RFC5766-turn-server with TLS


I'm trying to start my TURN server with TLS enabled. I use the following line to start the server:

daemon --user=$USER $TURN $OPTIONS --tls-listening-port 3478 --cert /root/cert_2014_11/my_domain_nl.crt --pkey /root/cert_2014_11/my_domain_nl.key --CA-file /root/cert_2014_11/PositiveSSLCA2.crt

The environment variables in there are set in the config file. The server works fine without TLS using the same startup line, but if I add the three SSL related arguments, the server still isn't reachable over TLS. I tried setting a different port for SSL instead of the standard port, but it still didn't work. Whatever I do, I can reach the server without SSL, but over TLS I can't reach it. The certificate chain I use is fine, I use it for our website as well.

Bradley T. Hughes

I've run into this exact problem before. Have a look at the documentation for the --CA-file argument:

--CA-file <filename>    CA file in OpenSSL format.
                        Forces TURN server to verify the client SSL certificates.
                        By default, no CA is set and no client certificate check is performed.

This argument is needed only when you will be verifying client certificates. It's not for the certificate chain for your server certificate.

Drop the --CA-file argument, keeping the --cert and --pkey arguments.

EDIT: FYI, the certificate file you give to the --cert option can contain the entire certificate chain (yours and your CA's).
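As an added example (not part of the question, the answer, or the turnserver project), the script below does the two checks implied by the answer before starting the server: it builds the bundle for --cert with the server certificate first and the intermediate after it, verifies that the bundle chains up to the root using only the certificates inside it, and confirms that --pkey really belongs to the first certificate. It then prints a TLS argument set that has no --CA-file. The root/intermediate/server certificates are a constructed toy PKI generated with openssl so the script runs offline; the host name turn.example.invalid, the directory layout, and port 5349 (the standard TURN-over-TLS port) are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example: assemble and check the --cert bundle for turnserver TLS.
# Not from the question, the answer, or the turnserver project.
set -e

# Constructed toy PKI (root -> intermediate -> server) so this runs offline.
# Replace the generated files with your real server cert, intermediate and key.
make_toy_pki() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Toy Root CA' -days 1 \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Toy Intermediate CA' \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -days 1 -out "$dir/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=turn.example.invalid' \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -days 1 -out "$dir/server.crt" 2>/dev/null
}

# The file handed to --cert: server certificate first, then the intermediate(s).
# The root is not included (clients already trust it), and the intermediate
# does not go into --CA-file, which only switches on client-certificate checks.
build_chain() {
    leaf=$1; intermediate=$2; out=$3
    cat "$leaf" "$intermediate" > "$out"
}

# Number of certificates in a PEM bundle (2 for server cert + one intermediate).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# The server cert must validate up to the root using only the intermediates
# shipped in the bundle itself; exit status 0 means the chain is complete.
verify_chain() {
    root=$1; chain=$2
    openssl verify -CAfile "$root" -untrusted "$chain" "$chain" >/dev/null 2>&1
}

# --pkey must be the private key of the FIRST certificate in the --cert file.
key_matches_cert() {
    chain=$1; key=$2
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# turnserver arguments for a server-side TLS listener: no --CA-file at all.
tls_args() {
    chain=$1; key=$2; port=$3
    echo "--tls-listening-port $port --cert $chain --pkey $key"
}

WORK=$(mktemp -d)
make_toy_pki "$WORK"
build_chain "$WORK/server.crt" "$WORK/int.crt" "$WORK/fullchain.pem"
verify_chain "$WORK/root.crt" "$WORK/fullchain.pem" && echo "chain OK ($(count_certs "$WORK/fullchain.pem") certs)"
key_matches_cert "$WORK/fullchain.pem" "$WORK/server.key" && echo "key matches certificate"
echo "turnserver $(tls_args "$WORK/fullchain.pem" "$WORK/server.key" 5349)"
# Once the server is running, confirm the chain it presents from another host:
#   openssl s_client -connect turn.example.invalid:5349 -showcerts
```

Against real files, run verify_chain with the CA's published root certificate; a failure there means the intermediate in the bundle is missing or in the wrong order, which is exactly what a TLS client sees as an unreachable or untrusted server.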