Problem with using SSL connection (wss)

Discussion in 'Web Call Server 4' started by Petr, Nov 26, 2015.

  1. Petr

    Petr New Member

    Hi. On my web server I use an SSL connection. So, when I have your server running and connect from the web-interface phone (Phone.html), I receive an error which says that the connection to wss is refused. So, must I send you the logs and conf in a zip?) And another problem, with importing the intermediate certificate: in the documentation it has a .pem file extension, but I have a .crt extension. What to do with this?
    Additional:
    In the PDF documentation for admins (Russian version) there is a problem: many console commands are cut off. In the HTML version all is OK.
  2. Max

    Max Administrator Staff Member

    Try to set:
    Code:
     <url_ws_server>wss://host:8443</url_ws_server>
    in examples/flashphoner.xml (client-side)
    wss - means secure websocket over SSL will be used
    8443 - port
    Test
    Open this page in web browser: https://host:8443
    If certificate is imported properly, this page should be empty and you should see certificate icon in the browser url string.
    Then you can try to connect from Phone.html.
    See Chrome Developer Console output and 'Network' tab for debug.
    Try to convert your .crt file to .pem using keytool
    or just try to use your .crt files instead of .pem
  3. Petr

    Petr New Member

    So, I have tried to open https://host:8443 (yes, with my real address, not "host"). I can't connect, but the server is started (checked the status).
    And my questions:
    1. Are there any params in the config files which I must inspect?
    2. "Try to convert your .crt file to .pem using keytool" - how? Something like this:
    keytool -import -keystore /usr/local/FlashphonerWebCallServer/conf/wss.jks -file intermediate.crt ?
  4. Max

    Max Administrator Staff Member

  5. Max

    Max Administrator Staff Member

  6. Petr

    Petr New Member

    No, it doesn't help. In Chrome: ERR_CONNECTION_REFUSED. And port 8443 is open (by lsof -i :8443). So, what may be the trouble? Or where in the logs will it show information about errors with certificates?
  7. Max

    Max Administrator Staff Member

    Try this port via
    Code:
    >telnet host 8443
    Is this open?
  8. Petr

    Petr New Member

    By that:
    telnet: connect to address <my_host>: Connection refused
    But by lsof -i :8443:
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    java 12345 root 61u IPv4 896188733 0t0 TCP *:pcsync-https (LISTEN)
  9. Max

    Max Administrator Staff Member

    Maybe your 8443 port is closed by a firewall?
  10. Petr

    Petr New Member

    No. And for a test I turned it off. However, port 8080 is open and it works, but 8443 has this problem.
  11. Max

    Max Administrator Staff Member

    Most likely it is a certificate issue.
    Try to replace the wss.jks file with the one from the Web Call Server installation archive.
    Then stop/start the server and try https://host:8443
    If it works correctly, import your certificates again using the keytool and stop/start the server again.
    You can also send us your actual wss.jks and its password by email. We can check its certificate content by keytool.
  12. Petr

    Petr New Member

    So, it's the certs. I did the first steps, setting wss.jks from the original archive, and it works. The telnet variant works too)
    Which files do you need and to what e-mail?
  13. Max

    Max Administrator Staff Member

    When you are using the keytool, you import your SSL certificates and keys into the wss.jks (java key store for websocket SSL).
    So try to import your certificates into wss.jks from scratch and restart WCS server.
    If it does not help, you can send your certificates to logs@flashphoner.com and we will try to import them on our testing server. If it goes well, we will describe our steps.
  14. Petr

    Petr New Member

  15. Max

    Max Administrator Staff Member

    We have successfully imported your certificates and tested wss connection.
    It works for us.
    Please follow the instructions below.
    'mydomain' is domain name of your server.

    1. Remove self-signed certificate from the keystore
    Code:
    keytool -delete -alias selfsigned -keystore /usr/local/FlashphonerWebCallServer/conf/wss.jks
    2. Create a new keystore based on the certificate and private key
    Code:
    openssl pkcs12 -export -in mydomain_root.crt -inkey mydomain.key -out mydomain.p12 -name "mydomain"
    3. Import the newly created keystore into existing wss.jks
    Code:
    keytool -importkeystore -srckeystore mydomain.p12 -srcstoretype PKCS12 -destkeystore /usr/local/FlashphonerWebCallServer/conf/wss.jks
    Enter destination keystore password:
    Enter source keystore password:
    Entry for alias mydomain successfully imported.
    Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
    4. Import intermediary certificate into the wss.jks keystore
    Code:
    keytool -import -keystore /usr/local/FlashphonerWebCallServer/conf/wss.jks -file intermediate.pem -alias ca-root
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    5. Restart WCS server.
    Code:
    cd /usr/local/FlashphonerWebCallServer/bin
    ./webcallserver restart
    6. Use wss://mydomain:8443 as connection WSS URL.
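
Added example (not part of the thread and not Flashphoner's own code): a check of the keystore after the six steps above, reading the text printed by `keytool -list -v -keystore /usr/local/FlashphonerWebCallServer/conf/wss.jks`. It also catches the case raised earlier in the thread, where a `.crt` is added with `keytool -import` alone and the alias ends up as a certificate entry with no private key. The two listings in the script are constructed and abridged, and English keytool output is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads the output of
#   keytool -list -v -keystore /usr/local/FlashphonerWebCallServer/conf/wss.jks
# on stdin (English keytool messages assumed) and checks the result of steps 1-4.
audit_wss_listing() {
    # $1: alias that must hold the private key; $2: alias that must be gone
    awk -v want="$1" -v stale="$2" '
        /^Alias name: /               { alias = substr($0, 13) }
        /^Entry type: /               { type[alias] = substr($0, 13) }
        /^Certificate chain length: / { chain[alias] = $NF + 0 }
        END {
            rc = 0
            if (stale in type) { print "FAIL: alias " stale " still present"; rc = 1 }
            if (!(want in type)) {
                print "FAIL: alias " want " not found"; rc = 1
            } else if (type[want] != "PrivateKeyEntry") {
                print "FAIL: " want " is " type[want] ", no private key"; rc = 1
            } else if (chain[want] < 2) {
                print "WARN: " want " stores only the leaf certificate in its chain"
            }
            if (rc == 0) print "OK: " want " is a PrivateKeyEntry"
            exit rc
        }'
}

# Constructed, abridged listing: the state expected after steps 1-4.
good_listing() {
    cat <<'EOF'
Keystore type: JKS
Alias name: mydomain
Entry type: PrivateKeyEntry
Certificate chain length: 1
Alias name: ca-root
Entry type: trustedCertEntry
EOF
}

# Constructed listing: step 1 skipped and the .crt imported without its key.
bad_listing() {
    cat <<'EOF'
Alias name: selfsigned
Entry type: PrivateKeyEntry
Alias name: mydomain
Entry type: trustedCertEntry
EOF
}

good_listing | audit_wss_listing mydomain selfsigned
bad_listing  | audit_wss_listing mydomain selfsigned || echo "keystore needs re-import"
```

On a real server, pipe the keytool listing into `audit_wss_listing mydomain selfsigned` in place of the sample functions.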
  16. Petr

    Petr New Member

    So, it doesn't help. But, have you tested your server in OpenVZ?
  17. Max

    Max Administrator Staff Member

    We tested it on a VPS Xen server, Amazon EC2, Digitalocean virtual servers, vmware, and other virtual environments.
    We didn't test it with OpenVZ as far as I know.
    By the way, did you install Oracle JDK? Maybe it would help to fix the issue.
  18. Petr

    Petr New Member

    Yes. JDK is installed. I think it's a problem with our VPS on OpenVZ.
