<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi!<div class=""><br class=""></div><div class="">Actually, I’m trying to get Kamailio to work as an MS Teams SBC by following this perfect article</div><div class=""><a href="https://skalatan.de/en/blog/kamailio-sbc-teams" class="">https://skalatan.de/en/blog/kamailio-sbc-teams</a></div><div class="">It works well, but one thing is bothering me.</div><div class="">I’m using Let’s Encrypt certs (actually, works well), but with these settings in <b class="">tls.conf</b></div><div class=""><div class=""><br class=""></div><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">verify_certificate = yes</span></font></div><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">require_certificate = yes</span></font></div></div><div class=""><br class=""></div><div class="">It’s giving errors like </div><div class=""><br class=""></div><div class=""><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">/usr/sbin/kamailio[4551]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed</span></font></div><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">/usr/sbin/kamailio[4551]: ERROR: &lt;core&gt; [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f03e6d23d88 r: 0x7f03e6d23e08 (-1)</span></font></div></div><div class=""><br class=""></div><div class="">They are resolved by turning these settings (<font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">verify/require</span></font>) off (actually, as mentioned here - <a href="https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/" 
class="">https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/</a>), but I’m really curious - why?</div><div class=""><br class=""></div><div class="">As I got, it’s using <b class="">openssl verify</b> on a background, but this check locally passed with </div><div class=""><br class=""></div><div class=""><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">openssl verify -CAfile issuer.crt myserver.crt</span></font></div><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">myserver.crt: OK</span></font></div></div><div class=""><br class=""></div><div class="">So, is there any tricks to lets encrypt or just some misconfig in <b class="">tls.cfg</b>?</div><div class=""><br class=""></div><div class="">Now it looks like one from article</div><div class=""><br class=""></div><div class=""><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">[server:default]</span></font></div><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">method = TLSv1.2+</span></font></div><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">verify_certificate = yes</span></font></div><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">require_certificate = yes</span></font></div><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">private_key = /etc/kamailio/tls/myserver.key</span></font></div><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">certificate = /etc/kamailio/tls/myserver.crt</span></font></div><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">ca_list = /etc/kamailio/tls/issuer.crt</span></font></div><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" 
class=""><br class=""></span></font></div><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">[client:default]</span></font></div><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">method = TLSv1.2+</span></font></div><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">verify_certificate = yes</span></font></div><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">require_certificate = yes</span></font></div><div class=""><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">private_key = /etc/kamailio/tls/myserver.key</span></font></div><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">certificate = /etc/kamailio/tls/myserver.crt</span></font></div><div class=""><font face="FiraCode-Retina" class=""><span style="font-style: normal;" class="">ca_list = /etc/kamailio/tls/issuer.crt</span></font></div></div><div class="">
<div>—</div><div>Regards, Igor</div><div class=""><br class=""></div><br class="Apple-interchange-newline">
</div>
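<div class="">An added example, not part of the original post and not Kamailio's own code: it uses two throwaway CAs to show what <b class="">openssl verify -CAfile issuer.crt myserver.crt</b> does and does not cover. The <b class="">ca_list</b> file is the set of CAs that the remote side's certificate is validated against, so a passing check of the local certificate says nothing about a peer whose certificate was issued by a different CA; every CA, file and certificate name below is constructed.</div>

```bash
#!/bin/sh
# Constructed demo: two throwaway CAs stand in for the issuer of the local
# certificate and for the CA behind the remote peer's certificate.
# All names and files are hypothetical and generated on the fly.

# make_ca DIR NAME: self-signed CA certificate and key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_leaf DIR CA NAME: end-entity certificate NAME signed by CA
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# check CAFILE CERT: same call as in the post, reduced to OK or FAIL
check() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# verify_matrix: prints the three results on one line
verify_matrix() {
  d=$(mktemp -d) || return 1
  make_ca "$d" issuer && make_ca "$d" peer-ca &&
    issue_leaf "$d" issuer myserver && issue_leaf "$d" peer-ca peer ||
    { rm -rf "$d"; return 1; }
  # 1. The check from the post: local cert against its own issuer.
  own=$(check "$d/issuer.crt" "$d/myserver.crt")
  # 2. What happens in a handshake: the peer's cert against the same file.
  peer=$(check "$d/issuer.crt" "$d/peer.crt")
  # 3. The same peer cert once its issuing CA is also in the trusted file.
  cat "$d/issuer.crt" "$d/peer-ca.crt" > "$d/ca_list.pem"
  bundle=$(check "$d/ca_list.pem" "$d/peer.crt")
  rm -rf "$d"
  echo "own=$own peer=$peer peer_with_bundle=$bundle"
}

verify_matrix
```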
<br class=""></div></body></html>