<div dir="ltr">Hi Igor,<div><br></div><div>Ran into the same issue previously, glad you figured it out as well.<div><br></div><div>In Debian for example:</div><div>ca_list = /etc/ssl/certs/ca-certificates.crt<br></div><div><br></div><div>BTW, alternatively, you could just deploy the Baltimore CA root cert that Microsoft uses instead of loading the full CA root list, if the SBC will be used solely for MS Direct Routing. From the MS docs:</div><div><br></div><div><b>Deploy Baltimore Trusted Root Certificate</b>
<br>Loading Baltimore Trusted Root Certificates is mandatory
for implementing a TLS connection with the Microsoft Teams network.
<br>The DNS name of the Teams Direct Routing interface is <a href="http://sip.pstnhub.microsoft.com">sip.pstnhub.microsoft.com</a>. <br>In this
interface, a certificate is presented which is signed by Baltimore CyberTrust
Root with Serial Number: 02 00 00 b9 and SHA fingerprint: d4:de:20:d0:5e:66:fc:
53:fe:1a:50:88:2c:78:db:28:52:ca:e4:74.
<br>To trust this certificate, your SBC must have the certificate in Trusted Certificates storage.
Download the certificate from <a href="https://cacert.omniroot.com/bc2025.pem">https://cacert.omniroot.com/bc2025.pem</a> and follow the steps
above to import the certificate to the Trusted Root storage. <br></div><div><br></div><div>Cheers,</div><div>--Sergiu<br><div><br></div><div><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Mar 29, 2020 at 10:14 AM Igor Olhovskiy <<a href="mailto:igorolhovskiy@gmail.com">igorolhovskiy@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Thanks! That did the trick (Debian 10)<br>
</p>
<div><br>
</div>
<div><font size="-1" face="Courier New, Courier,
monospace"><span style="font-style:normal">[server:default]</span></font></div>
<div><font size="-1" face="Courier New, Courier,
monospace"><span style="font-style:normal">method =
TLSv1.2+</span></font></div>
<div><font size="-1" face="Courier New, Courier,
monospace"><span style="font-style:normal">verify_certificate
= yes</span></font></div>
<div><font size="-1" face="Courier New, Courier,
monospace"><span style="font-style:normal">require_certificate
= yes</span></font></div>
<div><font size="-1" face="Courier New, Courier,
monospace"><span style="font-style:normal">private_key
= /etc/kamailio/tls/myserver.key</span></font></div>
<div><font size="-1" face="Courier New, Courier,
monospace"><span style="font-style:normal">certificate
= /etc/kamailio/tls/myserver.crt</span></font></div>
<div><font size="-1" face="Courier New, Courier,
monospace"><span style="font-style:normal"># Points
to your root CA list<br>
</span></font></div>
<div><font size="-1" face="Courier New, Courier,
monospace"><span style="font-style:normal">ca_list =
/etc/ssl/certs/ca-certificates.crt</span></font></div>
<div><font size="-1" face="Courier New, Courier,
monospace"><span style="font-style:normal"><br>
</span></font></div>
<div><font size="-1" face="Courier New, Courier,
monospace"><span style="font-style:normal">[client:default]</span></font></div>
<div><font size="-1" face="Courier New, Courier,
monospace"><span style="font-style:normal">method =
TLSv1.2+</span></font></div>
<div><font size="-1" face="Courier New, Courier,
monospace"><span style="font-style:normal">verify_certificate
= yes</span></font></div>
<div><font size="-1" face="Courier New, Courier,
monospace"><span style="font-style:normal">require_certificate
= yes</span></font></div>
<div>
<div><font size="-1" face="Courier New, Courier,
monospace"><span style="font-style:normal">private_key
= /etc/kamailio/tls/myserver.key</span></font></div>
<div><font size="-1" face="Courier New, Courier,
monospace"><span style="font-style:normal">certificate
= /etc/kamailio/tls/myserver.crt</span></font></div>
<div><font size="-1" face="Courier New, Courier,
monospace"><span style="font-style:normal">ca_list
= /etc/kamailio/tls/issuer.crt</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal"><br>
</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">Now it takes longer to
reload the TLS config and I need to increase the PKG/SHM size to
process the full list, but it's ok )<br>
</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal"><br>
</span></font></div>
</div>
<div>On 29.03.2020 13:54, Alexey Vasilyev
wrote:<br>
</div>
<blockquote type="cite">
<div>Hi Igor,</div>
<div><br>
</div>
<div>Because these errors are about verification of the Microsoft
certificate.</div>
<div>/etc/kamailio/tls/issuer.cer should contain
certificate authorities list, which contains trusted root
certificates.</div>
<div>For example, for CentOS7
/etc/ssl/certs/ca-bundle.crt</div>
<br>
<div>
<span style="border-collapse:separate;color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<div>-----</div>
<div>Alexey Vasilyev</div>
<div><a href="mailto:alexei.vasilyev@gmail.com" target="_blank">alexei.vasilyev@gmail.com</a></div>
<div><br>
</div>
</span><br>
</div>
<br>
<div>
<blockquote type="cite">
<div>On 29 Mar 2020, at 11:36, Igor Olhovskiy <<a href="mailto:igorolhovskiy@gmail.com" target="_blank">igorolhovskiy@gmail.com</a>>
wrote:</div>
<br>
<div>
<div style="overflow-wrap: break-word;">Hi!
<div><br>
</div>
<div>Actually I’m trying to get Kamailio to work
as an MS Teams SBC following the perfect article</div>
<div><a href="https://skalatan.de/en/blog/kamailio-sbc-teams" target="_blank">https://skalatan.de/en/blog/kamailio-sbc-teams</a></div>
<div>It works well, but one thing is bothering
me.</div>
<div>I’m using Let’sEncrypt certs (actually,
works well), but with setting in <b>tls.conf</b></div>
<div>
<div><br>
</div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">verify_certificate
= yes</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">require_certificate
= yes</span></font></div>
</div>
<div><br>
</div>
<div>It’s giving errors like </div>
<div><br>
</div>
<div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">/usr/sbin/kamailio[4551]:
ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS
write:error:1416F086:SSL
routines:tls_process_server_certificate:certificate
verify failed</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">/usr/sbin/kamailio[4551]:
ERROR: <core> [core/tcp_read.c:1505]:
tcp_read_req(): ERROR: tcp_read_req: error reading
- c: 0x7f03e6d23d88 r: 0x7f03e6d23e08 (-1)</span></font></div>
</div>
<div><br>
</div>
<div>They are resolved with setting these
settings (<font face="FiraCode-Retina"><span style="font-style:normal">verify/require</span></font>)
to off (actually, as mentioned here - <a href="https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/" target="_blank">https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/</a>),
but I’m really curious - why?</div>
<div><br>
</div>
<div>As I understand, it’s using <b>openssl
verify</b> in the background, but this check passed
locally with </div>
<div><br>
</div>
<div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">openssl
verify -CAfile issuer.crt myserver.crt</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">myserver.crt:
OK</span></font></div>
</div>
<div><br>
</div>
<div>So, are there any tricks to Let’s Encrypt or
just some misconfig in <b>tls.cfg</b>?</div>
<div><br>
</div>
<div>Now it looks like one from article</div>
<div><br>
</div>
<div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">[server:default]</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">method =
TLSv1.2+</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">verify_certificate
= yes</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">require_certificate
= yes</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">private_key =
/etc/kamailio/tls/myserver.key</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">certificate =
/etc/kamailio/tls/myserver.crt</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">ca_list =
/etc/kamailio/tls/issuer.crt</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal"><br>
</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">[client:default]</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">method =
TLSv1.2+</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">verify_certificate
= yes</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">require_certificate
= yes</span></font></div>
<div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">private_key
= /etc/kamailio/tls/myserver.key</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">certificate
= /etc/kamailio/tls/myserver.crt</span></font></div>
<div><font face="FiraCode-Retina"><span style="font-style:normal">ca_list =
/etc/kamailio/tls/issuer.crt</span></font></div>
</div>
<div>
<div>—</div>
<div>Regards, Igor</div>
<div><br>
</div>
<br>
</div>
<br>
</div>
</div>
_______________________________________________<br>
Kamailio (SER) - Users Mailing List<br>
<a href="mailto:sr-users@lists.kamailio.org" target="_blank">sr-users@lists.kamailio.org</a><br>
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br>
</div>
</blockquote>
</div>
<br>
<br>
</blockquote>
<pre cols="72">--
Regards, Igor</pre>
</div>
</blockquote></div>
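<div>The thread above resolves the "certificate verify failed" error by pointing <code>ca_list</code> at a full CA bundle, or alternatively at just the Baltimore CyberTrust Root that Microsoft's Direct Routing interface chains to. Either way, a practitioner should confirm that the bundle actually contains the expected root, identified by the SHA-1 fingerprint quoted from the Microsoft docs, rather than trusting whatever happens to be in the file. The following Python script is an added example (not part of the mailing-list thread and not Kamailio or Microsoft code): it parses a PEM bundle such as Debian's <code>/etc/ssl/certs/ca-certificates.crt</code> or CentOS 7's <code>/etc/ssl/certs/ca-bundle.crt</code>, computes each certificate's SHA-1 fingerprint (SHA-1 over the DER encoding, which is what <code>openssl x509 -fingerprint -sha1</code> prints), and reports whether the expected root is present. The function names and the sample bundle are assumptions; the sample bundle is constructed from arbitrary bytes so it runs offline.</div>

```python
import base64
import hashlib
import re
import sys

# SHA-1 fingerprint of the Baltimore CyberTrust Root as quoted in the thread
# (taken from the Microsoft Direct Routing docs); used only as the default
# value to search for when the script is run against a real bundle.
BALTIMORE_ROOT_SHA1 = "d4:de:20:d0:5e:66:fc:53:fe:1a:50:88:2c:78:db:28:52:ca:e4:74"

# Matches one PEM certificate block. Bundles like CentOS ca-bundle.crt carry
# "# Issuer: ..." comment lines between blocks; the regex simply skips them.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_bundle_to_der(bundle_text: str) -> list[bytes]:
    """Return the DER bytes of every certificate found in a PEM bundle."""
    ders = []
    for match in PEM_BLOCK.finditer(bundle_text):
        # Strip all whitespace (handles both \n and \r\n line endings).
        b64 = "".join(match.group(1).split())
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated lowercase SHA-1 fingerprint, same form as openssl prints."""
    return ":".join(f"{b:02x}" for b in hashlib.sha1(der).digest())


def normalize_fingerprint(fp: str) -> str:
    """Drop separators and case so 'D4:DE:..' and 'd4de..' compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def find_cert_by_fingerprint(bundle_text: str, expected_fp: str):
    """Index of the certificate with the given SHA-1 fingerprint, or None."""
    want = normalize_fingerprint(expected_fp)
    for idx, der in enumerate(pem_bundle_to_der(bundle_text)):
        if normalize_fingerprint(sha1_fingerprint(der)) == want:
            return idx
    return None


def check_ca_list(path: str, expected_fp: str = BALTIMORE_ROOT_SHA1) -> bool:
    """True if the bundle file at `path` contains the expected root certificate."""
    with open(path, "r", encoding="ascii", errors="ignore") as fh:
        return find_cert_by_fingerprint(fh.read(), expected_fp) is not None


# --- Constructed sample data (not real X.509 certificates) -------------------
def _fake_pem(body: bytes) -> str:
    """Wrap arbitrary bytes as a PEM block so the parser has something to read."""
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


FAKE_CERT_A = b"constructed-cert-A:" + bytes(range(0, 80))
FAKE_CERT_B = b"constructed-cert-B:" + bytes(range(100, 200))
# Comment line mimics the headers found in CentOS-style bundles.
SAMPLE_BUNDLE = "# Issuer: constructed sample\n" + _fake_pem(FAKE_CERT_A) + _fake_pem(FAKE_CERT_B)


if __name__ == "__main__":
    # Usage: python check_ca_list.py /etc/ssl/certs/ca-certificates.crt
    bundle_path = sys.argv[1] if len(sys.argv) > 1 else None
    if bundle_path is None:
        idx = find_cert_by_fingerprint(SAMPLE_BUNDLE, sha1_fingerprint(FAKE_CERT_B))
        print(f"sample bundle: constructed cert B found at index {idx}")
    else:
        present = check_ca_list(bundle_path)
        print(f"{bundle_path}: Baltimore CyberTrust Root {'present' if present else 'MISSING'}")
        sys.exit(0 if present else 1)
```

Run against the real <code>ca_list</code> file Kamailio is configured with; a non-zero exit means the root Microsoft's certificate chains to is not in the trust store, which is exactly the situation that produced the <code>certificate verify failed</code> error in the thread. Note that the Let's Encrypt <code>issuer.crt</code> from the original <code>tls.cfg</code> will also report it missing, since that file only lets Kamailio verify its own certificate, not the peer's.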