TLS Port error


Jason Kwon

Aug 23, 2016, 3:31:22 AM
to TURN Server (Open-Source project)
# you can listen ports 3478 and 5349 instead of 80/443
listening-port=80
tls-listening-port=443

listening-ip=your-ip-address

relay-ip=your-ip-address
external-ip=your-ip-address

realm=yourdomain.com
server-name=yourdomain.com

lt-cred-mech   
userdb=/etc/turnuserdb.conf

# use real-valid certificate/privatekey files
cert=/etc/ssl/certificate.pem
pkey=/etc/ssl/private.key

no-stdout-log

I put my IP address in and set the ports like that.

After executing the TURN server, I ran the command "netstat -tulpn".

I was able to see port 80, but I couldn't see port 443 at all.
Is there anyone who can explain what might be wrong and the difference between the two ports?
Thank you.

Mihály Mészáros

Aug 23, 2016, 4:35:18 AM
to Jason Kwon, TURN Server (Open-Source project)
Hi,

Add verbose logging to your config, and check your logs to see if openssl is
compiled properly into coturn.

Check in the logs that TLS/DTLS is compiled and supported in your coturn
binary...

The difference in theory is that 3478 is the unencrypted listening-port,
and 5348 is the listening-port for encrypted TURN packets.

So if the TLS listening port is not working, then you may not have configured openssl properly during coturn compilation.

(As an alternative you could also leave the ports at the standard ports in the turnserver config and port-forward ports 80 and 443, e.g. with iptables on Linux:

iptables -A PREROUTING -p udp -m udp --dport 80 -j REDIRECT --to-ports 3478
iptables -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3478
iptables -A PREROUTING -p udp -m udp --dport 443 -j REDIRECT --to-ports 5349
iptables -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 5349
)

Best Regards,
Misi

--
You received this message because you are subscribed to the Google Groups "TURN Server (Open-Source project)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to turn-server-project-rfc5766-turn-server+unsubscribe@googlegroups.com.
To post to this group, send email to turn-server-project-rfc5766-turn-...@googlegroups.com.
Visit this group at https://groups.google.com/group/turn-server-project-rfc5766-turn-server.
For more options, visit https://groups.google.com/d/optout.

Jason Kwon

Aug 23, 2016, 5:03:34 AM
to TURN Server (Open-Source project)


On Tuesday, August 23, 2016 at 4:31:22 PM UTC+9, Jason Kwon wrote:

Jason Kwon

Aug 23, 2016, 5:03:41 AM
to TURN Server (Open-Source project), akdk...@gmail.com
Hi.
Thank you for your reply.
I followed that "coTURN installation on Ubuntu".

Here is my log when turnserver is executed.
You are right. Really, thank you.

Can I make my own certificate here?
I am trying to fix it.
I really appreciate it.

0: Config file found: /etc/turnserver.conf
0: Listener address to use: 10.177.174.54
0: Relay address to use: 10.177.174.54
0: Bad configuration format: it-cred-mech
0: Bad configuration format: pkey/etc/ssl/private.key
0: Config file found: /etc/turnserver.conf
0: Bad configuration format: it-cred-mech
0: Bad configuration format: pkey/etc/ssl/private.key
0: Domain name:
0: Default realm: yourdomanin.com
0:
CONFIGURATION ALERT: you specified long-term user accounts, (-u option)
        but you did not specify the long-term credentials option
        (-a or --lt-cred-mech option).
        I am turning --lt-cred-mech ON for you, but double-check your configuration.
0: WARNING: cannot find certificate file: /etc/ssl/certificate.pem (1)
0: WARNING: cannot start TLS and DTLS listeners because certificate file is not set properly
0: WARNING: cannot find private key file: turn_server_pkey.pem (1)
0: WARNING: cannot start TLS and DTLS listeners because private key file is not set properly
0: pid file created: /var/run/turnserver.pid
0: IO method (main listener thread): epoll (with changelist)
0: WARNING: I cannot support STUN CHANGE_REQUEST functionality because only one IP address is provided
0: Wait for relay ports initialization...
0:   relay 10.177.174.54 initialization...
0:   relay 10.177.174.54 initialization done
0: Relay ports initialization done
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=0 created
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=1 created
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=2 created
0: IO method (udp listener/relay thread): epoll (with changelist)
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=3 created
0: turn server id=128 created
0: Total UDP servers: 1
0: Total General servers: 4
0: IO method (auth thread): epoll (with changelist)
0: IO method (cli thread): epoll (with changelist)


On Tuesday, August 23, 2016 at 5:35:18 PM UTC+9, Mihály Mészáros wrote:

Mihály Mészáros

Aug 23, 2016, 5:17:02 AM
to Jason Kwon, TURN Server (Open-Source project)
Hi,

Now I see from the logs that you have "only" config problems.

I see a few warnings because of the cert/key and a typo in the log.
  1. Correct it-cred-mech to lt-cred-mech in the config
  2. Check the pkey and certificate as well
You could try to create a free cert with https://letsencrypt.org/

Misi


Jason Kwon

Aug 23, 2016, 7:10:33 AM
to TURN Server (Open-Source project), akdk...@gmail.com
Hi,
Thank you for your reply.
I need your help more. It is my first time making a Linux server of this kind; I am doing something wrong and finding it difficult.

Here are my steps toward the goal.

1. This is my turnserver.conf below.

listening-port=86
tls-listening-port=443
listening-ip=x.x.x.x
relay-ip=x.x.x.x
external-ip=x.x.x.x
realm=x.x.x.x
server-name=x.x.x.x
It-cred-mech
userdb=/etc/turnuserdb.conf
cert=/etc/ssl/cert.pem
pkey=/etc/ssl/private.key

2. I made the key and certificate like this.

Creating the key:
$ openssl genrsa -des3 -out private.key 1024

Creating the cert:
$ openssl req -new -key private.key -out cert.pem


But I got an error log like 'no certificate found and invalid key'.

0: Config file found: /etc/turnserver.conf
0: Listener address to use: 10.177.174.53
0: Relay address to use: 10.177.174.53
0: Bad configuration format: It-cred-mech

0: Config file found: /etc/turnserver.conf
0: Bad configuration format: It-cred-mech
0: Domain name:
0: Default realm: 10.177.174.53

0:
CONFIGURATION ALERT: you specified long-term user accounts, (-u option)
        but you did not specify the long-term credentials option
        (-a or --lt-cred-mech option).
        I am turning --lt-cred-mech ON for you, but double-check your configuration.
0: ERROR: SSL23: ERROR: no certificate found
0: ERROR: SSL23: ERROR: no valid private key found, or invalid private key password provided
0: ERROR: SSL23: ERROR: invalid private key
0: ERROR: TLS1.0: ERROR: no certificate found
0: ERROR: TLS1.0: ERROR: no valid private key found, or invalid private key password provided
0: ERROR: TLS1.0: ERROR: invalid private key
0: ERROR: TLS1.1: ERROR: no certificate found
0: ERROR: TLS1.1: ERROR: no valid private key found, or invalid private key password provided
0: ERROR: TLS1.1: ERROR: invalid private key
0: ERROR: TLS1.2: ERROR: no certificate found
0: ERROR: TLS1.2: ERROR: no valid private key found, or invalid private key password provided
0: ERROR: TLS1.2: ERROR: invalid private key
0: TLS cipher suite: DEFAULT
0: ERROR: DTLS: ERROR: no certificate found
0: ERROR: DTLS: ERROR: no valid private key found, or invalid private key password provided
0: ERROR: DTLS: ERROR: invalid private key
0: DTLS cipher suite: DEFAULT

0: pid file created: /var/run/turnserver.pid
0: IO method (main listener thread): epoll (with changelist)
0: WARNING: I cannot support STUN CHANGE_REQUEST functionality because only one IP address is provided
0: Wait for relay ports initialization...
0:   relay 10.177.174.53 initialization...
0:   relay 10.177.174.53 initialization done

0: Relay ports initialization done
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=0 created
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=1 created
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=2 created
0: IO method (udp listener/relay thread): epoll (with changelist)
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=3 created
0: turn server id=128 created
0: IO method (udp listener/relay thread): epoll (with changelist)
0: turn server id=129 created
0: Total UDP servers: 2

0: Total General servers: 4
0: IO method (cli thread): epoll (with changelist)
0: IO method (auth thread): epoll (with changelist)
bind: Address already in use
0: Trying to bind fd 44 to <127.0.0.1:5766>: errno=98
Cannot bind CLI socket to addr: Address already in use
0: ERROR: Cannot bind CLI listener socket to addr 127.0.0.1:5766



On Tuesday, August 23, 2016 at 6:17:02 PM UTC+9, Mihály Mészáros wrote:
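The three problems visible across this thread (Misi's two-point fix of the it-cred-mech typo and the cert/pkey check, and the second config with its openssl steps and "no certificate found / invalid private key" log) can all be caught before turnserver is even started. The following linter is an added example written for this thread; it is not code from the posts or from the coturn project. It assumes the config syntax shown in the posts (one key=value or bare flag per line, # comments), recognises only the option names that appear in the thread plus pkey-pwd, and classifies the cert and key files by their PEM headers alone rather than validating the key material. The sample config and PEM contents are constructed stand-ins.

```python
# Added example, not code from this thread or from the coturn project: a linter
# for the turnserver.conf mistakes the posts ran into. It assumes the syntax
# visible in the posts and only inspects PEM headers, not the key material.
import re

# Options that appear in this thread. Lowercase L in lt-cred-mech: the capital-I
# spelling in the poster's config is what coturn logged as a bad format.
KNOWN_KEYS = {
    "listening-port", "tls-listening-port", "listening-ip", "relay-ip", "external-ip",
    "realm", "server-name", "lt-cred-mech", "userdb", "cert", "pkey", "pkey-pwd",
    "no-stdout-log", "verbose",
}


def parse_turnserver_conf(text):
    """Return (settings, problems); bare flags are stored as True."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if key in KNOWN_KEYS:
            settings[key] = value.strip() if sep else True
            continue
        hint = ""
        # "It-cred-mech": a capital I typed where a lowercase l belongs.
        if key.lower().startswith("it-") and "lt-" + key[3:] in KNOWN_KEYS:
            hint = f" (did you mean 'lt-{key[3:]}'?)"
        # "pkey/etc/ssl/private.key": a value-taking option missing its '='.
        for known in KNOWN_KEYS:
            if not hint and key.startswith(known):
                hint = f" (missing '=' after '{known}'?)"
        problems.append(f"line {lineno}: bad configuration format: {key}{hint}")
    return settings, problems


def classify_pem(pem_text):
    """Name what a PEM file holds: certificate, csr, encrypted-key, key, unknown."""
    if "-----BEGIN CERTIFICATE REQUEST-----" in pem_text:
        return "csr"
    if "-----BEGIN CERTIFICATE-----" in pem_text:
        return "certificate"
    # PKCS#8 encrypted keys, and legacy keys written by e.g. `genrsa -des3`.
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text or "Proc-Type: 4,ENCRYPTED" in pem_text:
        return "encrypted-key"
    if re.search(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----", pem_text):
        return "key"
    return "unknown"


def check_tls_files(settings, files):
    """Check cert/pkey against a {path: text} mapping that stands in for the disk."""
    problems = []
    for opt, wanted in (("cert", "certificate"), ("pkey", "key")):
        path = settings.get(opt)
        if not isinstance(path, str):
            problems.append(f"{opt} is not set: TLS and DTLS listeners cannot start")
            continue
        if path not in files:
            problems.append(f"{opt}: cannot find file {path}")
            continue
        kind = classify_pem(files[path])
        if kind == "csr":
            problems.append(f"{opt}: {path} is a signing request (req -new without -x509), not a certificate")
        elif kind == "encrypted-key":
            problems.append(f"{opt}: {path} is passphrase-protected (genrsa -des3); set pkey-pwd or store it unencrypted")
        elif kind != wanted:
            problems.append(f"{opt}: {path} holds {kind}, expected {wanted}")
    return problems


def lint(conf_text, files):
    settings, problems = parse_turnserver_conf(conf_text)
    return problems + check_tls_files(settings, files)


# Constructed sample input modelled on the second config posted in the thread.
SAMPLE_CONF = """\
tls-listening-port=443
realm=turn.example.invalid
It-cred-mech
userdb=/etc/turnuserdb.conf
cert=/etc/ssl/cert.pem
pkey=/etc/ssl/private.key
"""
# Constructed PEM stand-ins: a CSR where a certificate was expected, and a
# DES3-encrypted legacy RSA key. The bodies are placeholders, not key material.
SAMPLE_FILES = {
    "/etc/ssl/cert.pem": "-----BEGIN CERTIFICATE REQUEST-----\nPLACEHOLDER\n-----END CERTIFICATE REQUEST-----\n",
    "/etc/ssl/private.key": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                            "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for problem in lint(SAMPLE_CONF, SAMPLE_FILES):
        print(problem)
```

Run against the constructed sample it reports the capital-I typo, that cert.pem is a certificate signing request rather than a certificate (openssl req -new writes a CSR; a self-signed certificate needs -x509), and that the key is passphrase-protected because of -des3, which matches the "no certificate found" and "invalid private key" lines in the log above. Once both files classify as expected and the config parses without problems, the TLS and DTLS listeners have what they need, and the remaining "Address already in use" on 127.0.0.1:5766 is simply a second turnserver instance still running.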