HTTPS Setup using self signed cert not working

I made a certificate myself by this command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout webserver.key -out webserver.crt

and replaced these two with the files that are used in httpd/ssl.conf

and now I can access UCP via https/https from Firefox and Chrome. But the webRTC phone doesn’t register.

So, first: is certman using another method/options for certificate generation?
And second: I don’t receive any traffic from the webRTC phone (not even an error); how can I debug this?

You need to go into certman and set the certificate you uploaded as the default. It’ll have a green checkmark next to it. Then apply config. Then restart.

Dear, I always did this.

The bug you reported ( http://issues.freepbx.org/browse/FREEPBX-12617 ) against webrtc is invalid. I’ve checked webrtc with experts (@billsimon) and we don’t have to do the workaround you’ve listed as it’s partially done in the library we use. I still think there’s a major issue with your system.

From this and the other few confusing threads on this issue I am gathering that some users are trying to use both http and https in their environments.

@psdk can you use your browser’s developer tools to be SURE everything is going over https and wss in your setup?

Sorry. But I did my test with 3 systems, in different environments (network,clients).
I’m confused.

I installed a 64-bit version today. After installation, I updated it to 10.13.66-12 with the update script, enabled Edge and upgraded all modules to the latest.
I made a self-signed certificate and installed it in Sysadmin.

Point: My test environment was completely different from my other tests.

Result: I could only log in to UCP via https with Firefox, and the webRTC phone didn’t register.
I logged in to UCP via http and the webRTC phone registered, but I had the “UNREACHABLE” issue again.

So please don’t tell me this is my installation issue. This makes me crazy.

Well I am sorry to keep telling you this but I can’t replicate it. My support team can’t. My development team can’t. Other users can’t. I don’t know what you expect us to fix when there is nothing we can figure out.

Perhaps you should consider that we really can’t help you here because of import export laws of cryptographic technologies as well.

The code is open source. So I encourage you to try to figure out the solution yourself. When you do you can post here of course or open a bug but right now we aren’t getting anywhere.

Yes, you’re right. But please advise me again.
Are my steps right?
1-download 64-bit ISO.
2-installed it. (almost all my tests are on VMware) and IP from DHCP.
3-after installing and running the first boot script I upgrade it to the latest version via the upgrade script.
4-after finishing this, I reboot the system.
5-access to web
6-activate system
7-enable edge
8-update all modules
9-delete default certificate
10-generate a self-signed
11-import into Apache with Sysadmin
12-create 2 extensions
13-enable UCP and webRTC for one of them.

and then I’ll test call between them.

I suggest you delete the default CA as well.

Yes, I did. Sorry, I wrote it badly.
So do you do these steps too?

yes and it works fine.

After yesterday’s updates, when I log in via https with Firefox, I see the errors below in Asterisk (the webRTC phone still couldn’t register):

[2016-06-30 09:02:33] ERROR[2764]: tcptls.c:609 handle_tcptls_connection: Problem setting up ssl connection: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
[2016-06-30 09:02:33] WARNING[2764]: tcptls.c:684 handle_tcptls_connection: FILE * open failed!
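
As an added example (not part of the original thread, and not FreePBX or Asterisk code), the packed OpenSSL error code in the log line above can be decoded to see which side of the TLS handshake raised the failure. It assumes the OpenSSL 1.x error layout (8-bit library, 12-bit function, 12-bit reason); the function and field names are illustrative.

```python
import re

# TLS alert descriptions (RFC 5246 / RFC 6066) that relate to certificate handling.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
    112: "unrecognized_name",
}
# OpenSSL reports an alert received from the peer as reason = 1000 + alert number.
ALERT_REASON_OFFSET = 1000

# Constructed sample: the two Asterisk log lines quoted in the post above.
SAMPLE_LOG = (
    "[2016-06-30 09:02:33] ERROR[2764]: tcptls.c:609 handle_tcptls_connection: "
    "Problem setting up ssl connection: error:14094412:SSL routines:"
    "SSL3_READ_BYTES:sslv3 alert bad certificate\n"
    "[2016-06-30 09:02:33] WARNING[2764]: tcptls.c:684 handle_tcptls_connection: "
    "FILE * open failed!\n"
)

ERR_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] ERROR\[\d+\]: tcptls\.c:\d+ handle_tcptls_connection: "
    r".*?error:(?P<code>[0-9A-Fa-f]{8}):"
)

def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.x error code into library, function and reason."""
    code = int(code_hex, 16)
    reason = code & 0xFFF
    from_peer = reason >= ALERT_REASON_OFFSET
    alert = reason - ALERT_REASON_OFFSET if from_peer else None
    return {
        "lib": (code >> 24) & 0xFF,    # 20 is the SSL library
        "func": (code >> 12) & 0xFFF,
        "reason": reason,
        "alert": alert,
        "alert_name": TLS_ALERTS.get(alert, "unknown") if from_peer else None,
        "raised_by": "peer" if from_peer else "local",
    }

def diagnose(log_text):
    """Return one decoded finding per TLS setup error in an Asterisk log."""
    findings = []
    for m in ERR_RE.finditer(log_text):
        finding = decode_openssl_error(m.group("code"))
        finding["timestamp"] = m.group("ts")
        findings.append(finding)
    return findings
```

For the quoted line the reason decodes to alert 42 received from the peer, meaning the connecting TLS client refused the certificate that Asterisk's own TLS listener presented.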

There were no updates made to anything we have discussed here.

Considering you are coming from Iran, I have no doubt that there are import/export laws specifically prohibiting certain cryptographic technologies from going into your country. Our company is in Canada and the United States, respectively, and thus we really can’t be providing cryptographic support services.

I checked module updates and noticed one UCP update, so I did it, and then I received this, dear.

Dear, these are totally local environments, and government and laws don’t interfere at all.

We can keep arguing if you wish however UCP doesn’t do anything with certificates.

what about sipjs for webRTC phone?

That is part of the webrtc module.

1 Like

Hi Everybody,

I just want to give this little contribution: I had almost all the problems described above as well, and I also used a self-signed certificate, which only made WebRTC work on http, but not https.

But after installing a Let’s Encrypt certificate (which is free) and reinstalling the UCP Node Server module, all looks well for me now.
I can log on with https to my UCP panel, and all modules are started and “green”, the Web Phone as well as XMPP.
So the magic trick here obviously really is the Let’s Encrypt certificate.

I hope this helps you not to spend hours and hours trying, but to go for the Let’s Encrypt certificate right away.

Cheers, NUB

1 Like

I forgot to mention that I have a new / different problem now, which is that I can’t call, and I get the error message below:

chan_sip.c:10427 process_sdp: Can’t provide secure audio requested in SDP offer

but I will open a separate case for this.