Let’s Encrypt Privkey : Specified Certificate File Could Not Be Used
Hello
I get the following error when using our Let's Encrypt SSL certificate for WebRTC calls:
[Jun 2 14:29:28] == DTLS ECDH initialized (secp256r1), faster PFS enabled
[Jun 2 14:29:28] ERROR[27360][C-00000ae5]: res_rtp_asterisk.c:1441 ast_rtp_dtls_set_configuration: Specified certificate file '/etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' for RTP instance '0x7f920c538a78' could not be used
[Jun 2 14:29:28] ERROR[27360][C-00000ae5]: chan_sip.c:5941 dialog_initialize_dtls_srtp: Attempted to set an invalid DTLS-SRTP configuration on RTP instance '0x7f920c538a78'
(ws.mydomain.tld is of course masked)
Any idea why Asterisk has a problem with the certificate?
Kind regards.
3 thoughts on - Let’s Encrypt Privkey : Specified Certificate File Could Not Be Used
What size is the private key? There is a script to create a cert for Asterisk:
https://github.com/asterisk/asterisk/blob/master/contrib/scripts/ast_tls_cert It creates a 1024-bit keypair, maybe for a good reason. Certbot's default size is
2048. Try adding --rsa-key-size 1024 (or signing a
"handcrafted" key).
JK> [Jun 2 14:29:28] ERROR[27360][C-00000ae5]: res_rtp_asterisk.c:1441
JK> ast_rtp_dtls_set_configuration: Specified certificate file
JK> '/etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' for RTP instance
JK> '0x7f920c538a78' could not be used
That error means that openssl’s SSL_CTX_use_certificate_file() returned an error.
The later error is just a result of that one.
Does the uid/gid used for asterisk have access to the key?
If the uid you use for asterisk is called asterisk, run this as root:
su -c 'cat /etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' - asterisk
If it fails, then the problem is permissions.
You may need to alter the permissions on /etc/letsencrypt to allow non-root uids to access the symlinks and their targets.
-JimC
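The two replies above each check one thing by hand (the key size, and whether the Asterisk uid can open the key). The script below bundles those checks, plus a key/certificate match test, into a small diagnostic for this error. It is an added example, not code from the thread or from the Asterisk project; it assumes openssl(1) is installed, that the service account is named "asterisk", and that the cert and key paths are passed as arguments (the paths shown are placeholders).

```shell
#!/bin/sh
# Diagnostic helpers for Asterisk's "Specified certificate file ... could not be used".
# Added example (not from the thread or Asterisk). Assumes openssl(1) is installed
# and that the Asterisk service account is called "asterisk".

# Print the size in bits of the private key in a PEM file (RSA or EC).
# Prints nothing if OpenSSL cannot parse the file at all, which is itself a finding.
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Return 0 when the public half of the key equals the public key in the certificate.
# Usage: key_matches_cert KEY.pem CERT.pem
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 when USER can open FILE (symlinks under live/ are followed by cat).
# Must run as root; -s /bin/sh is needed because service accounts usually have
# a nologin shell, which would make the plain "su -c" form fail for the wrong reason.
readable_by() {
    su -s /bin/sh -c "cat '$2' >/dev/null 2>&1" "$1"
}

# Usage: diagnose CERT.pem KEY.pem [user]
diagnose() {
    cert=$1; key=$2; user=${3:-asterisk}
    for f in "$cert" "$key"; do
        [ -e "$f" ] || { echo "MISSING: $f"; return 1; }
        ls -lL "$f"      # -L shows the symlink target's owner and mode
    done
    bits=$(key_bits "$key")
    if [ -n "$bits" ]; then
        echo "key: $bits bit"
    else
        echo "key: NOT parseable by OpenSSL (wrong file, wrong PEM type, or truncated)"
    fi
    if key_matches_cert "$key" "$cert"; then
        echo "key matches certificate"
    else
        echo "KEY/CERT MISMATCH: privkey.pem does not belong to this cert"
    fi
    if [ "$(id -u)" -eq 0 ]; then
        if readable_by "$user" "$key"; then
            echo "$user can read the key"
        else
            echo "$user CANNOT read the key (check modes on /etc/letsencrypt/live and /etc/letsencrypt/archive)"
        fi
    else
        echo "not root: skipping the read-as-$user check"
    fi
}

# Run the checks only when called with arguments, so the file can also be sourced.
[ "$#" -eq 0 ] || diagnose "$@"
```

Run it as root, e.g. `sh diagnose.sh /etc/letsencrypt/live/ws.mydomain.tld/fullchain.pem /etc/letsencrypt/live/ws.mydomain.tld/privkey.pem asterisk`. The permission check follows the `live/` symlinks into `archive/`, so a mode fix on `live/` alone is not enough; the key/cert match catches the case where a renewal rotated the key but Asterisk was pointed at a stale copy.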
Hello James
I am running asterisk as root, just to ‘disable’ all issues related to file rights. So this should not be the problem.
Kind regards.
On 03-06-17 at 08:09 James Cloos wrote: