HTTPS/WSS WebSockets don't work with Let's Encrypt Certificates (tested on FOP2 2.31.33)

Hi,

I configured the SSL certificate files (Let's Encrypt certificates) in fop2.cfg with the same paths used in the Apache web server:

ssl_certificate_file=/etc/asterisk/keys/default.crt
ssl_certificate_key_file=/etc/asterisk/keys/default.key

The HTTPS page of FreePBX works fine, but when connecting to FOP2 I get these errors in the browser console:

WebSocket connection to 'wss://pbx.example.com:4445/' failed:

Looking deeper, I see that the private key is in EC (Elliptic Curve) format, not RSA.

Is the secp384r1 private key supported by FOP2?

Here are some details of the private key:

# openssl asn1parse -in /etc/asterisk/keys/default.key
    0:d=0  hl=3 l= 182 cons: SEQUENCE          
    3:d=1  hl=2 l=   1 prim: INTEGER           :00
    6:d=1  hl=2 l=  16 cons: SEQUENCE          
    8:d=2  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
   17:d=2  hl=2 l=   5 prim: OBJECT            :secp384r1

I think this is a problem with FOP2, because testing port 4445 with the openssl command does not return the certificate info:

$ openssl s_client -showcerts -connect pbx.example.com:4445
CONNECTED(00000003)
C0E148ADE87F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:308:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 334 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Let me know if you need more info.

Thank you in advance

Comments

  • I'm having similar issues, but I don't think that's the correct location for the LetsEncrypt certs that FreePBX manages. Those appear to be the self-signed certs. What we need is either in /etc/asterisk/keys/integration/ or /etc/asterisk/keys/integration/www.yourdomain.com
    There are files that appear to be the certificate and key file in both locations. But no matter what I put into fop2.cfg, it doesn't work.

  • This is what we have in fop2.cfg that seems to work. The user panel still isn't loading, but the page displays the correct cert info.
    ssl_certificate_file=/etc/httpd/pki/webserver.crt
    ssl_certificate_key_file=/etc/httpd/pki/webserver.key

  • The certs in the fop2.cfg file are only read by the websocket server (fop2_server), not your web server. If the user panel is not loading, it is most probably because it is using incorrect certs. There is a script provided, /usr/local/fop2/setSSL.sh, that tries to find the cert files from the apache config files and set them accordingly. You might want to try running that script and see if it finds the certs and sets them up in your fop2.cfg file.
