VoIP Mailing List Archives

[thilo at ginkel.com]

Hello everyone,

I am currently struggling to get FreeSWITCH (1.10.5-release-17-25569c1631~64bit) to send the intermediate CA certificate for a Let's Encrypt X.509 certificate to be used for protecting SIPS traffic.


I included the certificate chain in agent.pem:


-- 8< --
-----BEGIN EC PARAMETERS-----
*REDACTED*
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
*REDACTED*
-----END EC PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
*SERVER CERT*
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
*INTERMEDIATE CERT*
-----END CERTIFICATE-----

-- 8< --


Still, clients are complaining about an invalid CA and openssl s_client hints at only the server cert being sent in the server hello.


What did I miss?
Thanks,
Thilo

[gidoramothra at gmail.com]

Hello, I also got certs from let's encrypt, and use a little script to make
freeswitch and the clients (polyphone, linphone, verto communicator)
happy. Just copy the contents of /etc/letsencrypt/live/your.host.name
to /etc/freeswitch/tls (or wherever your installation stores the certs)
and then do the following:

cat fullchain.pem privkey.pem > all.pem
ln -s all.pem tls.pem
ln -s all.pem agent.pem
ln -s all.pem wss.pem
ln -s all.pem dtls-srtp.pem

For me it works without even providing the real root ca cert, but if you
want that too, download it from letsencrypt like so:

wget -O ca.pem https://letsencrypt.org/certs/trustid-x3-root.pem.txt
cat chain.pem ca.pem > cafile.pem

Hope that works for You too. Polycoms need at least ucs v4.0.15 to
accept the letsencrypt certs (as far as I have tested it).

__
s.


On Wed, Mar 24, 2021 at 11:40:30AM +0100, Thilo-Alexander Ginkel wrote: