![FreeSWITCH 1.8](https://wfqqreader-1252317822.image.myqcloud.com/cover/979/36700979/b_36700979.jpg)
Certificates
This is one stumbling block for many FreeSWITCH/WebRTC newcomers. We'll need many certificate-related files, and different combinations of them, to encrypt the different kinds of FreeSWITCH traffic: "traditional" SIP over TLS (e.g., "sips" as in classic RFC 3261), SIP over WSS, Verto over WSS, and SRTP media.
We also need certificate files for the HTTPS server, which will serve the web pages and JavaScript that browsers load as our WebRTC clients.
We need the Certification Authority root and chain files.
And we'll need the private key too.
Also, the original certificate files need to be concatenated in different ways to form the different ready-to-use certificate files we'll need.
No wonder many find this confusing.
I use one easy solution: I put all the certificate-related files in a single directory, and have both the various FreeSWITCH modules and the web server (Apache or Nginx) fetch them from there.
I also have a script that concatenates them in the correct way. You can use it directly (if your certificate comes from the same provider as mine), or easily modify it to suit the files your certificate provider sent you.
First of all: forget about self-signed certificates and similar souped-up solutions. Self-signed certificates "may" work for testing purposes, but it is such a PITA to get all the moving parts correctly coordinated that it is not worth it at all, and a sure recipe for a lot of wasted time and frustration. Simply put: DON'T. Use real, valid certificates for real, valid domain names (e.g., no IP addresses).
If your server(s) will answer requests for one or a few domains, you're lucky: certificates can be obtained instantly and for free from letsencrypt.org.
If you want your server(s) to answer for all possible subdomains of a main domain (e.g., www.mydomain.com, sip.mydomain.com, support.mydomain.com, sip.mycustomername.mydomain.com, www.mysecondcustomername.mydomain.com, and so on), you need to buy a wildcard certificate. No free options exist at the moment for wildcard certificates, but this may change in the future.
In case of free (and perfectly valid) certificates made via www.letsencrypt.org (check their website for instructions):
```sh
#!/bin/sh
# Copy the Let's Encrypt files for this host into the single certs directory
cp /etc/letsencrypt/live/my.fqdn.com/* /usr/local/freeswitch/certs/
cd /usr/local/freeswitch/certs/ || exit 1
cat fullchain.pem privkey.pem > wss.pem   # leaf + chain + key: SIP and Verto over WSS
cat cert.pem privkey.pem > agent.pem      # leaf + key: SIP over TLS
cat chain.pem > cafile.pem                # CA chain used to verify peers
```
In case of PositiveSSL wildcard certificates issued by Comodo (google around for rock-bottom prices), note that you must find and download the addtrustexternalcaroot.crt file:
```sh
#!/bin/sh
cd /usr/local/freeswitch/certs/ || exit 1
# Rename the vendor's files to the same names the Let's Encrypt script uses
cp myserver.key privkey.pem
cp STAR_mydomain_com.crt cert.pem
cp STAR_mydomain_com.ca-bundle chain.pem
# Leaf, then intermediates, then the AddTrust root
cat cert.pem chain.pem addtrustexternalcaroot.crt > fullchain.pem
# Leaf, key, then the full chain (the leaf appears twice; the duplicate is redundant but harmless)
cat cert.pem privkey.pem fullchain.pem > wss.pem
cat fullchain.pem privkey.pem > agent.pem
cat chain.pem > cafile.pem
```
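As an added example (my own, not one of the book's scripts), here is a generalized version of the two scripts above: a POSIX sh function that builds fullchain.pem, wss.pem, agent.pem and cafile.pem from whatever cert.pem, privkey.pem and chain.pem your CA hands out, plus an OpenSSL check that the key matches the leaf and that the chain verifies. The input file names follow the book's layout; the optional root.pem name and the check function are assumptions of this example.

```sh
#!/bin/sh
# Added example, not one of the book's scripts. Builds the FreeSWITCH bundles
# from the files a CA normally provides, in the directory given as $1:
#   cert.pem     leaf certificate      privkey.pem  private key
#   chain.pem    intermediate CA(s)    root.pem     CA root (optional, assumed name)
# Outputs use the book's names: fullchain.pem, wss.pem, agent.pem, cafile.pem.
build_fs_certs() {
    dir=$1
    for f in cert.pem privkey.pem chain.pem; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    # Order matters: leaf first, then intermediates, then the root if supplied.
    if [ -f "$dir/root.pem" ]; then
        cat "$dir/cert.pem" "$dir/chain.pem" "$dir/root.pem" > "$dir/fullchain.pem"
    else
        cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
    fi
    cat "$dir/fullchain.pem" "$dir/privkey.pem" > "$dir/wss.pem"   # SIP/Verto over WSS
    cat "$dir/cert.pem" "$dir/privkey.pem" > "$dir/agent.pem"      # SIP over TLS
    cat "$dir/chain.pem" > "$dir/cafile.pem"                       # CA list
    # Every file holding the private key must not be world-readable.
    chmod 600 "$dir/privkey.pem" "$dir/wss.pem" "$dir/agent.pem"
}

# Count PEM blocks of a given type ("CERTIFICATE" or "PRIVATE KEY") in a file.
count_pem() {
    grep -c -- "^-----BEGIN .*$2-----" "$1" || true
}

# OpenSSL sanity check for real certificates: the key must match the leaf, and
# the leaf must verify through chain.pem up to a root in the system trust store.
check_fs_certs() {
    dir=$1
    k=$(openssl pkey -in "$dir/privkey.pem" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$dir/cert.pem" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$k" = "$c" ] || { echo "privkey.pem does not match cert.pem" >&2; return 1; }
    openssl verify -untrusted "$dir/chain.pem" "$dir/cert.pem"
}
```

Run `build_fs_certs /usr/local/freeswitch/certs` after dropping the CA's files there, then `check_fs_certs` on the same directory before restarting FreeSWITCH.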