Webphone Browser-Phone does not work with letsencrypt certificates #557

Open
jromero17 opened this issue Oct 1, 2024 · 9 comments

@jromero17

Webphone Browser-Phone does not work with letsencrypt certificates, please, I appreciate your guidance.

On LAN with self signed certificate it worked, but with letsencrypt certificates it does not work, it does not register.

The asterisk PBX is on the LAN and I am forwarding.

The IP PBX with asterisk has apache server, I installed a wordpress template and also the DNS server.

On the LAN it works, but with Letsencrypt it does not work.

The Asterisk IP PBX has FreePBX installed to manage it, I am using only PJSIP.

I am using VirtualHost in apache and several subdomains in the domain certificate creation and all those subdomains are configured in the DNS server.

@jromero17
Author

I also tried putting the PBX on a public IP; that did not work either.

@InnovateAsterisk
Owner

I'm sure that Let's Encrypt certificates work. Here is an example: https://www.innovateasterisk.com/phone/
Also with WordPress on the root.

There must be a config issue. When you say that it does not register, what does it show in the Developer Console? Also, since you say it's not registering, that sounds like the Phone code/UI is loading right?
So this appears only to be a connection error for the underlying WebSocket connection. Are you sure that the port, and path are set correctly?

@jromero17
Author

Greetings, and thanks for answering. As I mentioned before, with a self-signed certificate for a private IP 192.168.2.60 it worked for me; here is evidence that on the local network (LAN) it worked for me with a self-signed certificate.

But now with a real domain it does not work for me, you can look here: https://app.iscotel.com.ve/

@jromero17
Author

jromero17 commented Oct 1, 2024

Here is evidence that in the LAN it worked for me

Communication error between Browser-Phone and Linphone. #552

@jromero17
Author

Creating User Agent... phone.js:1928:13
Creating User Agent... Done phone.js:2009:13
Creating Registerer... Done phone.js:2060:13
User Agent Connecting to WebSocket... phone.js:2080:13
Tue Oct 01 2024 14:21:47 GMT-0400 (hora de Venezuela) | sip.UserAgent | Starting sip:2201@app.iscotel.com.ve sip-0.20.0.min.js:2:127164
Tue Oct 01 2024 14:21:47 GMT-0400 (hora de Venezuela) | sip.UserAgent | Transitioned from Stopped to Started sip-0.20.0.min.js:2:127164
Tue Oct 01 2024 14:21:47 GMT-0400 (hora de Venezuela) | sip.Transport | Connecting wss://app.iscotel.com.ve:8089/ws sip-0.20.0.min.js:2:127164
Tue Oct 01 2024 14:21:47 GMT-0400 (hora de Venezuela) | sip.Transport | Transitioned from Disconnected to Connecting sip-0.20.0.min.js:2:127164
Firefox no puede establecer una conexión con el servidor en wss://app.iscotel.com.ve:8089/ws. sip-0.20.0.min.js:2:223358
Tue Oct 01 2024 14:21:49 GMT-0400 (hora de Venezuela) | sip.Transport | WebSocket error occurred. sip-0.20.0.min.js:2:127094
Tue Oct 01 2024 14:21:49 GMT-0400 (hora de Venezuela) | sip.Transport | WebSocket closed unexpectedly sip-0.20.0.min.js:2:127130
Tue Oct 01 2024 14:21:49 GMT-0400 (hora de Venezuela) | sip.Transport | WebSocket closed wss://app.iscotel.com.ve:8089/ws (code: 1015) sip-0.20.0.min.js:2:127164
Tue Oct 01 2024 14:21:49 GMT-0400 (hora de Venezuela) | sip.Transport | Transitioned from Connecting to Disconnected sip-0.20.0.min.js:2:127164
WebSocket Connection Failed: Error: WebSocket closed wss://app.iscotel.com.ve:8089/ws (code: 1015)
onWebSocketClose https://dtd6jl0d42sve.cloudfront.net/lib/SipJS/sip-0.20.0.min.js:2
_connect https://dtd6jl0d42sve.cloudfront.net/lib/SipJS/sip-0.20.0.min.js:2
phone.js:2111:13
Unregister... phone.js:2118:13
Tue Oct 01 2024 14:21:49 GMT-0400 (hora de Venezuela) | sip.Registerer | Not currently registered, but sending an unregister anyway. sip-0.20.0.min.js:2:127130
Tue Oct 01 2024 14:21:49 GMT-0400 (hora de Venezuela) | sip.Registerer | Waiting toggled to true sip-0.20.0.min.js:2:127164
Reconnect Transport... phone.js:2148:13
Waiting to Re-connect... 3 Attempt remaining 999 phone.js:2171:13
Tue Oct 01 2024 14:21:49 GMT-0400 (hora de Venezuela) | sip.user-agent-client | Not connected. sip-0.20.0.min.js:2:127094
Tue Oct 01 2024 14:21:49 GMT-0400 (hora de Venezuela) | sip.user-agent-client | User agent client request transport error. Generating internal 503 Service Unavailable. sip-0.20.0.min.js:2:127094
Tue Oct 01 2024 14:21:49 GMT-0400 (hora de Venezuela) | sip.Registerer | Unregister rejected with status code 503 sip-0.20.0.min.js:2:127094
Tue Oct 01 2024 14:21:49 GMT-0400 (hora de Venezuela) | sip.Registerer | Registration transitioned to state Unregistered sip-0.20.0.min.js:2:127164
User Agent Registration State: Unregistered phone.js:2063:17
Tue Oct 01 2024 14:21:49 GMT-0400 (hora de Venezuela) | sip.Registerer | Waiting toggled to false

@InnovateAsterisk
Owner

InnovateAsterisk commented Oct 1, 2024

Your web page works fine, and I'm able to register my own extension to my own server without a problem. There are two connections to consider: the page that hosts the HTML and JavaScript that makes up the phone, and then the WebSocket that connects back to Asterisk. Right now your problem is with the WebSocket connection.

wss://app.iscotel.com.ve:8089/ws <- This is the problem.

You can test the SSL of your connection by using HTTPS and seeing if it can respond with the request to upgrade. The error you want to get off this: https://app.iscotel.com.ve:8089/ws is something like "Error upgrade required..." I see it responds with an SSL error, so the browser is not able to perform the SSL handshake, before even sending the request.

Make sure you have correctly referenced the Let's Encrypt PEM file in your Asterisk http.conf file (if you are hosting the WebSocket directly in Asterisk).
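
Added example (not part of the comment above, and not Browser-Phone or SIP.js code): a small Node.js helper that reads console output like the log earlier in this thread, picks out the WebSocket close code, and derives the HTTPS probe URL described above. The host `pbx.example.com`, the function name and the hint texts are assumptions made for the example, and the log lines are constructed.

```javascript
// Close-code meanings follow RFC 6455 section 7.4.1. The hint texts are this
// example's own wording, not messages produced by SIP.js or Browser-Phone.
const CLOSE_CODES = {
  1006: { stage: "transport", hint: "Closed without a close frame: check that the port is reachable and a listener is bound to it." },
  1015: { stage: "tls", hint: "TLS handshake failed before any HTTP request: check the certificate, chain and key on the WebSocket listener." },
};

// diagnoseWebSocketFailure is a hypothetical helper name.
function diagnoseWebSocketFailure(consoleText, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const seen = new Set();
  // SIP.js transport lines look like: "WebSocket closed wss://host:port/path (code: NNNN)"
  const re = /WebSocket closed (wss?:\/\/\S+) \(code: (\d+)\)/g;
  for (const m of consoleText.matchAll(re)) {
    const key = `${m[1]}|${m[2]}`;
    if (seen.has(key)) continue; // the same failure is logged more than once
    seen.add(key);
    const ws = new URL(m[1]);
    const code = Number(m[2]);
    const known = CLOSE_CODES[code] || { stage: "unknown", hint: "No specific guidance for this close code." };
    // The probe from the thread: open the same endpoint over HTTP(S) in a browser.
    const probe = new URL(ws.href);
    probe.protocol = ws.protocol === "wss:" ? "https:" : "http:";
    findings.push({
      wsUrl: ws.href,
      code,
      stage: known.stage,
      hint: known.hint,
      probeUrl: probe.href,
      // Same hostname on another port is a separate listener with its own TLS setup,
      // so a working phone page says nothing about the WebSocket certificate.
      separateListener: ws.hostname === page.hostname && ws.port !== page.port,
    });
  }
  return findings;
}

// Constructed sample input (pbx.example.com is a placeholder host).
const SAMPLE_LOG = [
  "sip.Transport | Connecting wss://pbx.example.com:8089/ws",
  "sip.Transport | WebSocket error occurred.",
  "sip.Transport | WebSocket closed wss://pbx.example.com:8089/ws (code: 1015)",
  "WebSocket Connection Failed: Error: WebSocket closed wss://pbx.example.com:8089/ws (code: 1015)",
].join("\n");

console.log(diagnoseWebSocketFailure(SAMPLE_LOG, "https://pbx.example.com/"));
```

If the probe URL shows a certificate or TLS error in the browser, the fault is in the listener's TLS setup; an HTTP-level response means the handshake itself succeeded.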

@jromero17
Author

Could you please explain a little more? I don't understand much of what you are telling me:

The IP PBX is here ang.iscotel.com.ve
the webphone is at app.iscotel.com.ve

This is in the same equipment.

Everything is configured with VirtualHost of apache.

It is a test equipment, to tune it, to make it work.

How should be the expression:

wss://domain.com:port/ws

Follow my domain and subdomains.

@InnovateAsterisk
Owner

In the example of the log above, it says:

WebSocket Connection Failed: Error: WebSocket closed wss://app.iscotel.com.ve:8089/ws (code: 1015)

This means the Browser Phone is attempting to connect to your Asterisk at wss://app.iscotel.com.ve:8089/ws but this fails.

I can reach https://app.iscotel.com.ve, and I get the browser phone. This page is being served by Apache/2.4.61 (Debian).

So far so good, this is correct. Now to solve the WebSocket Connection issue.

The URL ang.iscotel.com.ve does not resolve, so first you need to solve this, or continue to use app.iscotel.com.ve as the server address pointing to Asterisk - this is possible, as you will operate over another port - 8089.

Are you using Reverse Proxy with Apache for WebSocket forwarding? I would recommend this.
https://www.innovateasterisk.com/s2e1-webrtc-reverse-proxy/

Otherwise use port forwarding on port 8089 directly to Asterisk (on whatever port is defined for http TLS)

In the end you will either have app.iscotel.com.ve:8089 or ang.iscotel.com.ve:8089 point to Asterisk. This connection can be directly via port forward, or proxy via Apache.

@jromero17
Author

Good afternoon Mr. Conrad, thank you for your great explanation. Following your instructions in the Video Tutorial, I was able to configure the apache VirtualHost with reverse proxy.

The Browser Phone now registers.

I can establish a call between the webphone and linphone, but the audio is heard, the voice is not heard.

Maybe it is a NAT thing, since the pbx are in the LAN and the webphone being registered from the LAN with public domain goes out and in, goes out to the public area and then enters the private network segment. So it is a codec problem, I will do some other tests.

I opened the rtp ports from 10000 to 60000 to test, but I can't hear the audio.

Another thing, the call is established for 30 seconds, then hangs, I don't know if this Browser-Phone webphone has any time limitation.
