : 2020-03-06
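
The checks behind the steps in the post above, as an added example (not the poster's or TelcoBridges' code): it confirms that privkey.pem belongs to cert.pem and that chain.pem issues cert.pem, then stages the converted key as `<name>.key`. The function names are hypothetical, and reading the post's "RSA format" as the PKCS#1 `BEGIN RSA PRIVATE KEY` form is an assumption.

```shell
#!/bin/sh
# Added example: pre-install checks for Let's Encrypt files before loading them
# into the SBC. File names follow the post; function names are hypothetical.

# Succeeds when the private key belongs to the certificate (same public key).
key_matches_cert() {  # usage: key_matches_cert cert.pem privkey.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when cert.pem is issued by a certificate in chain.pem. The system
# trust store is ignored so only the supplied chain can satisfy the check.
chain_issues_cert() {  # usage: chain_issues_cert chain.pem cert.pem
    openssl verify -no-CApath -no-CAfile -partial_chain \
        -CAfile "$1" "$2" >/dev/null 2>&1
}

# Converts the key with the post's `openssl rsa` command and writes it as
# <name>.key, readable by the owner only. OpenSSL 3.x needs -traditional to
# emit the "BEGIN RSA PRIVATE KEY" form (assumed to be what the post means by
# "RSA format"); older releases emit it by default.
stage_key() {  # usage: stage_key privkey.pem <local-cert-name> <target-dir>
    opt=""
    if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
        opt="-traditional"
    fi
    ( umask 077 && openssl rsa $opt -in "$1" -out "$3/$2.key" 2>/dev/null )
}

# Prints the PEM header of a key file so the staged format can be confirmed.
key_header() { head -n 1 "$1"; }

# Run all checks when called as: script cert.pem privkey.pem chain.pem name dir
if [ "$#" -eq 5 ]; then
    key_matches_cert "$1" "$2" || { echo "key does not match cert" >&2; exit 1; }
    chain_issues_cert "$3" "$1" || { echo "chain does not issue cert" >&2; exit 1; }
    stage_key "$2" "$4" "$5" && key_header "$5/$4.key"
fi
```

`openssl rsa` only accepts RSA keys, so `stage_key` fails if privkey.pem was issued as another key type.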
