Bela, May 2, 2012

I have looked through the forums, but this does not seem to have been answered. I have tried to install a private key plus an SSL certificate from two CAs (StartCom and GeoTrust), but no matter what, after I install it as a server certificate I get an SSL error and can't connect to the PBX web server securely until I delete the cert. The error is different depending on the browser, but none of them work. The cert is 2048 bit, as it's not possible to get any lower ones. I installed the cert and the intermediary cert, and the private key. The trusted root CA is there for both GeoTrust and StartCom. Any ideas? Thanks in advance. Bela
Vodia support, May 2, 2012

Please use only 512 and 1024 bit certificates. The system currently has trouble handling certificates with other sizes. The security and the performance on these certificates is still reasonable.
Vodia PBX, May 3, 2012

> Please use only 512 and 1024 bit certificates. The system currently has trouble handling certificates with other sizes. The security and the performance on these certificates is still reasonable.

That's incorrect. snom ONE can deal with 2048 bits. You need to install that as server cert, and you must include the private key as well (everything Base64 encoded). If you import a certificate chain, make sure that the root CA is at the top and the intermediate right below it. You should see that also in the Wireshark trace then.
Bela, May 3, 2012 (author)

> That's incorrect. snom ONE can deal with 2048 bits. You need to install that as server cert, and you must include the private key as well (everything Base64 encoded). If you import a certificate chain, make sure that the root CA is at the top and the intermediate right below it. You should see that also in the Wireshark trace then.

Well, yes, it has been impossible to buy a signed SSL certificate from a trusted CA below 2048 bits for a long time now... On the other note, I have tried everything, but I get the same errors. When adding to snom ONE, in the certificate field I entered the web server certificate, empty line, then the root CA from GeoTrust, empty line, then the intermediary CA from GeoTrust. In the private key section, I enter the private key. I add it as a server certificate chain + private key. I see the domain name in the certificate list. But when I try to access the admin web via HTTPS I get the errors... Bela
Vodia PBX, May 3, 2012

I believe you are almost there... Because it is a chain, I would use the web server certificate, empty line, then the intermediary CA from GeoTrust, then the root CA from GeoTrust. Empty lines don't matter, just make sure that the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines are there.
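The chain order given in the reply above (server certificate first, then the intermediate CA, then the root CA), as an added example that is not part of this thread and not snom ONE or Vodia code: a POSIX shell script around the openssl CLI that builds a constructed test PKI, assembles the bundle in that order and checks it the way a browser would before it is pasted into the PBX. The host name sip.example.com, the CA names and all file names are made up for the example; the served_chain helper needs a live host:port and is not run by the demo.

```shell
#!/bin/sh
# Added example, not code from snom ONE / Vodia or from this thread.
# Assemble a server certificate bundle in the order the reply above gives
# (server certificate, then intermediate CA, then root CA) and check it with
# the openssl CLI before pasting it into the PBX. Needs OpenSSL 1.1.1 or 3.x.

# Constructed test PKI: self-signed root, intermediate signed by the root, and a
# 2048-bit server certificate for the made-up host sip.example.com.
# Prints the directory that holds root.pem, int.pem, server.pem and server.key.
make_test_pki() {
    dir=$(mktemp -d) || return 1
    # Minimal config so the script does not depend on the system openssl.cnf.
    cat > "$dir/cfg" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:sip.example.com
EOF
    (
        cd "$dir" || exit 1
        openssl req -x509 -config cfg -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=Example Test Root CA" -keyout root.key -out root.pem &&
        openssl req -config cfg -newkey rsa:2048 -nodes \
            -subj "/CN=Example Test Intermediate CA" -keyout int.key -out int.csr &&
        openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -days 365 -extfile cfg -extensions ca_ext -out int.pem &&
        openssl req -config cfg -newkey rsa:2048 -nodes \
            -subj "/CN=sip.example.com" -keyout server.key -out server.csr &&
        openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
            -days 365 -extfile cfg -extensions srv_ext -out server.pem
    ) >/dev/null 2>&1 || return 1
    echo "$dir"
}

# Concatenate the PEM blocks in the order server cert, intermediate, root.
build_chain() {   # $1=server.pem $2=int.pem $3=root.pem $4=output bundle
    cat "$1" "$2" "$3" > "$4"
}

# Subject of the FIRST certificate in a bundle (openssl x509 reads only the
# first block), i.e. what a TLS stack will present as the leaf certificate.
first_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Validate the bundle like a browser: the leaf must chain through the
# intermediate to the trusted root. The exit status is the result.
verify_chain() {   # $1=bundle $2=root.pem (trust anchor)
    tmp=$(mktemp) || return 1
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$1" > "$tmp"   # leaf only
    openssl verify -CAfile "$2" -untrusted "$1" "$tmp" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# RSA modulus size of the certificate's public key, e.g. 2048.
key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# The private key must belong to the server certificate: compare public keys.
key_matches_cert() {   # $1=server.key $2=server.pem
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    b=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# What a running server actually sends (needs a live host:port; not used by the
# demo). Each " N s:" line is one certificate in the order it was presented.
served_chain() {   # $1=host:port
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null |
        grep -E '^ *[0-9]+ s:'
}

demo() {
    dir=$(make_test_pki) || { echo "could not build test PKI" >&2; return 1; }
    build_chain "$dir/server.pem" "$dir/int.pem" "$dir/root.pem" "$dir/chain.pem"
    echo "leaf presented first : $(first_subject "$dir/chain.pem")"
    echo "key size             : $(key_bits "$dir/server.pem") bit"
    verify_chain "$dir/chain.pem" "$dir/root.pem" && echo "chain verifies       : OK"
    key_matches_cert "$dir/server.key" "$dir/server.pem" && echo "key matches cert     : yes"
    # The same bundle pasted root-first: the first block is now a CA, not the host.
    cat "$dir/root.pem" "$dir/int.pem" "$dir/server.pem" > "$dir/wrong.pem"
    echo "root-first bundle presents: $(first_subject "$dir/wrong.pem")"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with `sh chain.sh demo`. Because `openssl x509` only ever reads the first PEM block, `first_subject` is a quick way to catch a bundle pasted in root-first order, which is what the two earlier replies disagreed about; `verify_chain` then confirms the leaf really chains to the root through the intermediate that was pasted, and `key_matches_cert` catches a key that belongs to a different CSR. For a deployed server, `served_chain sip.example.com:443` shows the order the PBX actually sends, which is what a packet capture would reveal.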
Vodia support, May 3, 2012

> That's incorrect. snom ONE can deal with 2048 bits. You need to install that as server cert, and you must include the private key as well (everything Base64 encoded). If you import a certificate chain, make sure that the root CA is at the top and the intermediate right below it. You should see that also in the Wireshark trace then.

http://wiki.snomone.com/index.php?title=Certificates Will have to change this information on the wiki. Thanks
Bela, May 3, 2012 (author)

> I believe you are almost there... Because it is a chain, I would use the web server certificate, empty line, then the intermediary CA from GeoTrust, then the root CA from GeoTrust. Empty lines don't matter, just make sure that the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines are there.

I think I already tried in this order, but nevertheless I did it again... Same error...

In Chrome:
SSL connection error
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

In Firefox:
Secure Connection Failed
An error occurred during a connection to sip.xxxxxxx.com:xxxx.
SSL received a record with an incorrect Message Authentication Code. (Error code: ssl_error_bad_mac_read)

Internet Explorer doesn't even connect...

This all happens if I add it as a Server Certificate Chain + key. If I add it as a Domain Certificate chain, snom ONE doesn't even use it, although the domain in the cert matches the domain of snom ONE, but instead presents the "Snom One Intermediate" certificate for HTTPS traffic...
Vodia PBX, May 4, 2012

Maybe you can give us a PCAP trace and the certificates in Base64 format (just send a private message). It seems there is something wrong with the certificate chain representation in the TLS stream.
Bela, May 5, 2012 (author)

> Maybe you can give us a PCAP trace and the certificates in Base64 format (just send a private message). It seems there is something wrong with the certificate chain representation in the TLS stream.

You mean that I should capture the IP packets? I guess if you have the certs and install them in a snom ONE, you will have the same problem. And since this happens with two certification authorities, I assume it's something in the snom ONE. Nevertheless, I can send you the certs in a PM, but then I would have to send you the private key as well? Bela
Vodia PBX, May 6, 2012

> Nevertheless, I can send you the certs in a PM, but then I would have to send you the private key as well?

Yes, the certificate works only if we have the private key as well. We'll keep it for ourselves, promise!
hosted, November 22, 2012

I can't for the life of me get this to work. If I put web cert, intermediary cert, root cert in the certificate field, and the private key in the private key field, it does not show up in the cert list. If I put the web cert last it shows up but doesn't work.
Vodia PBX, November 24, 2012

I think the problem is that the key header is "BEGIN PRIVATE KEY" while the PBX would expect "BEGIN RSA PRIVATE KEY". Also if this is a domain key pair, the subject must be exactly the domain name. Wildcards don't work.
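The two PEM key headers named in the reply above, as an added example that is not the PBX's own code and not from this thread: a POSIX shell script around the openssl CLI that reports which encoding a key file uses and converts it to the PKCS#1 "RSA PRIVATE KEY" form the PBX is said to expect. "BEGIN PRIVATE KEY" is the PKCS#8 wrapper, which OpenSSL 3 writes by default, so a key generated on a current machine needs converting before it is pasted in. The 2048-bit key it generates is a throwaway and all file names are made up.

```shell
#!/bin/sh
# Added example, not code from snom ONE / Vodia or from this thread.
# The two PEM private-key encodings the reply above talks about:
#   "-----BEGIN PRIVATE KEY-----"      PKCS#8, algorithm-agnostic wrapper
#   "-----BEGIN RSA PRIVATE KEY-----"  PKCS#1, the "traditional" RSA format
# OpenSSL 3 writes PKCS#8 by default; OpenSSL 1.1 writes PKCS#1 by default.
# Needs the openssl command (1.1.1 or 3.x).

# First line of a PEM file, e.g. "-----BEGIN RSA PRIVATE KEY-----".
key_header() {
    head -n 1 "$1"
}

# Write key $1 as PKCS#1 ("RSA PRIVATE KEY") to $2. OpenSSL 3 needs -traditional;
# OpenSSL 1.1 rejects that flag but writes PKCS#1 anyway, hence the fallback.
to_pkcs1() {
    openssl rsa -in "$1" -traditional -out "$2" 2>/dev/null ||
        openssl rsa -in "$1" -out "$2" 2>/dev/null
}

# Write key $1 as unencrypted PKCS#8 ("PRIVATE KEY") to $2.
to_pkcs8() {
    openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2" 2>/dev/null
}

# True when two key files hold the same RSA key (compares the public parts),
# i.e. the conversion changed only the container, not the key.
same_key() {
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Generate a constructed 2048-bit RSA key and show it in both encodings.
demo() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/gen.key" 2048 2>/dev/null || return 1
    to_pkcs1 "$dir/gen.key" "$dir/pkcs1.key" || return 1
    to_pkcs8 "$dir/gen.key" "$dir/pkcs8.key" || return 1
    echo "as generated : $(key_header "$dir/gen.key")"
    echo "PKCS#1       : $(key_header "$dir/pkcs1.key")"
    echo "PKCS#8       : $(key_header "$dir/pkcs8.key")"
    same_key "$dir/pkcs1.key" "$dir/pkcs8.key" && echo "both files carry the same key"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with `sh keyformat.sh demo`; the "as generated" line differs between OpenSSL 1.1 and 3, the other two do not. Only the container changes, so a key that the PBX rejected for its header can be converted in place without touching the certificate that was issued for it; `same_key` is the check that nothing else changed.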
hosted, November 25, 2012

Aw dang, add wildcard to a feature wishlist. Wildcards would be required for hosting.
Vodia PBX, November 25, 2012

Well, you can use wildcards for the system, no problem there. For example *.myhostedpbx.com. But not for a domain.