<div><div dir="auto">Actually. Careful. There are scenarios where just doing that will not work. </div></div><div dir="auto"><br></div><div dir="auto">The RR headers will have your FQDN most likely if you don’t want to break reinvites</div><div dir="auto"><br></div><div dir="auto">So for that to work you will need either multiple certs, a wildcard cert, or a cert with multiple SANs where you include the “<a href="http://pbx.example.com">pbx.example.com</a>” and “<a href="http://Kamailio1.example.com">Kamailio1.example.com</a>” etc.</div><div dir="auto"><br></div><div dir="auto">If you want you can check this issue:</div><div dir="auto"><br></div><div dir="auto"><div><a href="https://github.com/kamailio/kamailio/issues/1581">https://github.com/kamailio/kamailio/issues/1581</a></div><br></div><div dir="auto">It’s not related to your question directly but it explains why I’m telling you this. </div><div dir="auto"><br></div><div dir="auto">Hope it helps. </div><div dir="auto"><br></div><div dir="auto">Best regards,</div><div dir="auto">Joel. </div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto"><br></div><div><br><div class="gmail_quote"><div dir="ltr">On Tue, Oct 2, 2018 at 12:09 Sergey Basov <<a href="mailto:sergey.v.basov@gmail.com">sergey.v.basov@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi Kevin</div><div><br></div><div>You need TLS certificate for domain which you will setup on SIP clients to connect to.</div><div><br></div><div>So if your SIP domain is <a href="http://pbx.example.com" rel="noreferrer" target="_blank">pbx.example.com</a> and you will provide DNS-SRV record for it - then you need TLS certificate for <a href="http://pbx.example.com" rel="noreferrer" target="_blank">pbx.example.com</a></div><div><div><div dir="ltr" class="m_-3893185765711491501gmail_signature" data-smartmail="gmail_signature">--<br>Best regards,<br>Sergey Basov e-mail: <a href="mailto:sergey.v.basov@gmail.com" target="_blank">sergey.v.basov@gmail.com</a><br></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr">вт, 2 окт. 2018 г. в 12:44, Kevin Olbrich <<a href="mailto:ko@sv01.de" target="_blank">ko@sv01.de</a>>:<br></div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi!<br>
<br>
Which hostname do I need to request for the certificate when the<br>
servers are load-balanced using DNS-SRV?<br>
Do I need to get the cert for the DNS-SRV subdomain (without<br>
_sip._tls) or for the servers, eg. server0{1,2,3}.<a href="http://pbx.example.com" rel="noreferrer" target="_blank">pbx.example.com</a> ?<br>
<br>
Thank you!<br>
<br>
Kevin<br>
<br>
_______________________________________________<br>
Kamailio (SER) - Users Mailing List<br>
<a href="mailto:sr-users@lists.kamailio.org" target="_blank">sr-users@lists.kamailio.org</a><br>
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br>
</blockquote></div>
_______________________________________________<br>
Kamailio (SER) - Users Mailing List<br>
<a href="mailto:sr-users@lists.kamailio.org" target="_blank">sr-users@lists.kamailio.org</a><br>
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br>
</blockquote></div></div>